Wiper Malware: The Nastiest Cyberthreat in Town
Bad actors have many types of malware available in their cybercrime tool kit, with new strains added every day. An estimated 300,000 new pieces of malware are trafficked on the dark web every day. Malware-as-a-Service (MaaS) and its offshoot Ransomware-as-a-Service (RaaS) are business models that make it easy for bad actors to buy or rent all types of malware for conducting cybercrime, and that includes some pretty nasty strains. Wiper malware is a dangerous and devastating type of malware that bad actors employ to damage businesses, institutions, utility companies, military targets and other major objectives.
What is a wiper attack, and why is it lethal?
Wiper malware is savage and absolute. Once wiper malware is introduced into a company’s environment, it spreads rapidly and deletes everything in its path, completely wiping out the data it touches. The most straightforward way to wipe data from a system is to overwrite the data at a specific physical location with other data. This process is arduous for cybercriminals, as they have to write several gigabytes or terabytes of data, but it is devastatingly effective. Generally, wiper malware damages two specific parts of a company’s environment on its path to erasing data.
- The first is the Master Boot Record (MBR), which identifies the operating system’s location during the boot process. If the cybercriminals succeed in destroying the MBR, the boot process fails, making the files inaccessible unless forensic methods are used. On its own, this strike does not cause data loss, but it sows chaos, making it hard to mount a fast incident response and limit the damage.
- The next is the Master File Table (MFT), which exists only on NTFS file systems and records each file’s physical location on the drive, its logical and physical size, and other related metadata. Large files often cannot occupy consecutive blocks on the drive, so they are stored as fragments, and the MFT records where each fragment sits. If the cybercriminals destroy your MFT, system administrators can still recover small files using forensic tools, but recovering large files is practically impossible because the link between the fragments is lost.
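The MBR damage described above is straightforward to check for from a forensic image or a baseline copy of sector 0. The following script is an added example, not code from the original article: it parses the 512-byte MBR layout (boot code, four 16-byte partition entries, the 0x55AA signature), flags the signs of a wipe (missing signature, empty partition table, zeroed boot code) and compares the sector against a previously recorded hash. The sample MBR it analyzes is constructed in memory, so it never touches a real disk.

```python
"""Inspect a 512-byte Master Boot Record for signs of wiper damage.

Added example, not code from the original article. It builds a sample MBR
in memory (constructed data), so it never reads or writes a real disk.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16             # four entries, 64 bytes in total
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FORMAT = "<B3xB3xII"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def analyze_mbr(mbr: bytes) -> dict:
    """Return the MBR hash, its in-use partitions and a list of damage findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    table = mbr[PARTITION_TABLE_OFFSET:510]
    entries = [parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
               for i in range(0, 4 * PARTITION_ENTRY_SIZE, PARTITION_ENTRY_SIZE)]
    in_use = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    if not in_use:
        findings.append("partition table empty")
    boot_code = mbr[:PARTITION_TABLE_OFFSET]
    if boot_code == bytes(len(boot_code)):
        findings.append("boot code zeroed")
    return {"sha256": hashlib.sha256(mbr).hexdigest(),
            "partitions": in_use, "findings": findings}


def mbr_changed(mbr: bytes, baseline_sha256: str) -> bool:
    """True if the sector no longer matches the hash recorded at baseline time."""
    return hashlib.sha256(mbr).hexdigest() != baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: placeholder boot code and one bootable NTFS partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0"            # a few plausible x86 opening bytes
    boot_code += bytes(PARTITION_TABLE_OFFSET - len(boot_code))
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)   # type 0x07 = NTFS
    table = ntfs + bytes(3 * PARTITION_ENTRY_SIZE)              # three unused entries
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = analyze_mbr(healthy)
    print("healthy:", baseline["findings"] or "no findings")
    # A sector full of zeros stands in for what a wiper leaves behind (constructed).
    damaged = bytes(MBR_SIZE)
    report = analyze_mbr(damaged)
    print("damaged:", report["findings"],
          "changed since baseline:", mbr_changed(damaged, baseline["sha256"]))
```

Recording the MBR hash of each host at build time and re-checking it from a forensic image is what turns this from a one-off parser into a detection: a partition table that parses cleanly but no longer matches its baseline is as significant as one that is zeroed.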
Wiper malware is a scorched-earth tactic
In the age of cyber warfare, wiper malware is a tool that nation-state-aligned bad actors regularly employ. In early 2022, a joint Cybersecurity Advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) called attention to wiper malware attacks being used by pro-Russia operatives in the conflict between Russia and Ukraine. The advisory provided information on WhisperGate and HermeticWiper malware, strains that were being deployed with the intent to cripple Ukrainian entities, mainly financial institutions and government organizations.
Nation-state-aligned bad actors can also use wiper malware to disrupt large events. In 2018, a strain of wiper malware called Olympic Destroyer was deployed with the aim of disrupting the Winter Olympics hosted by South Korea that year. Non-nation-state threat actors with other objectives use wiper malware too. Some cybercriminals might use wiper malware to destroy data such as evidence in court cases or research findings. Sometimes wiper malware is also used in sabotage operations against businesses. However, wiper malware isn’t as commonly used by your average cybercriminal against commercial targets because it destroys data that could otherwise be sold or ransomed for a profit.
Nation-state threat actors employ wiper malware
The legendary NotPetya malware that rocked the world in 2017 is a great example of the complex nature of wiper malware. On the surface, NotPetya delivered all of the expected hallmarks of a ransomware attack, including a screen prompting the victim to contact the cybercriminals and pay a ransom. But paying wouldn’t have helped the victim: while all of this was going on, NotPetya was wiping out data. NotPetya is believed to have been developed and used by Russian nation-state threat actors. Since the ongoing conflict with Ukraine kicked off, Russian cyber groups have used at least seven types of wiper malware to cripple several critical Ukrainian organizations, including these examples:
- AcidRain: The most recent wiper, AcidRain was part of a significant supply chain attack aimed at crippling Viasat’s satellite internet service. In its official statement, Viasat confirmed a wiper attack against its KA-SAT network, which overwrote critical data in the modems’ internal memory, rendering tens of thousands of modems across Europe inoperable. The severity of the attack was such that it even impacted modem service in France and Italy and paralyzed wind turbines in Germany, according to several published reports.
- WhisperGate: Deceptively designed to look like ransomware, WhisperGate is a wiper that attacked the MBR of 22 Ukrainian government agency websites. Because the cybercriminals attacked the MBR of these agencies’ systems, the machines could not boot after being powered down. When booted up, the systems displayed a ransom note asking the affected agencies to pay to recover the data. However, the cybercriminals never intended to give back the data, as WhisperGate destroys data rather than encrypting it.
- CaddyWiper: Third on the list in a barrage of data-wiping cyberattacks, CaddyWiper destroyed user data and partition information from attached drives on several dozen systems in a number of government organizations.
- HermeticWiper: The HermeticWiper attack came just hours after a series of DDoS attacks that knocked down hundreds of Ukrainian systems. It disabled the Volume Shadow Copy Service (VSS) and removed itself from the disk by overwriting its own file with random bytes. HermeticWiper also fragmented drives, making data recovery complicated, since files were scattered throughout the drive in small parts with no record of where each piece was located.
- IsaacWiper: A less sophisticated wiper than its counterparts, IsaacWiper identified all the physical drives not containing the operating system and locked their logical partitions so that only a single thread could access each. It then wrote random data to the drives in chunks of 64 KB to erase the existing data.
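Several of the behaviours in this list show up in endpoint telemetry before the data is gone: shadow copies being removed (HermeticWiper disabling VSS), a process opening a physical drive for raw writing (IsaacWiper and HermeticWiper overwriting disks directly), and a binary deleting its own file. The script below is an added example, not code from the original article or from any vendor: it scores each host in a small set of constructed log lines against those three indicators and raises an alert when a host shows two or more. The pipe-delimited log format, the host names and the process names are invented for illustration; in practice the predicates map onto the equivalent EDR or Sysmon fields.

```python
"""Score constructed endpoint telemetry for the wiper behaviours listed above.

Added example, not code from the original article. The log format, hosts and
process names are invented; map the predicates onto your own EDR/Sysmon fields.
"""
from collections import defaultdict

# Constructed sample telemetry: timestamp|host|event|process|detail
SAMPLE_LOG = r"""
2024-03-01T10:00:01|ws01|ProcessCreate|vssadmin.exe|vssadmin delete shadows /all /quiet
2024-03-01T10:00:02|ws01|ServiceStop|services.exe|VSS
2024-03-01T10:00:03|ws01|RawDeviceOpen|svc_update.exe|\\.\PhysicalDrive0 GENERIC_WRITE
2024-03-01T10:00:04|ws01|FileDelete|svc_update.exe|C:\Users\Public\svc_update.exe
2024-03-01T10:00:05|ws02|ProcessCreate|vssadmin.exe|vssadmin list shadows
2024-03-01T10:00:06|ws02|RawDeviceOpen|defrag.exe|\\.\PhysicalDrive0 GENERIC_READ
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited telemetry line into named fields."""
    ts, host, event, process, detail = line.split("|", 4)
    return {"ts": ts, "host": host, "event": event,
            "process": process, "detail": detail}


def is_shadow_copy_removal(e: dict) -> bool:
    """Shadow copies deleted or the VSS service stopped (HermeticWiper behaviour)."""
    d = e["detail"].lower()
    deleted = (e["event"] == "ProcessCreate"
               and e["process"].lower() == "vssadmin.exe"
               and "delete shadows" in d)
    stopped = e["event"] == "ServiceStop" and d == "vss"
    return deleted or stopped


def is_raw_disk_write(e: dict) -> bool:
    """A physical drive opened with write access, bypassing the file system."""
    d = e["detail"].lower()
    return (e["event"] == "RawDeviceOpen"
            and d.startswith(r"\\.\physicaldrive")
            and "write" in d)


def is_self_deletion(e: dict) -> bool:
    """A process deleting the image file it is running from."""
    deleted_name = e["detail"].rsplit("\\", 1)[-1].lower()
    return e["event"] == "FileDelete" and deleted_name == e["process"].lower()


INDICATORS = {
    "shadow_copies_removed": is_shadow_copy_removal,
    "raw_disk_write_handle": is_raw_disk_write,
    "self_deletion": is_self_deletion,
}


def score_hosts(log_text: str, threshold: int = 2) -> dict:
    """Return, per host with at least one hit, the distinct indicators seen and an alert flag."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        for name, predicate in INDICATORS.items():
            if predicate(event):
                hits[event["host"]].add(name)
    return {host: {"indicators": sorted(names), "alert": len(names) >= threshold}
            for host, names in hits.items()}


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_LOG).items():
        print(host, "ALERT" if result["alert"] else "watch", result["indicators"])
```

Requiring two distinct indicators keeps the rule quiet on hosts like ws02, where a backup job lists shadow copies and a defragmenter opens the drive read-only; a single raw-write handle from an unfamiliar binary is still worth a hunt, but the combination of shadow-copy removal, raw disk writes and self-deletion on one host in a short span is the point at which to isolate it rather than investigate at leisure.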
Put a powerful guardian between businesses and malware
Just because wiper malware attacks are commonly used by state-aligned bad actors, that doesn’t mean that businesses are safe. In fact, an estimated 90% of Advanced Persistent Threat (APT) groups regularly attack organizations outside of the government and critical infrastructure sectors. Organizations should prepare for the worst before a wiper attack erases their critical data and files. The most likely way for an organization to encounter malware is through a malicious email message. With the growing volume of email in business conversations, cybercriminals primarily target organizations’ email channels to launch sophisticated malware-laden phishing attacks. In fact, 80% of reported security incidents are phishing-related, which highlights the importance of robust email security.
Graphus is the world’s first AI-driven email security solution that stands tall amid today’s never-ending barrage of cyberattacks, automatically protecting organizations from falling into the traps of cybercriminals. Graphus automatically monitors communication patterns between people, devices and networks to reveal untrustworthy emails, making it a simple, powerful and cost-effective automated phishing defense solution for companies of all sizes.
What can Graphus do for you?
- Block 99.9% of sophisticated phishing messages before they reach an employee inbox.
- Put 3 layers of protection between employees and dangerous email messages.
- Save tech time and money by requiring minimal supervision with no need for threat intelligence uploads or fussy configurations.
- Get to work in minutes, seamlessly deploying to Microsoft 365 and Google Workspace via API without big downloads or lengthy installs.
- Provide intuitive administration and precise reporting to help you gain insights into the effectiveness of your security, level of risks, attack types and more.