Understanding cyber threat landscape illustrating wiper malware behavior.
(Reading time: 5 - 9 minutes)
fab fa-facebook-f

Ransomware attacks are known to cause severe financial damage by denying access to important data. They’re rightly considered one of the most devastating varieties of cyberattack. With ransomware, there is at least the possibility of retrieving compromised files, but that’s never the case with wiper malware.

Wipers are a class of malware used for purely offensive purposes, often by government or other politically motivated threat actors. As their name suggests, they completely wipe out and erase files, so they’re no good for stealing data or money. Email malware payload delivery cartoon warnings on computer screen

Deployments of wiper malware rose significantly in 2022, but their history goes back over a decade further. In that time, wiper attacks have evolved to be even more sophisticated and destructive. This article will discuss different types of wiper malware and how your business can prepare for them.

What Is Wiper Malware?

Wiper malware, sometimes referred to as pseudo-ransomware or wiperware, is similar to ransomware in that both attacks involve making files and data inaccessible to the victim. However, unlike ransomware, wiper malware causes permanent loss. Without the possibility of extorting victims for access to their files, wiper malware attacks are not usually motivated by financial gain. It can be used by threat actors to cover their tracks after exfiltrating information from a network, or simply to wreak havoc.

Wiper malware attacks date back to the Middle East in 2012 and later to South Korea in 2013. The first US company to be attacked was Sony Pictures Entertainment in 2014, prompting the FBI to issue an emergency flash alert.

Some infamous examples of wiper malware attacks include:

  • NotPetya, 2017: Used by Russian-backed Sandworm hackers to target Ukrainian organizations and also caused losses for international businesses.
  • AcidRain, 2022: Attacked Viasat's KA-SAT satellite service provider. It caused communication outages in Ukraine, malfunctions in 58,000 German wind turbines, and other business disruptions across Europe.
  • BiBi, Hamsa, Hatef, BFG Agonizer, 2023: Iranian-sponsored groups deployed a new style of recursive file-level wipers to disrupt Israeli and U.S. organizations.
  • Lotus Wiper, 2025: Attacked Venezuelan energy and utility organizations, deleting critical data and disrupting systems.

Most Damaging Malware Incident in History

The financial losses from NotPetya in 2017 were estimated at $10 billion.

There was a surge in wiper deployments in the first half of 2022, coinciding with the start of the Russia-Ukraine war, and again in 2023 following the Gaza war. In these ongoing hostilities, state-aligned hackers are harnessing the destructive power of wiperware to take commercial and government infrastructure offline. With each new cycle of international conflict, threat actors will continue to develop more efficient wipers. Then, when weaponized malware proliferates beyond their original targets, the consequences are truly global.

The Difference Between Wiper Malware and Ransomware

The difference between wiper malware and ransomware is its motive, as they both use the same mechanisms to download and deploy their functionality against hosts. Wiperware is essentially ransomware that masquerades as such when performing a campaign against a specific target. Ransomware often has an element of “customer service” to enable payments and recovery of data. On the other hand, pseudo-ransomware attackers formulate their attacks for maximum data destruction, rather than encrypting as much data as possible while still having access to future decryption.

How To Protect Against Wiper Malware Attacks

Organizations can protect themselves against pseudo-ransomware the same way they can with traditional ransomware - by understanding their attack surface and implementing a strategy that relies upon defense in depth. Just like other modern attacks, wiperware must infiltrate the device, usually through email malware, and exploit and run its own process to wipe the machine. 

The consequences of a successful attack can be extreme. Luckily, there are things you can do to protect your business and customers. Some best practices to keep your business secure include:

  • Implement multi-factor authentication (MFA): MFA is a type of security technology that requires multiple pieces of authentication to confirm a user’s identity for logins and other transactions. MFA works by combining the user’s credentials to confirm the user logging into the account is the owner.
  • Use a malicious link checker: Inspect URLs before delivery to avoid malware payloads.
  • Back up your systems and data: Backing up your systems and data can provide you with a failsafe after an attack and can even help you avoid having to pay a ransom.
  • Segregate networks: both you and your customers should segment networks and systems as much as possible. One example of this is to never use admin credentials across multiple customers or systems.
  • Train staff: provide proper training to avoid opening email attachments or following suspicious links. Encourage effective communication and ensure they know how to respond in the event of an attack.
  • Map your supply chain risks: understand the cybersecurity risks within your supply chain and identify which customers or suppliers are most vulnerable to being compromised.
  • Develop incident response plans: Ensure that you have a comprehensive incident response plan in place, so your organization is prepared to respond quickly if an attacker successfully compromises your systems or application. Regular cybersecurity audits help validate response plans and identify gaps before an incident. 
  • Email Security Protection: The vast majority of all cyber threats originate with an email. To secure your email, use multi-layered protection accompanied by expert, ongoing system monitoring, maintenance, and support. Dynamic, AI-driven email security platforms can analyze file behavior in real-time to keep cyberattacks from exploiting vulnerabilities.
  • Regularly patch software: Maintain good cyber hygiene by updating software. This habit keeps vulnerabilities from becoming exploits.

