What is Wiper Malware?

A wiper is malware that deletes files and data or destroys an organization’s access to them. This type of malware is commonly used as a tool for destruction and disruption since the loss of critical information could make it impossible for an organization to maintain business operations or carry out certain actions.


The Surge in the Use of Wipers in 2022

Historically, wipers were not a frequently used type of malware because they don’t provide an opportunity for an attacker to make a profit. Their main purpose is to cause disruption and destruction, making them a more common tool for nation-state actors and hacktivists.

In 2022, the use of wipers surged dramatically. During the Russian invasion of Ukraine, numerous wipers were used to disrupt the Ukrainian government, critical infrastructure, and businesses. Over the course of the year, at least nine wipers were deployed against the country.

These attacks demonstrate the increased usage of destructive malware as a tool for cyberwarfare. In the past, Ukraine has suffered multiple attacks against its critical infrastructure by the Industroyer malware. However, the eve of the Russian invasion showed a dramatic uptick with three new malware variants — HermeticWiper, HermeticWizard, and HermeticRansom — deployed within a single day.

How Does a Wiper Work?

A wiper’s purpose is to render data inaccessible and unusable. However, unlike ransomware, the intent is not to restore access after a ransom has been paid. A wiper destroys data permanently, and this can be accomplished in a couple of ways: the contents of the files can be encrypted or overwritten, or the attacker can render them impossible to access by attacking the operating system itself.

The Reasons for Using Wipers

Wipers don’t make attackers money, which is the most common motive for cyberattacks. Some of the reasons why an attacker may choose to use the destructive power of a wiper include:

  • Sabotage: If a wiper destroys vital data or corrupts important software, an organization may be unable to continue business operations.
  • Destruction of Evidence: Wipers may be used to destroy evidence of a cyberattack, espionage, or other activities by the attacker that they do not wish to become known.
  • Cyberwar: Multiple wiper variants have been deployed against Ukrainian organizations during its conflict with Russia, demonstrating that this type of malware is increasingly used as a tool for disruption during wartime.

Wiper Techniques

Wipers are designed to destroy data in a few different ways, including the following:

  • Overwriting Files: One of the most common methods of wiping files is to overwrite them with other data. For example, a file’s contents may be replaced with NULL (0x00) bytes or a random assortment of 1s and 0s.
  • Encrypting Files: Wipers can imitate ransomware by encrypting files and destroying the original versions. However, wipers will destroy the decryption key, making it infeasible to decrypt the data and retrieve the contents even if the victim pays the ransom.
  • MBR Corruption: The Master Boot Record (MBR) tells the computer how to boot, so corrupting or overwriting it renders a system unbootable. However, all of the computer’s files remain on the disk and can be recovered after the initial disruption.
  • MFT Corruption: The Master File Table (MFT) is an index of where every file on the computer is stored on the disk. Like the MBR, corrupting the MFT renders files inaccessible, but they can still be recovered if they remain on the disk.
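
The overwrite, encryption and MBR techniques above leave recognizable traces that a responder can check for during triage. The following is an added example, not code from the original page or from Check Point: it labels file content as single-byte fill (such as NULL bytes) or high-entropy (random overwrite or encryption), and checks whether a 512-byte boot sector still ends in the standard 0x55 0xAA signature. The function names, the 7.5 bits-per-byte threshold and all sample data are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR sector


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_content(data: bytes, entropy_threshold: float = 7.5) -> str:
    """Label a sample by the overwrite pattern it resembles (threshold is an assumption)."""
    if not data:
        return "empty"
    if len(set(data)) == 1:
        return "single-byte-fill"  # e.g. all 0x00, the NULL overwrite case
    if shannon_entropy(data) >= entropy_threshold:
        return "high-entropy"      # consistent with random overwrite or encryption
    return "normal"


def mbr_looks_valid(sector: bytes) -> bool:
    """A usable MBR is 512 bytes, ends in 0x55 0xAA and is not blank before that."""
    return (len(sector) == SECTOR_SIZE
            and sector[510:] == BOOT_SIGNATURE
            and any(sector[:510]))


def triage(samples: dict) -> dict:
    """Map each name to its label; alert on a sudden spike of non-'normal' results."""
    return {name: classify_content(data) for name, data in samples.items()}


# Constructed sample data, not taken from any real incident.
SAMPLES = {
    "notes.txt": b"Quarterly revenue summary for the finance team.\n" * 40,
    "zeroed.log": b"\x00" * 4096,
    "scrambled.csv": os.urandom(4096),
}
GOOD_MBR = b"\xeb\x3c\x90" + b"\x00" * 507 + BOOT_SIGNATURE  # constructed
WIPED_MBR = b"\x00" * SECTOR_SIZE                            # constructed

if __name__ == "__main__":
    print(triage(SAMPLES), mbr_looks_valid(GOOD_MBR), mbr_looks_valid(WIPED_MBR))
```

Compressed and legitimately encrypted formats also score as high-entropy, so this label is a signal to compare against the expected file type or a known-good baseline rather than proof of wiping on its own.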

How to Protect Against Wipers

Organizations can take various steps to protect themselves against the data loss caused by wipers. Some best practices include the following:

  • Data Backups: Wipers are designed to destroy an organization’s data, causing disruption. If the organization has another copy, then the long-term impacts of the attack are minimized because the data can be restored from backups.
  • Employee Training: Wipers and other types of malware are often delivered via phishing attacks. Cyberawareness training can help employees to identify and respond appropriately to attempted wiper infections.
  • Email Security: Email is one of the most common delivery vectors for phishing content. Email security solutions can identify and block messages that contain malicious attachments or links to sites that deliver malware.
  • Patch Management: Wipers may also gain access to corporate systems by taking advantage of unpatched vulnerabilities. Promptly installing updates and patches can help to close these gaps before they can be exploited by an attacker.
  • Account Security: Cybercriminals may also use compromised credentials to remotely access employees’ accounts and plant malware directly. Implementing multi-factor authentication (MFA) and zero trust security principles can reduce the risk of a successful attack.
  • Endpoint Security: Malware such as wipers can be detected and prevented by endpoint security solutions. Additionally, these solutions may be able to assist in mitigating and remediating an active infection.

Wiper Malware Detection and Prevention with Check Point

The first step to protecting your organization against malware and other cyber threats is understanding the current threat landscape. To learn more about modern wipers and other major cybersecurity challenges of 2023, check out Check Point’s 2023 Cyber Security Report.

Check Point Harmony Endpoint provides robust protection against wipers and other malware threats. Learn more about its capabilities by signing up for a free demo today.
