Wiper Malware Grows More Malicious

Wiper malware, a tool nation-states deploy under the guise of ransomware to inflict as much damage as possible and completely disrupt operations, is not a new threat, but recent changes to how wipers operate have made it more dangerous.

Unlike ransomware, where financial gain is the primary driver, wipers are purely destructive. Attacks using wipers have been deployed by nation-states for political posturing, to cover attackers’ tracks after cyberespionage attempts and for plain old malicious reasons to cause general damage and havoc.

Wipers have been around since late 2012 and were brought into the media spotlight during the 2014 North Korean attack on Sony Pictures. That attack was in retaliation for Sony’s refusal to heed demands to withdraw “The Interview” movie.

While not as prominent as ransomware and other types of attacks, wipers are a well-used tool in cyberattackers’ arsenals.

Wipers’ Goals: Inflict Maximum Damage

“We have to remember that the main goal of a wiper is to inflict as much damage as possible to disrupt operations,” Deep Instinct’s Director of Cybersecurity Advocacy Chuck Everette explained. “The latest wiper variants now include code to disrupt possible file restoration efforts by attacking backup systems and processes before starting the destructive actions on the local hard disk.”

He noted that malicious actors have also made changes to the code that now add a spamming or flooding action to the hard disk.

Now, the code spams the disks with junk data until all free space is filled, adding to the difficulty of any file recovery or restoration actions.
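The disk-flooding behavior Everette describes leaves a simple signal on the host: free space falls steadily, at a rate no normal workload sustains, toward zero. The script below is an added example, not code from the article or from Deep Instinct. It shows one way a monitoring agent could turn periodic free-space readings into an alert while ignoring a single large legitimate write. The thresholds (a 60-second window, 50 MB/s, a projected fill time under 10 minutes) and the sample readings are constructed for illustration.

```python
"""Added example (not from the article): detect free-space exhaustion
consistent with a wiper flooding a volume with junk data.

A single large write is normal; what is suspicious is free space falling
monotonically for a whole window at a rate that would fill the volume
within minutes. Sample readings below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    ts: int         # seconds (constructed clock)
    free_mb: int    # free space on the volume in MB


@dataclass
class Alert:
    ts: int                 # time of the sample that triggered the alert
    drain_rate_mb_s: float  # average MB/s lost over the window
    seconds_to_full: float  # projected time until free space hits zero


def detect_disk_flood(samples: List[Sample], window_s: int = 60,
                      min_rate_mb_s: float = 50.0,
                      max_seconds_to_full: float = 600.0) -> Optional[Alert]:
    """Return the first Alert found, or None if the readings look benign.

    An alert requires that, over a window of at least window_s seconds,
    every successive sample is strictly lower than the previous one and the
    average drain rate both exceeds min_rate_mb_s and would empty the volume
    within max_seconds_to_full.
    """
    samples = sorted(samples, key=lambda s: s.ts)
    for i, start in enumerate(samples):
        # First sample that closes a full window after `start`.
        end_idx = next((j for j in range(i + 1, len(samples))
                        if samples[j].ts - start.ts >= window_s), None)
        if end_idx is None:
            break  # not enough data left to fill a window
        window = samples[i:end_idx + 1]
        steadily_falling = all(b.free_mb < a.free_mb
                               for a, b in zip(window, window[1:]))
        if not steadily_falling:
            continue
        end = window[-1]
        rate = (start.free_mb - end.free_mb) / (end.ts - start.ts)  # > 0 here
        seconds_to_full = end.free_mb / rate
        if rate >= min_rate_mb_s and seconds_to_full <= max_seconds_to_full:
            return Alert(end.ts, rate, seconds_to_full)
    return None


# Constructed telemetry: two minutes of idle jitter, then a flood that
# removes 1 GB every 10 seconds from a 50 GB volume.
IDLE = [Sample(t, 50_000 + (t // 10 % 3) * 10) for t in range(0, 120, 10)]
FLOOD = [Sample(120 + 10 * k, 50_000 - 1_000 * k) for k in range(8)]
# A one-off 5 GB write followed by a flat line: legitimate, must not alert.
ONE_BIG_WRITE = [Sample(t, 50_000 if t < 30 else 45_000) for t in range(0, 200, 10)]

if __name__ == "__main__":
    print("idle only:", detect_disk_flood(IDLE))
    print("one big write:", detect_disk_flood(ONE_BIG_WRITE))
    print("flood:", detect_disk_flood(IDLE + FLOOD))
```

Requiring every sample in the window to be strictly lower is what keeps the single 5 GB write quiet: it drops free space once and then flattens, whereas flooding keeps draining until the volume is full. In practice the readings would come from the host's own disk telemetry and the thresholds would be tuned to the volume's normal churn.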

“The key to understanding these is the risk is no longer just to internal networks,” Everette said. “Companies need to protect and monitor their whole environments now. In today’s rapid adoption and expansion to the cloud, digital transformation efforts and remote workforce trends, companies’ attack surface is growing by leaps and bounds.”

He pointed out that data is no longer held securely within the four walls of companies’ own data centers, protected behind their own firewalls, tools and monitoring.

Everette said the digital footprint and attack surface are now considered global in most cases, which makes a “prevention-first” mindset key as well: most of today’s security solutions require an attack to execute and run before they identify it and check whether it is malicious, which can take 60 seconds or more.

“When dealing with an unknown threat, 60 seconds is too long to wait for analysis,” Everette said. “So, having a firm understanding of where your data and assets are located, implementing good security hygiene best practices and investing in state-of-the-art monitoring and cybersecurity prevention products is critical.”

Lastly, these solutions all need to be in place, configured properly, patched and up-to-date, and tested methodically and continuously.

Wiper Malware Evolves to Focus on Speed

Jake Williams, co-founder and CTO at BreachQuest, an incident response specialist, said most recent evolutions in wiper malware focus on speed, particularly for large files.

“One thing we see with many of today’s wipers is the realization that it isn’t necessary to scramble the entire file to make it unusable,” he said. “By surgically scrambling—wiping—portions of a large file, it is rendered completely unreadable.”
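Williams’ point about surgically scrambled large files, and Everette’s earlier point about wipers going after backups first, both bear on how a backup is verified before anyone relies on it. A file whose middle has been overwritten still has the right size and the right header bytes, so shallow sanity checks pass. The script below is an added example, not code from the article, BreachQuest or Deep Instinct. It records a per-chunk SHA-256 manifest when a backup is taken and later reports which chunks no longer match; the sample “PDF”, its corruption and the 64 KB chunk size are all constructed for the demonstration.

```python
"""Added example (not the article's code): a chunk-level integrity manifest
that catches surgical (partial) overwrites in large files.

The header and size checks below are the kind of shallow sanity tests a
backup job might run; a per-chunk SHA-256 manifest catches damage they miss
and says which part of the file was hit. The sample file and the corruption
are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

CHUNK_SIZE = 64 * 1024
PDF_MAGIC = b"%PDF-"


def make_sample_file(directory: str, size: int = 1024 * 1024) -> str:
    """Write a deterministic pseudo-PDF of `size` bytes (constructed data)."""
    path = os.path.join(directory, "report.pdf")
    body = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))
    with open(path, "wb") as f:
        f.write((PDF_MAGIC + body)[:size])
    return path


def build_manifest(path: str) -> List[str]:
    """SHA-256 of every CHUNK_SIZE-byte chunk, in file order."""
    digests = []
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK_SIZE):
            digests.append(hashlib.sha256(chunk).hexdigest())
    return digests


def header_intact(path: str, magic: bytes = PDF_MAGIC) -> bool:
    """Shallow check: does the file still start with the expected magic bytes?"""
    with open(path, "rb") as f:
        return f.read(len(magic)) == magic


def damaged_chunks(path: str, manifest: List[str]) -> List[int]:
    """Indices of chunks whose hash no longer matches the manifest
    (including chunks that appeared or disappeared if the size changed)."""
    current = build_manifest(path)
    longest = max(len(current), len(manifest))
    return [i for i in range(longest)
            if i >= len(current) or i >= len(manifest) or current[i] != manifest[i]]


def overwrite_range(path: str, offset: int, length: int) -> None:
    """Test fixture: flip every bit in [offset, offset+length) so the file
    keeps its size and header but one middle chunk becomes unreadable."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(length)
        f.seek(offset)
        f.write(bytes(b ^ 0xFF for b in original))


def demo() -> Dict[str, object]:
    """Build a file, record its manifest, damage it, then run all checks."""
    with tempfile.TemporaryDirectory() as tmp:
        path = make_sample_file(tmp)
        manifest = build_manifest(path)          # taken when the backup was made
        size_before = os.path.getsize(path)
        overwrite_range(path, 300_000, 4096)     # 4 KB inside chunk 4 of 16
        return {
            "header_ok": header_intact(path),
            "size_ok": os.path.getsize(path) == size_before,
            "damaged_chunks": damaged_chunks(path, manifest),
            "chunks_total": len(manifest),
        }


if __name__ == "__main__":
    print(demo())
```

Both shallow checks report the damaged file as fine; only the manifest comparison reports chunk 4 as changed. Storing the manifest with the backup, on media the production hosts cannot write to, is what makes the check meaningful against a wiper that reaches the backup system first.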

He noted that wiper malware is extremely impactful for organizations because it’s effectively ransomware without the possibility of recovering the data through decryption.

“Because the features of the malware are so similar, it’s clear that wiper malware authors are learning lessons from ransomware authors,” Williams said, adding that while organizations are largely not focusing on wiper malware, they really should be.

“The good news is that most of their ransomware response plans can be adapted to account for wiper malware by removing the possibility that they can recover by paying a ransom,” he said.

From the perspective of Simon Aldama, CISSP and principal security advisor at Netenrich, a digital IT and security operations company, organizations that consume threat intelligence as part of maintaining situational cybersecurity awareness are more attuned to the threat wiper-based malware poses to the business.

“On the flip side, organizations with unhygienic cybersecurity practices will be unprepared to restore operations, especially if they’re under the assumption a negotiated ransom will assist in the restoration of unrecoverable data,” he said.

Aldama explained that one basic but important step organizations can take is paying attention to cybersecurity trends affecting similar businesses within their industry.

“Trends are easily identified through news outlets and freely available threat intelligence feeds,” he said. “With this information at hand, tactics and techniques can be noted and mitigations prioritized to reduce the probability of becoming an easy target.”

He predicts that data wiping malware will continue to be integrated into digital weaponry used during campaigns to destroy evidence left behind by threat actors.

“In addition, this type of threat will continue to be used for pure data destruction use cases,” he said. “Regardless of the scenario, organizations need to routinely assess the cyberattack trends affecting their industry and the priorities others have taken to mitigate such threats.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
