As the war between Russia and Ukraine continues, there has been a sudden rise in the deployment of wiper malware. While these attacks have not been attributed to Russia-based threat actors, their motives align with the Russian military’s. Fortinet researchers have now discovered that wiper malware is being used to target not only Ukraine but also other countries.

Diving into details

  • The first six months of 2022 witnessed seven new wiper variants that were used in campaigns against private, government, and military organizations.
  • Wiper malware attacks were detected in 24 nations, besides Ukraine. 
  • Among these, disk-wiping malware has become unstoppable, as it is used to target critical infrastructure.
  • These malware strains use techniques such as overwriting and encrypting files, overwriting the MBR, and third-party tooling, among others, to destroy the victims’ data.

Why this matters

  • Financial gain is one of the motivators behind the widespread deployment of wipers, although a less significant one. There are wipers that pretend to be ransomware and ask for ransom but don’t possess any capability to recover data. 
  • Cyberespionage is another driver: when only data is destroyed, without any other consequences, it leads to one conclusion, namely that the wiper was deployed once the attackers had pilfered the information they needed.
  • Lately, wipers have been used for cyberwarfare. These malware strains include WhisperGate, WhisperKill, HermeticWiper, CaddyWiper, IsaacWiper, AcidRain, and DoubleZero.

The bottom line

Analysis of adversary strategies reveals that threat actors are constantly evolving their tactics and leveraging ongoing geopolitical conflicts as a conduit for injecting their malicious wares. Therefore, the most crucial countermeasure for staying safe from wiper attacks is to ensure you have a proper backup of all your data, kept off-site and offline. Furthermore, proper network segmentation, a disaster recovery plan, and incident response should be implemented to ensure quick recovery from any incident.
Cyware Publisher
