• Wiper is a kind of malware that intends to destroy data and/or the systems it infects.
  • The motive could be sending a message, introducing fear, or erasing any trace of activity.

Because there is almost no chance of recovering the data, wiper attacks can be fatal to organizations. The wipers may destroy data without impacting systems, or vice versa.

Analyzing wipers

Most wipers have three targets — data files, boot system of the machines’ operating system, and backup of data and system.

Some wipers rewrite a targeted list of files, some rewrite all files inside specific folders, some target only the first few bytes of all files to destroy headers, and some overwrite a particular amount of files every other amount. These methodologies are implemented to be more efficient, as destroying the files takes the maximum amount of time for this class of malware.

Destroying backup usually involves the malware deleting the shadow copies of files. The original operating system is rendered unbootable by either erasing the first 10 sectors of the physical disks or by rewriting these sectors.

Notorious wipers in the wild

This malware has been around for a while now, and a few of them have caught our attention with their large-scale activities.

  • A wiper named Flame was uncovered to be infected systems in the middle eastern countries.
  • Shamoon wiper is believed to have impacted at least 30,000 computers at Saudi Aramco. The systems were completely wiped and unbootable.
  • In 2013, a wiper named Dark Seoul infected South Korea’s banks and broadcasting agencies in a coordinated attack.
  • Sony Pictures Entertainment was the victim of an attack by Destover wiper. It leaked confidential data and rendered a number of machines unusable.
  • The Petya malware was discovered to be a wiper disguised as a ransomware. This means that even after victims paid their ransom, their data couldn’t be recovered.
  • German-speaking users were recently targeted by the Ordinypt wiper malware. The campaign involved phishing emails pretending to be a job application.

Defending against wipers

The defensive mechanisms against wipers are similar to that of malware. Experts recommend swift action as allowing the malware to stay on the system longer enables it to cause more damage.

  • Having a Cybersecurity Incident Response Plan (CSIRP) in place can help you and your team respond appropriately to the attack. The plan must clearly define the roles and responsibilities of different teams in the organization.
  • In the case of a wiper attack, it is essential to isolate the affected network to prevent the malware from spreading.
  • Trusting the entire organization’s security to a single technology makes the line of defense quite weak. The traffic of the internal network must be strictly monitored.
Cyware Publisher