Russian cyberattackers likely infiltrated Ukrainian critical systems through a series of cyberattacks, according to U.S. intelligence.
According to Microsoft Threat Intelligence Center, these cyberattacks began on January 13 and leveraged malware with a Master Boot Record (MBR) wiper, which destroys the data in the first sector of a hard disk and its associated files. Although this isn’t a common tactic for most ransomware operators, we’ve seen it before in campaigns such as NotPetya and Flame.
As tensions flare between Russia and Ukraine, the term wiperware or pseudo ransomware may pop up. Let’s break down what this means.
What is Wiperware/Pseudo Ransomware, and How Does It Work?
The goal of pseudo ransomware, also referred to as wiperware, is to destroy the victim’s systems rather than offer the opportunity to decrypt them. This form of cyberattack is often geopolitical in nature and differs from the majority of today’s financially motivated ransomware actors that use tactics like double extortion to obtain ransom.
When the attacker is wiping a machine, there is only one goal in mind: to make it as difficult as possible to recover data from the infected machines. The attackers must not only ensure that they can erase data from all useful drives but do so while their own attack persists on the host until completion.
In the case of the recent cyberattacks on Ukraine, the attackers maintained an open ping until they deleted all potentially useful files on the host with a final clean-up step. The messages presented by wiperware tend to act as delaying mechanisms for recovery investigations as the impact is determined.
In the 2017 NotPetya attack, the message indicated a method of communication via email, like this new variant that uses peer-to-peer Tox. The most significant change since NotPetya has been the masquerade as ransomware, which slows down an investigation to determine if data can be recovered when it is actually deleted.
In both situations, recovery is not generally possible. While this data may be recoverable by an incident response team on a case-by-case basis, it would require significant effort and cost per machine to do so.
What’s the Difference Between Pseudo Ransomware and Ransomware?
The major difference between pseudo ransomware and traditional ransomware is its motive. Wiperware is only ransomware in that it masquerades as such when performing a campaign against a specific target. Ransomware and pseudo ransomware do use the same mechanisms to download and deploy their functionality against the impacted hosts, such as PowerShell, wscript, and registry modifications.
Ransomware, especially ransomware-as-a-service, often has a component of “customer service” to allow for bounty payment and recovery of data and must be built to allow this behavior by the victim. Pseudo ransomware attackers, on the other hand, must craft their attacks in a way that allows for maximum success in data destruction, rather than trying to encrypt as much as possible while still allowing access for future decryption.
Wiperware Campaigns In the Wild
Generally, wipers are only used in specific and targeted campaigns. One of the earliest publicly known attacks was against Iranian oil companies and other targets in the Middle East in 2012, which was attributed to the now-infamous Equation Group. Equation Group was hacked in 2016, which resulted in the WannaCry ransomware and NotPetya wiperware attack through the EternalBlue exploit. There were multiple uses of wipers in attacks against Saudi Arabian targets in 2012 and 2016 using Rawdisk, a commercially available tool, which North Korea’s Lazarus Group also used in attacks against South Korea and Sony to release the movie The Interview.
The main reason that these pseudo ransomware/wiper attacks are not generally publicized is because they are largely geopolitical in focus. These are governments attempting to impact infrastructure or nationalized institutions within another entity that is identified as the target. Flame was likely launched by U.S. affiliates in 2012 against Middle East assets, whereas NotPetya and these new attacks appear to be Russian in nature against Ukrainian assets. Like the latest pseudo ransomware campaign, modern wipers appear to be less concerned about existing evidence. In contrast, Flame was quite good at removing all evidence of its impact on the victim’s host.
Hacking against commercial targets that are not nationalized is usually done to extract data or access, which will result in profits for the attacker. This is often done in large campaigns, such as the 2021 Kaseya ransomware attack, where access was leveraged into a wide ransomware attack against a large number of organizations.
How To Protect Yourself Against Wiperware
Just like with traditional ransomware, organizations can protect themselves against pseudo ransomware by understanding their attack surface and reducing exposure with a defense-in-depth strategy. In the end, these attacks are no different from other modern attacks against infrastructure; they must land on the machine, exploit, and run their own processes to perform the desired action — in this case, wiping the machine.
A threat detection and response platform that ties to known attacker techniques such as the MITRE framework is a crucial component of this strategy. In Trellix’s report, there were several techniques that the threat actors used to execute the attack — including malicious PowerShell usage, disabling firewalls and modifying registry settings. Utilizing tools to gain and expand visibility into your environments, such as Sysmon, is paramount when these types of campaigns strike.
Robust EDR software, along with a centralized logging platform such as a security information and event management (SIEM) platform, should detect these behaviors. To prevent damage, it’s especially important to detect the early stages of an attack — discovery, gaining a foothold, and escalating privileges.