Cian Heasley, Threat Lead, Adarma
Wiper malware is a type of malicious software designed to destroy data, rendering it permanently inaccessible and unusable. Unlike ransomware, which is built so that access can be restored once a ransom is paid, wiper malware’s sole purpose is to obliterate data for good. It does this by overwriting or encrypting the contents of files, or by attacking the on-disk structures the operating system needs to boot and to locate files, so that the data cannot be retrieved.
Wiper malware has historically been less common than other types of malware because it offers attackers no direct profit. Its purpose is disruption and destruction rather than financial gain, which makes it a preferred tool for nation-state actors and hacktivists rather than for cybercriminals seeking monetary return.
Wiper malware first gained notoriety in 2012 with high-profile attacks on the energy companies Saudi Aramco (Saudi Arabia) and RasGas (Qatar). The Shamoon family of wipers was used in these attacks, causing significant disruption by wiping over 35,000 computers at Saudi Aramco alone.
In 2014, wiper malware featured prominently in the Sony Pictures attack. The group responsible, believed to be linked to the North Korean APT Lazarus Group, deployed wiper functionality across the company’s network; by early 2015 Sony Pictures had set aside $15 million for remediation and for dealing with the ongoing damage.
More recently, since the onset of Russia’s war on Ukraine, the use of wiper malware has surged. Ukrainian government institutions have been targeted by a series of wipers, including CaddyWiper, DoubleZero, DriveSlayer (also known as HermeticWiper), IsaacWiper, KillDisk, and WhisperGate.
In 2023, an affiliate of the LockBit ransomware gang publicly discussed using wiper malware against companies that refused to negotiate a payment. This suggests we may see more use of wiper malware by groups not linked to nation-states or hacktivists, precisely because of the scale of impact it has on organisations.
Wiper malware employs various techniques to destroy data:
1. Overwriting Files: This involves replacing file contents with random or fixed bytes so that the original data cannot be recovered. Many wipers overwrite only the first portion of each file, which is enough to make it unusable and is far faster than a full overwrite, so a large estate can be destroyed in minutes.
2. Encrypting Files: Encrypting files while discarding, or never generating, a recoverable key ensures the data remains inaccessible. To the victim this looks like ransomware until it becomes clear that no decryption will ever be possible.
3. Overwriting the MBR (Master Boot Record): The first sector of the disk holds the bootstrap code and the partition table. Corrupting it leaves the machine unable to boot even though most data is still on disk, which is why wipers usually combine this with other techniques. On GPT-partitioned disks the equivalent targets are the GPT headers and partition entries.
4. Overwriting the MFT (Master File Table): The MFT is NTFS’s index of every file on the volume. Corrupting it leaves file contents on disk but removes the file system’s ability to locate them, so recovery requires low-level forensic carving at best.
5. Using IOCTL (Input/Output Control) Requests: These requests are sent to device drivers (on Windows through DeviceIoControl) and let a process interact with disks below the file-system layer, for example to enumerate physical drives, read the partition layout, or manipulate raw sectors directly.
6. Third-Party Tooling: Some wipers drive legitimate, signed software to do the destruction rather than carrying their own disk-writing code; DriveSlayer, for instance, loads a legitimately signed partition-management driver and issues its raw disk writes through it. This makes prevention, detection and attribution more difficult.
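As an added illustration (not code from the original article or from Adarma), the check below parses a 512-byte MBR sector and reports whether it still looks bootable, which is exactly what techniques 3 and 5 above destroy. It is the kind of forensic triage a responder can run against the first sector of a disk image after a suspected wipe. The MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) is the real on-disk format; the sample sectors, the 7.0 bits-per-byte entropy threshold and the helper names are assumptions made for this demonstration.

```python
"""Assess whether a 512-byte MBR sector looks intact, zeroed or overwritten.

Added example, not code from the original article. The on-disk MBR layout is
real; every sample sector below is constructed for the demonstration.
"""
import hashlib
import math
import struct

SECTOR_SIZE = 512
BOOTSTRAP_END = 446            # bytes 0..445: bootstrap code
PART_TABLE_END = 510           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
HIGH_ENTROPY = 7.0             # assumed threshold; x86 bootstrap code sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty, well-formed entries of the four-slot partition table."""
    entries = []
    for i in range(4):
        off = BOOTSTRAP_END + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0 and lba_start == 0 and n_sectors == 0:
            continue                                  # unused slot
        if status not in (0x00, 0x80) or ptype == 0 or n_sectors == 0:
            continue                                  # garbage, not a partition
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": n_sectors})
    return entries


def assess_mbr(sector: bytes) -> dict:
    """Classify a sector as 'intact', 'zeroed' or 'overwritten' from its structure."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = sector[PART_TABLE_END:] == BOOT_SIGNATURE
    partitions = parse_partition_table(sector)
    entropy = shannon_entropy(sector[:BOOTSTRAP_END])
    if not any(sector):
        verdict = "zeroed"
    elif signature_ok and partitions and entropy < HIGH_ENTROPY:
        verdict = "intact"
    else:
        verdict = "overwritten"   # signature gone, table unreadable, or random-looking code
    return {"verdict": verdict, "signature_ok": signature_ok,
            "partitions": partitions, "bootstrap_entropy": round(entropy, 2)}


def build_intact_mbr() -> bytes:
    """Constructed sample: minimal bootstrap stub plus one bootable NTFS partition."""
    bootstrap = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"        # xor ax,ax / mov ss,ax / mov sp,7C00h
    bootstrap = bootstrap.ljust(BOOTSTRAP_END, b"\x90")  # padded with NOPs
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return bootstrap + entry + bytes(16 * 3) + BOOT_SIGNATURE


def random_fill(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a random-byte overwrite."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


SAMPLE_INTACT = build_intact_mbr()
SAMPLE_ZEROED = bytes(SECTOR_SIZE)
SAMPLE_RANDOM = random_fill(SECTOR_SIZE)
SAMPLE_FILLED = b"\xcc" * SECTOR_SIZE   # fixed-byte fill: low entropy, still destroyed

if __name__ == "__main__":
    for name, sec in [("intact", SAMPLE_INTACT), ("zeroed", SAMPLE_ZEROED),
                      ("random", SAMPLE_RANDOM), ("0xCC fill", SAMPLE_FILLED)]:
        r = assess_mbr(sec)
        print(f"{name:10s} verdict={r['verdict']:11s} signature={r['signature_ok']} "
              f"partitions={len(r['partitions'])} entropy={r['bootstrap_entropy']}")
```

The 0xCC sample is there to show why entropy alone is a poor signal: a fixed-byte fill has zero entropy but is just as fatal as random data, so the verdict rests first on the signature and partition table and uses entropy only to catch random overwrites that happen to leave those bytes plausible. Against a real image, read the first 512 bytes of the device and compare the partition entries with a known-good copy from your build records.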
How to Defend Against Wiper Malware
Defending against wiper malware requires a multi-layered approach that includes preventive measures, detection, and response strategies. Here are some recommendations to minimise the impact of wiper malware:
1. Regular Backups: Maintain frequent and secure backups of critical data, stored offline or in immutable storage, and test restores regularly. A wiper that can reach network-attached backups will destroy them too, which is the whole point of keeping copies it cannot touch.
2. Endpoint Protection: Deploy endpoint protection that can detect and block the behaviours wipers rely on, including mass file overwriting, raw writes to physical disk devices, MBR/MFT tampering, and the loading of drivers known to be abused for disk access.
3. Network Segmentation: Implement network segmentation to limit the spread of malware across your organisation.
4. Incident Response Plan: Develop and regularly update an incident response plan to contain and mitigate the impact of a wiper attack quickly.
5. User Education: Educate employees about the risks and signs of cyberattacks, including phishing schemes that often deliver malware.
6. Patch Management: Ensure all systems and software are up-to-date with the latest security patches to close vulnerabilities that could be exploited by attackers.
7. Monitoring and Logging: Implement robust monitoring and logging so that the early signs of a wiper attack are visible while it is in progress: processes opening raw disk devices, deletion of volume shadow copies or backup catalogues, sudden bursts of file modification from a single process, and unexpected driver loads.
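As an added example (not code from the original article or from Adarma), the script below runs three wiper-oriented detections over constructed endpoint events: a process opening a raw disk device for writing, commands that remove recovery options, and a burst of file overwrites by one process across several directories. The event schema, the thresholds, the backup-agent allowlist and the process names are all assumptions made for the demonstration; map them onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Flag wiper-style behaviour in endpoint telemetry (added example, not Adarma's code).

Event shape (assumed for this demo): one dict per event with 'ts' (seconds), 'host',
'pid', 'image' and 'type', plus type-specific fields. The sample events are constructed.
"""
from collections import defaultdict

# Assumed, tunable thresholds for the mass-overwrite rule.
BURST_WINDOW_S = 10       # look-back window in seconds
BURST_MIN_FILES = 25      # distinct files written inside the window
BURST_MIN_DIRS = 3        # spread across at least this many directories
# Assumed allowlist: software legitimately expected to write to raw disk devices.
ALLOWED_RAW_WRITERS = {"c:\\program files\\backupagent\\agent.exe"}
RAW_DEVICE_PREFIXES = ("\\\\.\\physicaldrive", "\\\\.\\c:", "\\device\\harddisk")
RECOVERY_KILLERS = ("vssadmin delete shadows", "wbadmin delete catalog",
                    "bcdedit /set {default} recoveryenabled no")


def detect_raw_disk_write(ev):
    """A process opening a raw disk device for writing bypasses the file system."""
    if ev["type"] != "file_open" or "write" not in ev["access"]:
        return None
    if not ev["target"].lower().startswith(RAW_DEVICE_PREFIXES):
        return None
    if ev["image"].lower() in ALLOWED_RAW_WRITERS:
        return None
    return {"rule": "raw_disk_write", "host": ev["host"], "pid": ev["pid"],
            "image": ev["image"], "detail": ev["target"]}


def detect_recovery_inhibition(ev):
    """Commands that delete shadow copies or backup catalogues often precede a wipe."""
    if ev["type"] != "process_create":
        return None
    cmd = " ".join(ev["cmdline"].lower().split())     # normalise case and whitespace
    if any(needle in cmd for needle in RECOVERY_KILLERS):
        return {"rule": "recovery_inhibition", "host": ev["host"], "pid": ev["pid"],
                "image": ev["image"], "detail": ev["cmdline"]}
    return None


def detect_mass_overwrite(events):
    """Per process, a sliding time window: many distinct files across many directories."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_write":
            by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)
    alerts = []
    for (host, pid, image), writes in by_proc.items():
        writes.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(writes)):
            while writes[end]["ts"] - writes[start]["ts"] > BURST_WINDOW_S:
                start += 1
            files = {w["target"].lower() for w in writes[start:end + 1]}
            dirs = {f.rsplit("\\", 1)[0] for f in files}
            if len(files) >= BURST_MIN_FILES and len(dirs) >= BURST_MIN_DIRS:
                alerts.append({"rule": "mass_overwrite", "host": host, "pid": pid, "image": image,
                               "detail": f"{len(files)} files in {len(dirs)} dirs within {BURST_WINDOW_S}s"})
                break                                 # one alert per process is enough
    return alerts


def run_detections(events):
    """Apply the per-event rules in event order, then the windowed rule."""
    alerts = [hit for ev in events
              for hit in (detect_raw_disk_write(ev), detect_recovery_inhibition(ev)) if hit]
    return alerts + detect_mass_overwrite(events)


def build_sample_events():
    """Constructed telemetry: a backup agent doing normal work, then an unknown binary
    that overwrites 30 user files in 6 seconds, opens the raw disk and deletes shadow copies."""
    agent = "C:\\Program Files\\BackupAgent\\agent.exe"
    bad = "C:\\Users\\Public\\svchost.exe"            # assumed masquerading name
    evs = [{"ts": 0, "host": "ws01", "pid": 400, "image": agent, "type": "file_open",
            "target": "\\\\.\\PhysicalDrive0", "access": "read"}]
    for i in range(5):
        evs.append({"ts": 1 + i, "host": "ws01", "pid": 400, "image": agent, "type": "file_write",
                    "target": f"C:\\ProgramData\\BackupAgent\\catalog{i}.db"})
    for i in range(30):
        sub = ("Documents", "Pictures", "Desktop")[i % 3]
        evs.append({"ts": 100 + i * 0.2, "host": "ws01", "pid": 4242, "image": bad,
                    "type": "file_write", "target": f"C:\\Users\\alice\\{sub}\\file{i}.docx"})
    evs.append({"ts": 107, "host": "ws01", "pid": 4242, "image": bad, "type": "file_open",
                "target": "\\\\.\\PhysicalDrive0", "access": "read,write"})
    evs.append({"ts": 108, "host": "ws01", "pid": 4243, "image": "C:\\Windows\\System32\\cmd.exe",
                "type": "process_create", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"})
    return evs


if __name__ == "__main__":
    for alert in run_detections(build_sample_events()):
        print(f"[{alert['rule']}] {alert['host']} pid={alert['pid']} {alert['image']}: {alert['detail']}")
```

The backup agent produces no alerts: its raw-device access is read-only and it touches only a handful of files, which is the behaviour the allowlist and thresholds are meant to exclude. The thresholds need tuning per environment (build servers and indexers legitimately write thousands of files quickly), and the raw-device rule is only as good as the allowlist of imaging and backup tools, so review that list rather than widening it each time the rule fires.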
By understanding the history, techniques, and defence against wiper malware, organisations can better prepare and protect themselves from these devastating cyber threats. Stay vigilant and proactive in your cybersecurity practices to minimise the risk and impact of wiper malware attacks.
Adarma’s Security Operations Center (SOC) analysts and threat specialists have extensive hands-on experience in detecting and managing incidents arising from initial access vectors, including those that are often precursors to wiper malware compromises. Currently, the Adarma Threat Team is actively monitoring seven known strains of wiper malware.
Meanwhile, Adarma’s Cyber Threat Intelligence (CTI) analysts continuously track multiple wiper malware campaigns and gather related indicators of compromise (IOCs). These IOCs are then compared against incoming data on the platforms supported by Adarma, enabling swift identification of matches for immediate response and remediation.
In addition, ongoing research is underway to develop threat-hunting capabilities and detection content. This research focuses on the tactics and techniques employed by government-linked Advanced Persistent Threats (APTs) and hacktivist groups that have used wiper malware in the past or voiced threats to do so.
Adarma’s approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. With tailored threat intelligence, technological solutions, and strategic consultations that cater to customers’ specific security requirements and business goals, Adarma delivers a balanced approach between security and operational efficiency.
Discover our tailored services and find out why we are the preferred security partner for FTSE 350 firms.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our C-suite publication that explores the state of the threat landscape, emerging cyber threats, and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.