Few assets matter more to an organization than its data. Everything from routine internal communication to core business operations grinds to a halt if that data suddenly disappears, and data loss on that scale is one of the worst scenarios a business owner can face. Wiper malware is that scenario made real.
In this blog, we’ll discuss everything there’s to know about Wiper malware and the extent of damage it can inflict upon an organization.
WHAT IS WIPER MALWARE?
A wiper is a type of malware designed primarily to destroy an organization’s data, which can lead to massive financial losses and lasting damage to the company’s reputation. It differs from most other malware families in that its goal is neither to make money nor to steal sensitive information but to destroy data. The two most common motives for deploying a wiper are to send a message (sabotage) and to cover the attacker’s tracks after data has already been exfiltrated.
HOW DOES WIPER MALWARE WORK?
There are many wipers, and each works in a slightly different way. However, this family of malware always goes after the same three targets: the files (data), the boot records, and the backups. More often than not, a single wiper targets all three.
File destruction is the most time-consuming of the three. Overwriting every file on a disk takes a long time (simply deleting them is fast, but deleted data is often recoverable), so most wipers damage files only partially, in a way that still renders them unusable: they overwrite a fixed number of bytes at the start of each file, or blocks at scattered offsets, and move on. Some wipers also select files by type, size or path rather than destroying everything.
Another common tactic is to encrypt key on-disk structures. Unlike ransomware, a wiper uses “key-less” encryption: the key is generated at random and never stored or transmitted, so the result is indistinguishable from random data and irreversible. The attack on the files usually ends with an assault on the system’s recovery tools. Wipers also attack the NTFS Master File Table (MFT), which records the metadata of every file on the volume, including creation dates, on-disk location and access permissions; destroying the MFT orphans the data even where the file contents themselves are untouched.
A destructive wiper often damages the Master Boot Record (MBR) and the Volume Boot Records (VBRs), either by overwriting them or by key-less encryption. The MBR holds the partition table and the first-stage boot code that hands off to the boot loader in a VBR. Once the MBR and/or a VBR is altered, the system can no longer boot the OS or mount the filesystem. Unlike files, which can take hours to overwrite, the MBR and VBRs can be trashed in seconds, so an unbootable machine is often the first visible sign of an attack. (On UEFI systems with GPT disks the equivalent targets are the GPT header and the EFI system partition.)
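The following Python script is an added triage example (not code from the original post or from any of the wiper families it names) showing what the partial file overwrite, key-less encryption and MBR damage described above look like to an incident responder. It builds constructed in-memory samples (a stand-in PNG whose first sector is zero-filled or replaced with high-entropy bytes, and a constructed MBR with one NTFS partition) and applies three checks: does the file still start with the signature its extension implies, what is the entropy of its first sector, and does the MBR still carry a boot signature and a plausible partition table. The file signature table and the sample contents are assumptions for the example.

```python
"""Triage checks for wiper damage on constructed in-memory samples.
Added example; not code from the original post or from any named wiper family."""
import math
import os
import struct

# Leading bytes a healthy file of each type must carry (assumed, commonly known signatures).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
}
SECTOR = 512


def header_intact(name: str, data: bytes) -> bool:
    """True if the file's leading bytes match the signature expected for its extension."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    return True if magic is None else data.startswith(magic)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(name: str, data: bytes) -> str:
    """Label a file by how its first sector looks after a suspected partial overwrite."""
    if header_intact(name, data):
        return "ok"
    ent = shannon_entropy(data[:SECTOR])
    if ent > 7.0:
        return "high-entropy-overwrite"  # random fill or key-less encryption
    if ent < 1.0:
        return "low-entropy-overwrite"   # zero-fill or a single repeated byte
    return "corrupted"


def mbr_intact(sector: bytes) -> bool:
    """Sanity-check a 512-byte MBR: boot signature present and partition table plausible."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    used = 0
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        if status not in (0x00, 0x80):  # only "inactive" or "bootable" are legal
            return False
        used += ptype != 0
    return used > 0


def make_samples() -> dict:
    """Constructed sample files: one healthy, two with the first sector wiped in different styles."""
    body = bytes(range(64)) * 64  # 4 KiB of stand-in content, not a real PNG body
    healthy = MAGIC[".png"] + body
    zeroed = b"\x00" * SECTOR + healthy[SECTOR:]            # first sector zero-filled
    scrambled = bytes(range(256)) * 2 + healthy[SECTOR:]    # first sector replaced with high-entropy bytes
    return {"report.png": healthy, "report_zeroed.png": zeroed, "report_scrambled.png": scrambled}


def make_mbr(wiped: bool = False) -> bytes:
    """Constructed MBR with one bootable NTFS partition; wiped=True returns an all-zero sector."""
    if wiped:
        return b"\x00" * SECTOR
    sector = bytearray(SECTOR)
    # entry: status 0x80 (bootable), CHS start (unused), type 0x07 (NTFS), CHS end (unused),
    # LBA start 2048, 2 097 152 sectors (1 GiB)
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2_097_152)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for name, data in make_samples().items():
        print(f"{name}: {classify_file(name, data)}")
    print("MBR healthy:", mbr_intact(make_mbr()), "| MBR wiped:", mbr_intact(make_mbr(wiped=True)))
```

Run against a real disk image, the same three checks separate files that are merely deleted (signature intact once the data is carved back) from files whose headers were overwritten, and the entropy of the overwritten region tells you whether the wiper zero-filled, wrote junk, or encrypted with a discarded key.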
Several wiper variants are designed to defeat file restoration by damaging backup processes and systems before they begin the attack on the hard disks. The malware does everything it can to destroy the data and any hope of recovering it. So, in addition to attacking the files and the boot records, wipers also go after the operating system features that could help restore damaged files.
For example, they delete volume shadow copies, the Windows feature that keeps point-in-time snapshots of a volume, typically with vssadmin or WMI. They also disable the Windows recovery environment (the Recovery Console on older versions, WinRE today), a command-line toolset for restoring Windows to a bootable state, usually by changing the boot configuration with bcdedit. Wipers thoroughly destroy the backups to ensure that the victims can never salvage or recover any of the destroyed data.
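Because these recovery-tampering steps run before the actual wipe, they are the point at which a detection still buys you something. The Python below is an added example (not code from the original post) of detection logic run over process-creation events: it matches command lines that delete shadow copies, disable recovery, or remove the backup catalog, and flags hosts on which several distinct tamper types appear, since one vssadmin call can be legitimate while the full sequence almost never is. The log lines are constructed, and the “timestamp | host | user | parent image | command line” export format is an assumption for the example.

```python
"""Detect recovery-tampering commands that wipers run before destroying data.
Added example, not code from the original post. Log lines are constructed; the
'timestamp | host | user | parent image | command line' format is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Command lines that delete shadow copies, disable recovery, or remove backup catalogs.
RECOVERY_TAMPERING = [
    ("vss_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("vss_delete_wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("vss_delete_wmi_class", re.compile(r"Win32_ShadowCopy", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    parent: str
    tag: str
    cmdline: str


def parse_line(line: str):
    """Split one export line into its five fields; return None for blank or malformed lines."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 5 or not parts[0]:
        return None
    return parts


def scan(lines) -> list:
    """Return a Finding for every process-creation line whose command line matches a tamper pattern."""
    findings = []
    for line in lines:
        parts = parse_line(line)
        if parts is None:
            continue
        ts, host, user, parent, cmdline = parts
        for tag, pattern in RECOVERY_TAMPERING:
            if pattern.search(cmdline):
                findings.append(Finding(ts, host, user, parent, tag, cmdline))
    return findings


def hosts_with_multiple_tamper_types(findings, minimum: int = 2) -> set:
    """Hosts on which at least `minimum` distinct tamper types were seen: a far stronger
    signal than a single vssadmin call, which backup software may issue legitimately."""
    tags_by_host = defaultdict(set)
    for f in findings:
        tags_by_host[f.host].add(f.tag)
    return {host for host, tags in tags_by_host.items() if len(tags) >= minimum}


# Constructed sample export: one workstation showing the full pre-wipe sequence, two benign hosts.
SAMPLE_LOG = """\
2023-03-14T08:12:01Z | WS-017 | CORP\\svc_deploy | cmd.exe | vssadmin.exe delete shadows /all /quiet
2023-03-14T08:12:02Z | WS-017 | CORP\\svc_deploy | cmd.exe | wmic.exe shadowcopy delete
2023-03-14T08:12:03Z | WS-017 | CORP\\svc_deploy | cmd.exe | bcdedit.exe /set {default} recoveryenabled No
2023-03-14T08:12:03Z | WS-017 | CORP\\svc_deploy | cmd.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2023-03-14T08:12:04Z | WS-017 | CORP\\svc_deploy | cmd.exe | wbadmin.exe delete catalog -quiet
2023-03-14T08:15:11Z | WS-022 | CORP\\jdoe | explorer.exe | notepad.exe C:\\Users\\jdoe\\notes.txt
2023-03-14T09:01:40Z | FS-01 | CORP\\backupadm | services.exe | vssadmin.exe list shadows
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.host} {f.user} [{f.tag}] {f.cmdline}")
    print("hosts with multi-step recovery tampering:", hosts_with_multiple_tamper_types(found))
```

The same patterns map directly onto Sysmon Event ID 1 or Windows Security Event ID 4688 command-line fields; the useful tuning knob is the per-host threshold, which keeps a backup server that legitimately resizes shadow storage from paging anyone while still catching the five-command sequence above.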
REAL-LIFE EXAMPLES OF A WIPER MALWARE ATTACK
Wiper malware has brought large organizations and entire government services to a standstill. Its variants have been used in several high-profile, disruptive attacks around the globe. The following are some of the major examples and the damage they caused.
Shamoon is an infamous wiper that wreaked havoc on Saudi Aramco and other Middle Eastern energy companies in 2012. Saudi Aramco, the world’s largest crude exporter, was hit after the malware gained a foothold on employee workstations and spread across its network; the attack wiped over 30,000 workstations.
Shamoon goes to great lengths to prevent the victims from recovering any data. It self-propagates from computer to computer over network shares, then overwrites files with a fragment of a JPEG image (in the 2012 attack, a picture of a burning US flag). It uses a legitimately signed third-party disk driver (EldoS RawDisk) to obtain raw, low-level access to the drive and wipe the master boot record, leaving the systems unable to boot.
Meteor is a reusable wiper that came to light after the July 2021 attack on Iran’s national railway system and its transport ministry, which took down the ministry’s website and disrupted train services across the country. The attackers also defaced the station display boards with a message telling passengers to call the office of Supreme Leader Ayatollah Ali Khamenei with their complaints. With hundreds of trains cancelled or delayed, the incident caused chaos at stations.
Meteor is driven by an external configuration file and has an extensive feature set: it deletes shadow copies, changes user passwords to lock users out, disables recovery mode, runs arbitrary commands, and terminates arbitrary processes.
ZeroCleare is another notorious wiper built to destroy as much data as possible on the targeted systems. In 2019 it was deployed in attacks against several energy companies across the Middle East. It overwrites the disk partitions and the master boot record (MBR) of Windows machines using the EldoS RawDisk driver.
The operators used malicious PowerShell and batch scripts to deploy it, and first loaded a legitimately signed but vulnerable third-party driver (a VirtualBox driver) to bypass Driver Signature Enforcement and get the unsigned RawDisk driver into the kernel. The wiper then spread across the affected network and wiped thousands of systems.
HOW TO MITIGATE THE RISK OF A WIPER MALWARE ATTACK?
Once a wiper runs on your organization’s systems there is very little left to do: the data it reached is gone, and the only copies you can recover are the ones it could not reach. Mitigation therefore rests on keeping the malware from gaining a foothold and spreading in the first place, and on keeping backups out of its reach.
Here are a few preventive measures you can put in place to keep your business safe from this threat.
- Wiper malware destroys data as soon as its payload runs, which leaves almost no window for an EDR response at that point. Prevention therefore matters more than reaction, and detection should focus on the precursor steps (a new disk driver being loaded, shadow copies being deleted, recovery being disabled) rather than on the wipe itself. Deploy proactive security controls that block those steps before the destructive stage.
- Segment your networks and restrict access to crucial data to the few accounts that genuinely need it. Wipers such as Shamoon spread over network shares, so a flat network and over-privileged accounts turn one infected host into thousands. Conduct periodic network security testing to find weaknesses and fix them before they are exploited.
- Back up all important data regularly and keep the backups in a separate, secure location, preferably offsite and offline or otherwise immutable, so that a wiper running with administrative rights on the network cannot reach them. Test restores regularly; a backup that has never been restored is not a backup.
- Keep all systems and the wider IT infrastructure patched and hardened at all times. Continuously test and improve your incident response, recovery, and business continuity plans.
Now that you understand the damage wiper malware can do to an organization’s business and everyday operations, it is time to become proactive about your security measures. Keep your defenses up to date and ready for whatever comes next.