Wiper malware deployments are rising in 2022, a trend that reveals a disturbing evolution of more destructive and sophisticated attacks. The term “wiper” refers to the malware’s most fundamental operation, which is to wipe (erase) the victim’s computer’s data (disk data, operating system, or even firmware) . Wiper malware is more broadly referred to as malicious software that seeks to delete data.


These are heavy-hitting attacks in terms of the damage they can cause, which is why staying on top of such developments is vital. With the right know-how and the right tools, security teams can ensure they’re bolstered for this battle. 


Wiper malware on the rise, fueled by the Russian-Ukraine war


Threat actors have used disk-wiping malware to target vital infrastructure much more frequently as a result of the war in Ukraine. In the first half of 2022, FortiGuard Labs identified at least seven significant new wiper variants that were being deployed in several campaigns against governmental, military and commercial institutions. The fact that this figure is so close to the total number of wiper variants that have been discovered since 2012 makes it relevant and worrisome.


Many in the security community believe organizations supporting Russian military objectives were behind many of the wiper assaults in Ukraine during the first half of 2022, though they haven’t always been able to validate this with certainty. CaddyWiper is one example, a variation that was used shortly after the war started to erase data and partition information from drives on systems belonging to a small number of Ukrainian organizations.


Additional wiper iterations include IsaacWiper, a malware tool for overwriting data in disk drives and attached storage to render them unusable; WhisperGate, a wiper that Microsoft found was being used in attacks against Ukrainian entities in January 2022; and HermeticWiper, a tool for inducing boot failures that SentinelLabs discovered being used in similar attacks. WhisperKill, DoubleZero and AcidRain were the other three wipers that we saw in the first half of 2022 aimed at Ukrainian businesses and infrastructure.


The implications of wiper malware


It was surprising to see the number of such attacks that also spread to other nations, as has happened in the past when there has been violence in the region. Since the conflict started in February 2022, we have found more wiper malware abroad than within Ukraine. During the first half of this year, wiper activity was discovered in 24 nations besides Ukraine.


AcidRain is one such instance a wiper that was intended to target a Ukrainian satellite broadband service provider but also wound up being used in an attack that took about 6,000 wind turbines in Germany offline. Attacks like these show the ability to cross boundaries, whether they be geographical or IT/OT-related.


The unexpected surge in wiper malware is problematic for IT security teams. Although there haven’t been many detections so far, the malware’s characteristics and how threat actors deploy it makes this category especially dangerous, so security teams must be on the lookout for it.


Four best practices to combat the threat 


Organizations can and should employ a number of best practices to lessen the effects of wiper malware:


·        Segmentation: Effective network segmentation is helpful in several ways. For instance, it can restrict an attack’s effects to a certain area of the network. Additionally, firewalls can identify communications to known command and control servers, the movement of harmful files throughout the network, and the spread of malware when used in conjunction with anti-virus and intrusion prevention systems.

·        Backup: Having backups available is the best defense against ransomware and wiper viruses. Malware frequently actively hunts for backups on the system or on the network (for example, Windows Shadow Copy) so it can wipe them. To withstand sophisticated attacks, backups must be kept offline and off-site. While discussing backups, it is necessary to note that their existence is crucial, but so is a thorough recovery process. Additionally, to reduce downtime, the IT team must periodically practice recovery from backup. 

·        NDR: To minimize the impact of wiper attacks, network detection and response (NDR) with self-learning artificial intelligence (AI) is helpful to better detect intrusions.

·        Incident Response and Pen Testing Drills: The effectiveness of the incident response, both in terms of speed and quality, can have a significant impact on how the attack turns out. How the incident response team handles and reacts to the attack could make the difference between successfully preventing data loss and total data erasure in case penetration is discovered before wiper malware is deployed. One should conduct regular exercises to understand the capabilities of responding to these incidents. How quickly can teams recover? Are there any pain points? 

·        Disaster recovery plan: How well is the organization prepared for what happens after a wiper is deployed in the network? What procedures have been established for business continuity without IT? How will the organization restore data from backups and tell customers and the public about the incident? All of these tactics need to be determined before an attack. A disaster recovery plan, which will be useful under the tremendous pressure of an active compromise, should specify all of this and more.


Fighting crime without borders


We saw a surge of wipers being deployed in the first half of 2022 in parallel with the Russia-Ukraine war. But those wipers aren’t staying in one place. They’re proliferating around the world because there are truly no borders when it comes to cybercriminal activity. That means you need to stay updated with ongoing threat intelligence and follow best practices such as those outlined above. These will help prevent the disaster of a wiped hard drive.