Wiper Malware is Today’s Biggest Risk to Data
Take steps now to guard against devastating wiper malware
The cybersecurity landscape is rife with ransomware attacks, and the news is full of stories about organizations falling prey to ransomware gangs every day. When that happens, businesses have to shell out millions of dollars in ransom money to get their data back. However, cybercriminals have a more devastating weapon in their arsenal that doesn’t tend to get as much press as ransomware: wiper malware. This awful attack goes a step beyond ransomware by completely and thoroughly erasing the victim’s data in its wake, making it a nightmare for companies to recover. But there are preventative measures that businesses and MSPs can take to mitigate their risk of disaster.
Why wiper malware is an existential threat for organizations
As the name implies, the prime objective of wiper malware is to totally erase the hard disk of the victim machine and destroy all the data irreversibly. The malware attacks the physical location where the data is stored and deletes it permanently from the systems it traverses. Once this data assassin enters an organization’s environment, it spreads throughout the network quickly and deletes everything in its path, completely wiping out the data and making it unrecoverable. Many cybercriminal gangs use wipers to cover up their traces after an intrusion, weakening their victim’s ability to respond.
Wiper malware leverage many of the typical Tactics, Techniques, and Procedures (TTP) that common ransomware uses, but there is no possibility of recovering the files. Think of them as ransomware attacks without any decryption keys. Wiper malware first gained notoriety in 2012, when Saudi Arabia’s Saudi Aramco and Qatar’s RasGas oil companies were attacked using the Shamoon family of wipers.
Although wipers are sometimes used by bad actors across all sectors, nation-state threat actors have taken a particular liking for this malware. They attack the critical infrastructure of rival nations with wiper malware for a quick, vicious blow that can cause widespread disruption to the victim country’s infrastructure or operations. The Russia-Ukraine war gave rise to a new round of wiper malware attacks in 2022, as several versions of wipers were used to disrupt the critical infrastructure of Ukrainian systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an advisory to businesses and government agencies advising vigilance against new strains of wiper malware that emerged during that conflict.
How do wipers destroy data?
The most straightforward way to wipe out data from a system is to overwrite the data in a specific physical location with other data. This process is arduous for cybercriminals as they have to write several gigabytes or terabytes of data, which is highly time-consuming and can open them up to detection. But wiper malware greatly speeds up that process by first destroying two particular files in the system and then erasing the data in minutes.
The first file that gets annihilated in a wiper malware attack is the Master Boot Record (MBR), which identifies the operating system’s location during the boot process. If the cybercriminals succeed in destroying the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used, and sometimes that won’t even work.
The next to go is the Master File Table (MFT), which exists in every NTFS file system, containing the physical location of files in the drive, their logical and physical size and other related metadata. As many big files cannot use consecutive blocks in the hard drive, they are fragmented to accommodate the storage of large files. The MFT comes in handy here, as it stores the information of where each fragment is present in the drive. If the cybercriminals get hold of your MFT, you can still access your small files using forensic tools but accessing large files is practically impossible since the link between fragments is lost. This is a critical step in making data unrecoverable.
How much is data really worth on the dark web? Find out in The IT Professionals Guide to the Dark Web! GET EBOOK>>
A timeline of wiper malware
There have been many strains of wiper malware in action since 2012 including these varieties.
- Shamoon: First reported wiper that attacked Saudi Aramco and Qatar’s RasGas oil companies in 2012.
- Dark Seoul: Reported in 2013, this malware attacked South Korean media and financial companies.
- Shamoon: The same wiper returned in 2016 to attack Saud Arabian organizations again.
- NotPetya, 2017: One of the most devastating wipers due to its self-propagation capability, Notpetya was launched by Russian-back cybercriminal gangs that targeted Ukrainian organizations.
- Olympic Destroyer: In 2018 was launched to disrupt the Winter Olympics in South Korea.
- Ordinypt: Also known as the GermanWiper, Ordinypt targeted German organizations with phishing emails in 2019.
- Dustman: In 2019, Iranian state-sponsored threat actors attacked Bahrain’s national oil company, Bapco, with Dustman wiper.
- ZeroCleare: This wiper attacked many energy companies in the Middle East in 2020.
- WhisperKill: This wiper malware attacked Ukrainian organizations in 2022.
- WhisperGate: In 2022, WhisperGate attacked 22 Ukrainian government agency websites and destroyed their data.
