Wiper malware is used for wiping, overwriting, or removing data from a victim’s infected device. Unlike other methods of infection like ransomware, wiper malware is not used by threat actors for financial gain, it is used for purely destructive means. Wiper malware is also observed in the aftermath of data theft operations, and in these circumstances, it is used by threat actors to obfuscate the data theft campaign and to help them avoid detection. Wipers aim to create maximum devastation in the minimum amount of time. They generally have three targets: files/data, the boot section of the operating system and backups, often targeting all three.
Wiper malware attacks are also highly overt, meaning that they do not subtly impact a victim or a network in the background, but they do delete data from hard drives very publicly. Wipers aim to cause maximum devastation in a minimum amount of time and generally have three targets: files (data), the boot section of the operating system and backups. They often targeting all three.
Since deleting or overwriting all files on a disk can take time, wipers often affect the files partially, rendering them unusable. In some cases, wiper attacks choose to damage specific files according to file type or other target parameters. Some instances use another tactic, much like ransomware, to encrypt various key areas of the disk drive. Unlike ransomware, however, wiper malware uses “key-less” encryption, meaning that there is no decryption key, so the encryption cause by the malware is irreversible. Wipers also target the Master File Table (MFT) which stores information that describes any file on a computer. This includes access permissions, creation dates, and disk location. When the MFT is damaged, the files stored on a disk become unrecoverable.
The Master Boot Record (MBR) contains information about the filesystem, disk partitions, and can call upon the boot loaders in Volume Boot Records (VBRs). If either the MBR or VBR are damaged or altered, the computer won’t be able to boot the Operating System (OS) and load the filesystem. Unlike files, which take time to destroy or overwrite, the MBR/VBRs can be changed quickly, and the computer will become unbootable. MBR/VBRs can be damaged either through key-less encryption, or corruption of the record’s data, such as overwriting).
Incidents involving wiper malware do everything to ensure that targeted data is unrecoverable. Therefore, often wiper operations not only target files and the boot sector of a device but they also target the features in an operating system that can help restore damaged file systems. For example, they may aim to delete volume shadow copies, a backup feature, and attack a recovery console. By destroying backups, they ensure that their victims are unable to salvage any data.
According to our research, wiper malware is primarily used by cyber activists and nation-state threat actors including, the Iranian group Agrius and the Russian state actor Sandworm. Incidents include the targeting of Israeli organisations by the Iranian group Agrius with wiper malware disguised as ransomware, the NotPetya operation that impacted companies worldwide including FedEx which estimated a loss of $200 to $300 million and the GermanWiper malware incident that deleted files and was spread by spam emails.
Mitigations to wiper malware include the segmenting of a network. Ensuring that crucial data can only be accessed by a few users. It is also important to have files and data backed up in another location. For businesses, this could be on another server separate to the business network and for individuals, using a removable hard drive or a separate secure cloud-based storage solution could be used.