The Cost of An Attack

Wiper malware is one of the most damaging attacks that hackers employ on an organization’s IT systems, and leads to massive losses of valuable data and information. Attacks on IT systems could cause even greater damage if industrial systems and equipment are disrupted. This would include transportation systems or energy grids that could endanger lives. Ransomware financial losses

Some types of wiper malware are designed with the ability to worm through a compromised network by spreading copies of itself onto every connected device without requiring human interaction. These variants are particularly difficult to contain, so endpoint security is necessary to prevent a rapid wiperware infection.

An example of this can be seen in the NotPetya attack back in 2017, after researchers noticed wiper malware infiltrating the networks of Ukrainian organizations. NotPetya had masqueraded as ransomware by demanding “ransom” fees from users. It was able to worm across different systems due to a vulnerability in the Windows system, so NotPetya was able to spread outside of its original targets and eventually crippled some of the largest corporations worldwide.

There are two main mechanisms that wiper malware employs:

  • Overwriting system components, such as the Master Boot Record (MBR) or the Master File Table (MFT). The MBR is used during the boot process to identify where the Operating System is stored on the disk. By replacing the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used. The MFT is exclusive to NTFS file systems and contains the physical location of files in the drive as well as logical and physical size and any associated metadata. If big files need to be stored on the drive and cannot use consecutive blocks, these files will have to be fragmented on the disk. The MFT holds the information about where each fragment is stored. Removing the MFT will essentially prevent the recovery of fragmented files, as the link between fragments is lost.
  • Overwriting or encrypting files, along with any backups found on the computer, to permanently delete the victim’s data and information. 

Malicious actors will typically combine these two approaches to cause the most damage in the shortest time possible.

Wiper Malware FAQ

Wiper malware is built to destroy data, not hold it for payment. That changes the response. Evidence disappears faster, and if containment doesn't kick in immediately, all operating files could be lost. Review these questions so you know what to do.

What are the most common signs of wiper malware?

The signs usually look like sudden failure. Systems will not boot. Files vanish or become unreadable. Drives throw errors. Logs disappear. Users may report that folders were normal minutes ago and then everything stopped working.

How does wiper malware spread across an entire network?

It spreads by abusing admin tools and finding shared systems. Access may come from phishing, stolen credentials, exposed remote access, a compromised vendor, or an unpatched system. If wiper malware gets that access, the damage can quickly jump from one machine to another. Importantly, backup files are not safe unless they are offline, immutable, and regularly tested.

Does antivirus software stop wiper malware?

Antivirus can stop known malware variants, but it can’t be relied on alone. New wiper malware variants are always emerging. The other problem is that many attacks don’t look like a normal malware file. Stolen credentials, legitimate Windows tools, or living-off-the-land activity can bypass antivirus defenses. At this point, behavioral monitoring with endpoint security and EDR is more likely to catch the attack.

What should a company do first after a wiper attack?

Isolate affected systems immediately. Disconnect compromised machines from the network to stop shared access before the malware reaches more systems. After that, analyze the damage. Do not rush into rebuilding until the team understands how the attacker got in.

How can employees help prevent wiper malware attacks?

Employees can stop wiper malware attacks with awareness and quick reporting. One phishing email reported early can give the security team enough time to block the message, isolate affected accounts, or cut off the attack before the destructive phase begins. 

Keep Learning About Wiper Malware

Wiper malware is not built for recovery. It is built to break systems, erase data, and leave the victim rebuilding from whatever still exists. As newer variants appear in conflicts and targeted attacks, organizations need to treat destructive malware as a real operational risk, not a rare edge case.

Start with the entry points. Phishing, malicious links, exposed accounts, weak filtering. Strong, multilayered email security reduces the chances that the first message ever reaches the user. Planning, training, and technical solutions all play a role in minimizing access. URL defense adds another layer by inspecting links before they send someone to a credential page, exploit site, or malware download. After that, keep learning. The tactics keep changing, so follow our newsletter for the latest updates on how to stay safe online.

Phishing Is Evolving

Are Your Current Email Defenses Falling Behind?
Get the Guide
Image

Microsoft 365
Email Security:

Ineffective Built-In Protection.
Learn how to close the gaps.
Get the Guide
Image

Subscribe to our Behind the Shield Newsletter

For all the best internet best security trends, email threats and open source security news.

Subscribe to our Behind the Shield Newsletter