The latest intel on wipers

The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks. Does the evidence corroborate the theory that the ongoing conflict in Europe is to blame for the rise in wipers? Indeed. Furthermore, given that Russia is the main source of wiper activity, one can anticipate an increase in the use of wipers against countries and organizations that provide aid, weapons or other logistical support to Ukraine.

While both ransomware and wipers increased in the second half of 2022, FortiGuard Labs research found it was wipers that really took off. And this trend shows no sign of slowing, which means defenders must take action and prepare now as if they will be targeted.

Major wipe-out in the second half of 2022

Destructive APT-like wiper malware spread wide in 2022. Data analysis demonstrates a pattern of bad actors persistently deploying destructive attack methods against their targets. It also demonstrates, because the internet has no physical boundaries, how quickly cyber attackers are able to adopt and scale these kinds of attacks—which have been made possible in large part by the Cybercrime-as-a-Service (CaaS) paradigm.

Wipers have been around since 2012 and got their name from the goal of the malware: to “wipe” the victim’s computer files. Up until 2022, wiper activity was few and far between, with maybe one to two new samples cropping up per year. But between the first and second half of 2022, wiper volume saw a substantial increase in volume, and the year ended with a clearly higher uptick. An intriguing distinction in the first half of 2022 was that numerous organizations publicly linked most of the detected wipers—CaddyWiper, WhisperGate, HermeticWiper, etc.—to Russian state-sponsored actors.

Furthermore, in the second half, additional identified wipers were either attributed to pro-Russian hacktivist organizations like Somnia or to people who were motivated by this trend to develop their own wipers. That’s a very important shift to note, as it opens the door to more families, actors and cybercrime in general.

The expansion of wiper malware into other nations later in the year caused a 53% rise in wiper activity from Q3 to Q4 alone. While part of this activity may have been made possible by wiper software, which was initially created and propagated by nation-state actors in the context of the war, it is now being adopted by cybercriminal organizations and is moving outside of Europe.

Given the magnitude of activity seen at the end of last year, the trajectory of wiper malware does not look to be slowing down anytime soon. And that means that any company could be a potential target.

The growth of wipers

Already this year, wiper malware has become more and more prevalent, which is troubling. A bigger worry is that wiperware will become increasingly commoditized and become even more easily accessible to cybercriminals via CaaS. One of the major new concerns the security community as a whole is experiencing is the use of wipers in conjunction with other attack vectors. Wipers have the potential to devastate IT networks in both the public and private sectors around the world. And because they have been commoditized, wipers can massively damage networks.

Avoiding a wipe out 

The cybersecurity community is always looking for the next shiny object that might aid in the fight against ransomware and wipers. Investment up front for mitigation of wipers is increasingly important, as initial damage can be exponentially costly for recovery. And it’s really tried-and-true tactics like these that win the day:

• Proactive defense: it’s much easier to address threats before they infiltrate your network. Use an AI-based tool to detect targeted attacks, which reproduces the human-centric investigation that would otherwise force enterprises to play catch-up. Such solutions simplify complexity, accelerate detection, and create an organization-wide response to cyberattacks.
• Off-network backups: Having backups on hand is the best defense against the effects of ransomware and wiper viruses. You must keep backups off-network because malware frequently actively looks for device backups on the computer (like Windows Shadow Copy) or the network to delete. You need to have a board-level conversation about risk. That’s what this is really about: with wipers, risk and collateral damage are elevated.
• Network segmentation: Proper segmentation can be beneficial in several ways. For instance, it can restrict an attack’s effects to a certain area of the network. Moreover, firewalls, anti-virus software and intrusion prevention systems can identify communications to well-known command and control servers—harmful files traveling across the network and malware itself.
• Incident response: The success or failure of an attack can greatly depend on the effectiveness and quickness of incident response. How the incident response team handles and reacts to the alert when a compromise is discovered—before wiper malware is installed—could make the difference between successfully preventing data loss and total data destruction.

Keep looking out for danger

Cybercriminals never pass up an opportunity. Threats are always increasing, whether it’s a vulnerability, an attack or a global conflict. Constantly keeping an eye on emerging trends like wiper malware use will help you anticipate what’s coming and prioritize your resources for critical strategies you can implement to improve your cybersecurity posture, ensuring there are no gaps in your defense. This will improve your business’s ability to function even in the case of an unanticipated attack.

Learn more about latest cyber threat trends in the semiannual Global Threat Landscape Report from FortiGuard Labs.