Email Security Intelligence - What Is Wiper Malware and Is It Worse Than Ransomware?

Ransomware attacks are considered one of the worst types of cyberattacks because of the severity of the damage they cause. Yet with regular ransomware there is at least, in many cases, the possibility of retrieving the compromised files.

Deployments of wiper malware rose in 2022, revealing the evolution of more destructive and sophisticated attacks. Unfortunately, with wiper malware the sole purpose is to cause destruction and damage, not to steal data or money. This article discusses the differences between the two kinds of attack and how your business can prepare for one.

What Is Wiper Malware?

Wiper malware, sometimes referred to as pseudo ransomware or wiperware, is similar to ransomware in that both attacks make files and data inaccessible to the victim. However, unlike ransomware, wiper malware typically aims for destruction or permanent loss. Wiper malware is usually not motivated by financial gain; experts believe it is mainly used by threat actors to cover their tracks after exfiltrating information from a network, or simply to wreak havoc.

Wiper malware attacks date back to the Middle East in 2012 and to South Korea in 2013; however, it wasn’t until 2014 that several companies were paralyzed by it. The first US company to be attacked was Sony Pictures Entertainment in 2014, one of several malware attacks targeting the country that year, which prompted the FBI to issue an emergency flash alert.

Some infamous examples of wiper malware attacks include:

  • Shamoon, 2012: Used to attack Saudi Aramco and Qatar's RasGas oil companies.
  • Dark Seoul, 2013: Attacked South Korean media and financial companies.
  • Shamoon, 2016: Returned to again attack Saudi Arabian organizations.
  • NotPetya, 2017: Originally targeted Ukrainian organizations, but due to its self-propagation capability, it became the most devastating malware to date.
  • Olympic Destroyer, 2018: Attack targeted against the Winter Olympics in South Korea.
  • Ordinypt/GermanWiper, 2019: Targeted German organizations with phishing emails in German.
  • Dustman, 2019: Iranian state-sponsored threat actors attacked Bapco, Bahrain's national oil company.
  • ZeroCleare, 2020: Attacked energy companies in the Middle East.
  • WhisperKill, 2022: Attacked Ukrainian organizations in the Ukraine-Russia war.
  • WhisperGate, 2022: Attacked Ukrainian organizations in the Ukraine-Russia war.
  • HermeticWiper, 2022: Attacked Ukrainian organizations in the Ukraine-Russia war.
  • IsaacWiper, 2022: Attacked Ukrainian organizations in the Ukraine-Russia war.
  • CaddyWiper, 2022: Attacked Ukrainian organizations in the Ukraine-Russia war.
  • DoubleZero, 2022: Attacked Ukrainian organizations in the Ukraine-Russia war.
  • AcidRain, 2022: Attacked Viasat's KA-SAT satellite service provider.

As shown above, there was a surge of wipers deployed in the first half of 2022 in parallel with the Russia-Ukraine war, whereas statistics had previously shown about one attack per year on average. Experts have found that the wiper malware variants used in the conflict between Russia and Ukraine are likely chosen so that attackers can retain their access inside the targeted organization while still causing disruption.

The Difference Between Wiper Malware and Ransomware And How To Protect Against Attacks

The difference between wiper malware and ransomware is the motive, as both use the same mechanisms to download and deploy their functionality against hosts. Wiperware is essentially malware that masquerades as ransomware when running a campaign against a specific target. Ransomware often has an element of “customer service” to enable payments and recovery of data. Pseudo-ransomware attackers, on the other hand, design their attacks for maximum data destruction, rather than encrypting as much data as possible while retaining the ability to decrypt it later.

Organizations can protect themselves against pseudo-ransomware the same way they can against traditional ransomware: by understanding their attack surface and implementing a strategy that relies on defense in depth. Just like other modern attacks, wiperware must infiltrate the device, exploit it, and run its own process to wipe the machine.