- HermeticWiper: The HermeticWiper attack came just hours after a series of DDoS attacks in 2022 that knocked down hundreds of Ukrainian systems.
- IsaacWiper: A less sophisticated wiper than its other counterparts this wiper attacked Ukrainian organizations in 2022.
- CaddyWiper: CaddyWiper destroyed user data and partition information from attached drives on several dozen systems in a number of Ukrainian government organizations in 2022.
- DoupleZero: The attack was again launched by Russian cybercriminals gangs in 2022 to disrupt Ukrainian organizations.
- AcidRain, 2022: It is the most recent wiper, a part of a significant supply chain attack aimed at crippling Viasat’s KA-SAT satellite service.
Explore how AI technology helps businesses mount a strong defense against phishing GET INFOGRAPHIC>>
Some preventive measures against wiper malware
A wiper attack is tricky to detect and contain. Unlike common malware attacks that come with hallmark signs of their presence, wipers erase all traces of their existence once they have wiped the data. This makes it difficult for cybersecurity teams to respond to these attacks and prevent them from spreading. Therefore, all organizations must implement robust, multi-layered security measures to defend against wiper malware.
Here are some of the solutions and preventative measures that can help:
Managed SOC: Having a team of experts with the latest weapons like a ransomware detection tool on guard 24/7/365 is a tremendous asset against cyber threats like wiper malware, but setting up a security operations center and staffing it is expensive. A managed SOC puts all the benefits to work for a business without the onerous set-up and payroll cost, bringing that type of powerful protection within reach for any MSP or business.
Malware protection solution: cybercriminals use many different malware and techniques to bypass an organization’s defense. Malware protection solutions keep track of malware and attack procedures and update themselves to thwart threat actors’ attempts.
Security awareness training: Informed end-users are the biggest and best bulwark against most cyber threats. With regular security awareness training, most employees will be able to identify odd attachments, phishing attempts and other anomalies, preventing many dangerous cyberattacks like ransomware and malware from breaching an organization’s defense.
Disaster recovery plan: A good disaster recovery plan reduces an attack’s impact and helps organizations get back to their feet faster. With regular backups, recovery time and data loss are minimized.
Regular software updates: Unpatched software is one of the most significant security vulnerabilities. Software patches provide necessary protection against all the latest vulnerabilities and play a key role in preventing attackers from leveraging these applications for system access.
Get expert help to mitigate this risk with Kaseya’s Managed SOC & BullPhish ID
Managed SOC powered by RocketCyber protects businesses from cyberattacks like wiper malware by monitoring them around the clock for any suspicious network activity. It puts the power of years of expertise at your fingertips without breaking the bank. Detect, triage and stop advanced threats with a world-class MDR solution that offers an innovative, affordable and effective way to power up your security.
Kaseya’s Managed SOC includes:
- Continuous monitoring: Round-the-clock protection with real-time advanced threat detection.
- Expertise on-demand: Get the cybersecurity expertise you need to keep your organization out of trouble without adding to your headcount.
- Breach detection: Thwart sophisticated and advanced threats that bypass traditional AV and perimeter security solutions.
- Threat hunting: Focus on other pressing matters while an elite cybersecurity team proactively hunts for malicious activities.
- No hardware requirements: Patent-pending, cloud-based technology eliminates the need for costly and complex on-premises hardware.
- Ransomware detection is now included at no additional charge!
BullPhish ID is an affordable security awareness training solution and the industry leader in phishing simulations. This solution contains all IT professionals’ tools to run great training programs. The wide variety of training materials ensures that employees gain cybersecurity knowledge to prevent malware attacks like wiper malware. The robust array of features, including automated delivery, ensures that running a training program is a snap for you.
Here are some of the distinguishing features of BullPhish ID:
- New training videos and new phishing kits added monthly to keep training current.
- Simplify compliance training with video lessons that make complex requirements easy to understand.
- Train your way and on your schedule with plug-and-play phishing simulation kits or customizable content that can be tailored to fit your industry’s unique threats.
- Access training in eight languages: English, Dutch, French (European & Canadian), German, Italian, Portuguese and Spanish (European & Latin).
- Leverage in-lesson quizzes and simple, easy-to-read reports to see the value of training and know who needs additional support.
- Simplify the training process and make it convenient for every employee with a personalized user portal.
- Automatically generate and send reports to stakeholders.
Want to learn more about security awareness training and how BullPhish ID can help secure your company and save you money? Explore the benefits of training with BullPhish ID today.
Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>