Wiper
A wiper is malware designed to destroy data and render systems inoperable. Unlike malware that steals or encrypts data, a wiper aims to permanently delete or corrupt files so that they cannot be recovered. Cyber warfare and state-sponsored threat actors often use wipers to sabotage critical infrastructure, disrupt operations, or conduct psychological warfare.
Characteristics
•Targeted and Premeditated—Wiper attacks are carefully planned, often take months to prepare, and typically target specific organizations or infrastructures.
•Destructive Methods—Wipers destroy data by overwriting files with zeros or random data or partially damaging documents, rendering systems non-functional.
•Network-Wide Impact—Some wipers are designed to spread across networks, affecting not only individual devices but entire organizational networks.
•False Flags—Attackers may leave false indicators to mislead investigators or shift blame to other entities.
•Motivations—The primary motivations behind wiper attacks include destroying evidence, demonstrating power in geopolitical conflicts, and shaking the morale of targeted entities.
Examples
•HermeticWiper—Used in attacks on Ukrainian organizations, part of a broader campaign during the Russian invasion.
•CaddyWiper—Another wiper deployed in Ukraine, targeting various organizations.
•Industroyer2—A sophisticated wiper targeting industrial control systems used in attacks on Ukraine's power grid.
•(Not)Petya—A destructive wiper that affected Ukraine and spread globally, initially disguised as ransomware.
•Olympic Destroyer—Used by the Sandworm Team to disrupt the 2018 Winter Olympics in South Korea.
•Stuxnet—While primarily known for targeting industrial control systems, it caused significant physical damage to centrifuges at Iran's Natanz nuclear facility, delaying its nuclear program.
•Shamoon—Used in 2012 and 2016 against Saudi energy companies, Shamoon overwrote files with symbolic images.
Risk for Small and Medium Businesses (SMBs)
While SMBs are not usually the primary targets of wiper attacks, they can be affected as collateral damage or through supply chain attacks. Managed Service Providers (MSPs) serving larger organizations may also be targeted to gain access to their clients' networks.
Detection and prevention
•Use high-quality cybersecurity software, such as ESET security solutions (ESET Products), to detect and block wiper malware.
•Implement constant network monitoring to identify unusual activities.
•Block unauthorized access to critical systems.
•Have an effective backup and recovery strategy in place, ensuring backups are stored offline or in secure cloud environments.
•If a wiper is detected, immediately terminate the affected processes and, if it is safe to do so, disconnect the system from the network.
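The Destructive Methods characteristic above (overwriting with zeros or random data, or partially damaging files) and the monitoring and backup advice in this list can be combined into a simple post-incident triage. The following Python script is an added example, not part of this page or of any ESET product: it compares a directory against a baseline manifest of SHA-256 hashes (such as one taken from a known-good backup) and labels every changed file as zero-filled, random-filled, header-damaged, intact, or missing. The file signatures, entropy threshold, and the sample files it creates in a temporary directory are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed lookup of file signatures (magic bytes) used to check whether a
# file's header still matches what its extension promises. Extend as needed.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
RANDOM_ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data scores ~7.9+


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_content(data: bytes, ext: str) -> str:
    """Heuristic label for a file body: empty, zero_filled, random_filled,
    header_damaged or intact. Compressed formats (zip, docx) are high-entropy
    by nature, so a matching header takes precedence over the entropy test."""
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "zero_filled"
    high_entropy = shannon_entropy(data) > RANDOM_ENTROPY_THRESHOLD
    magic = MAGIC.get(ext.lower())
    if magic is not None:
        if data.startswith(magic):
            return "intact"
        return "random_filled" if high_entropy else "header_damaged"
    # Unknown format: entropy alone decides. Encrypted or compressed data with an
    # unlisted extension also trips this, so treat the label as a lead, not a verdict.
    return "random_filled" if high_entropy else "intact"


def build_manifest(root: str) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def triage(root: str, baseline: dict) -> dict:
    """Compare the live tree against a baseline manifest and label every file."""
    report = {}
    current = build_manifest(root)
    for rel, digest in current.items():
        if baseline.get(rel) == digest:
            report[rel] = "unchanged"
        else:
            with open(os.path.join(root, rel), "rb") as fh:
                report[rel] = classify_content(fh.read(), os.path.splitext(rel)[1])
    for rel in baseline:
        if rel not in current:
            report[rel] = "missing"
    return report


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter stream) so the demo repeats exactly."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]


def run_demo() -> dict:
    """Constructed scenario: write a healthy file set, record its manifest, then
    replace some files with the patterns a wiper leaves behind and triage the result."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "report.pdf": b"%PDF-1.7\n" + b"report body " * 200,
            "notes.txt": b"quarterly notes\n" * 100,
            "archive.zip": b"PK\x03\x04" + pseudo_random_bytes(2048),
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + b"x" * 50,
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)  # stands in for the hashes of a clean backup
        # Damage patterns applied only to these constructed sample files:
        with open(os.path.join(root, "report.pdf"), "wb") as fh:
            fh.write(b"\x00" * 4096)               # zero overwrite
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(pseudo_random_bytes(4096))    # random overwrite
        os.remove(os.path.join(root, "archive.zip"))  # deleted outright
        return triage(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(run_demo().items()):
        print(f"{status:14} {rel}")
```

In a real response the baseline manifest comes from the offline backup or from a file-integrity monitor, and the labels tell the responder which files must be restored (zero- or random-filled, missing) and which may still be partially readable (header-damaged) before rebuilding the host.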
Action after infection
Data recovery may be impossible in a wiper infection as the malware is designed to make data unrecoverable. However, isolating the affected system and preventing further spread is crucial. Rebuilding the system from clean backups is often necessary.
Unlike ransomware, which seeks payment for data recovery, wipers are designed to cause maximum disruption and damage.