Wiper Malware is Today’s Biggest Risk to Data

The cybersecurity landscape is rife with ransomware attacks, and the news is full of stories about organizations falling prey to ransomware gangs daily. Businesses must shell out millions of dollars in ransom money to regain their data when that happens. However, cybercriminals have a more devastating weapon in their arsenal that doesn’t tend to get as much press as ransomware: wiper malware. This awful attack goes beyond ransomware by entirely and thoroughly erasing the victim’s data in its wake, making it a nightmare for companies to recover. But there are preventative measures that businesses and MSPs can take to mitigate their disaster risk.

• Why wiper malware is an existential threat for organizations:

As the name implies, wiper malware’s prime objective is to erase the victim machine’s hard disk and destroy all the data irreversibly. The malware attacks the physical location where the data is stored and deletes it permanently from the systems it traverses. Once this data assassin enters an organization’s environment, it spreads throughout the network quickly and deletes everything in its path, completely wiping out the data and making it unrecoverable. Many cybercriminal gangs use wipers to cover up their traces after an intrusion, weakening their victim’s ability to respond.

Wiper malware leverage many of the typical Tactics, Techniques, and Procedures (TTP) that common ransomware uses, but there is no possibility of recovering the files. Think of them as ransomware attacks without any decryption keys. Wiper malware first gained notoriety in 2012, when Saudi Arabia’s Saudi Aramco and Qatar’s RasGas oil companies were attacked using the Shamoon family of wipers.

Although wipers are sometimes used by bad actors across all sectors, nation-state threat actors have particularly liked this malware. They attack the critical infrastructure of rival nations with wiper malware for a quick, vicious blow that can cause widespread disruption to the victim country’s infrastructure or operations. The Russia-Ukraine war gave rise to a new round of wiper malware attacks in 2022, as several versions of wipers were used to disrupt the critical infrastructure of Ukrainian systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an advisory to businesses and government agencies advising vigilance against new strains of wiper malware that emerged during that conflict.

• How do wipers destroy data?

The most straightforward way to wipe out data from a system is to overwrite the data in a specific physical location with other data. This process is arduous for cybercriminals as they have to write several gigabytes or terabytes of data, which is highly time-consuming and can open them up to detection. But wiper malware dramatically speeds up that process by destroying two particular files in the system and then erasing the data in minutes.

The first file that gets annihilated in a wiper malware attack is the Master Boot Record (MBR), which identifies the operating system’s location during the boot process. If the cybercriminals succeed in destroying the MBR, the boot process crashes, making the files inaccessible unless forensic methodologies are used, and sometimes that won’t even work.

The next to go is the Master File Table (MFT), which exists in every NTFS file system, containing the physical location of files in the drive, their logical and physical size, and other related metadata. As many big files cannot use consecutive blocks in the hard drive, they are fragmented to accommodate the storage of large files. The MFT comes in handy here, as it stores the information of where each fragment is present in the drive. If the cybercriminals get hold of your MFT, you can still access your small files using forensic tools but accessing large files is practically impossible since the link between fragments is lost. This is a critical step in making data unrecoverable.

• A timeline of wiper malware:

There have been many strains of wiper malware in action since 2012, including these varieties:

• Shamoon: First reported wiper that attacked Saudi Aramco and Qatar’s RasGas oil companies in 2012.
• Dark Seoul: Reported in 2013, this malware attacked South Korean media and financial companies.
• Shamoon: The same wiper returned in 2016 to attack Saud Arabian organizations again.
• NotPetya, 2017: One of the most devastating wipers due to its self-propagation capability, Notpetya was launched by Russian-back cybercriminal gangs that targeted Ukrainian organizations.

• Some preventive measures against wiper malware:

A wiper attack is tricky to detect and contain. Unlike common malware attacks that come with hallmark signs of their presence, wipers erase all traces of their existence once they have wiped the data. This makes it difficult for cybersecurity teams to respond to these attacks and prevent them from spreading. Therefore, all organizations must implement robust, multi-layered security measures to defend against wiper malware.

Here are some of the solutions and preventative measures that can help:

1. Managed SOC: A team of experts with the latest weapons, like a ransomware detection tool on guard 24/7/365, is a tremendous asset against cyber threats like wiper malware. However, setting up a security operations center and staffing it is expensive. A managed SOC puts all the benefits to work for a business without the onerous set-up and payroll cost, bringing that type of powerful protection within reach for any MSP or business.
2. Malware protection solution: cybercriminals use many different malware and techniques to bypass an organization’s defense. Malware protection solutions keep track of malware and attack procedures and update themselves to thwart threat actors’ attempts.
3. Security awareness training: Informed end-users are the biggest and best bulwark against most cyber threats. With regular security awareness training, most employees can identify odd attachments, phishing attempts, and other anomalies, preventing many dangerous cyberattacks like ransomware and malware from breaching an organization’s defense.
4. Disaster recovery plan: A good disaster recovery plan reduces an attack’s impact and helps organizations return to their feet faster. With regular backups, recovery time and data loss are minimized.
5. Regular software updates: Unpatched software is one of the most significant security vulnerabilities. Software patches provide necessary protection against all the latest vulnerabilities and play a key role in preventing attackers from leveraging these applications for system access.

Source: ID Agent