The consequences of a successful attack can be extreme. Luckily there are things you can do to protect your business and customers. Some best practices to keep your business secure include:

  • Implement multi-factor authentication (MFA): MFA is a security technology that requires multiple pieces of authentication to confirm a user’s identity for logins and other transactions. MFA works by combining the user’s credentials with an additional factor to confirm that the person logging into the account is its owner.
  • Back up your systems and data: backing up your systems and data can provide you with a failsafe after an attack and can even help you avoid having to pay a ransom.
  • Segregate networks: both you and your customers should segment networks and systems as much as possible. One example of this is to never use admin credentials across multiple customers or systems.
  • Train staff: properly train staff, encourage effective communication, and ensure they know how to respond in the event of an attack.
  • Develop incident response plans: Ensure that you have a comprehensive incident response plan in place, so your organization is prepared to respond quickly if an attacker successfully compromises your systems or application.
  • Regularly patch software: patching or updating software removes known vulnerabilities that attackers could otherwise exploit.
  • Map your supply chain risks: understand your supply chain risks and identify who among your customers or suppliers could pose a risk.
  • Implement multi-layered email security protection: the vast majority of cyber threats originate with an email. Multi-layered email protection, accompanied by expert, ongoing system monitoring, maintenance, and support, secures email by dynamically analyzing behavior, URLs, and files to keep cyberattacks from exploiting vulnerabilities.

The Cost of An Attack

Wiper malware is one of the most damaging attacks that hackers employ against an organization’s IT systems, and it leads to massive losses of valuable data and information. Attacks on IT systems could cause even greater damage if industrial systems and equipment are disrupted; this includes transportation systems or energy grids, where disruption could endanger lives.

Some types of wiper malware are designed with the ability to worm through a compromised network by spreading copies of itself onto every connected device without requiring human interaction. These variants are particularly dangerous, as they are extremely difficult to contain.

An example of this can be seen in the NotPetya attack of 2017, when researchers noticed wiper malware infiltrating the networks of Ukrainian organizations. NotPetya masqueraded as ransomware by demanding “ransom” fees from users. It was able to worm across different systems due to a vulnerability in the Windows system, so NotPetya spread outside of its original targets and eventually crippled some of the largest corporations worldwide. The White House estimated that the total damages from NotPetya in 2017 reached $10 billion, making it the most financially damaging cyber-attack thus far.

There are two main mechanisms that wiper malware employs:

  • Overwriting system components, such as the Master Boot Record (MBR) or the Master File Table (MFT). The MBR is used during the boot process to identify where the operating system is stored on the disk. By replacing the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used. The MFT is exclusive to NTFS file systems and contains the physical location of each file on the drive as well as its logical and physical size and any associated metadata. If large files must be stored on the drive and cannot use consecutive blocks, they have to be fragmented on the disk, and the MFT holds the information about where each fragment is stored. Removing the MFT essentially prevents the recovery of fragmented files, as the link between fragments is lost.
  • Overwriting or encrypting files, along with any backups found on the computer, to permanently destroy the victim’s data and information.

Many malicious actors combine these two approaches to cause the greatest amount of damage in the shortest amount of time possible.

Russia Uses Wiper Malware In War Against Ukraine

Researchers have noticed a spike in new wiper malware variants since the beginning of the conflict between Russia and Ukraine in February of this year. Ukrainian security officials have identified several types of wiper malware that hackers have used to attack Ukrainian organizations, such as government agencies, banks, and utility companies.

The ongoing surge of attacks has mostly consisted of non-self-propagating wiper malware that appears to target Ukrainian entities specifically, but some of these attacks have spilled over into other countries. An example of this is the attack on US satellite communications provider Viasat’s KA-SAT network this past February, in which tens of thousands of modems were rendered inoperable by the AcidRain wiper malware. Thousands of Viasat’s customers across Ukraine and Europe had their internet connectivity disrupted, and the remote monitoring and control of 5,800 wind turbines in Germany was disrupted as well.

Keep Learning

The increase in new wiper malware variants seen in the Russia-Ukraine conflict represents a potential cyber threat to organizations worldwide. As hackers continue to release more variants of wiper malware, the level of damage they can cause keeps rising.
