Wipers Are Widening: Here’s Why That Matters

In the first half of this year, researchers saw a rising trend of wiper malware being deployed in parallel with the Russia-Ukraine war. However, those wipers haven’t stayed in one place – they’re emerging globally, which underscores the fact that cybercrime knows no borders. 

It’s not just the numbers that are growing; we’re also seeing a rise in variety and sophistication. These wiper varieties are also increasingly targeting critical infrastructure.

Awash with wipers 

The war in Ukraine has undoubtedly fueled a major uptick in the use of wiper malware; FortiGuard Labs research identified at least seven new wiper variants in the first half of 2022 that were used in campaigns targeting government, military and private organizations. That’s almost as many wiper variants as have been publicly detected in total since 2012, when bad actors used the Shamoon wiper to attack a Saudi Arabian oil company.

These variants include the following:

• CaddyWiper: Bad actors used this variant to wipe data and partition information from drives on systems belonging to a select number of Ukrainian organizations shortly after the war began. 

• WhisperGate: Discovered by Microsoft in mid-January, when it was being used to target organizations in Ukraine.

• HermeticWiper: Noted in February by SentinelLabs, this tool for triggering boot failures was also found targeting Ukrainian organizations.

• IsaacWiper: A malware tool for overwriting data in disk drives and attached storage to render them inoperable.

We also observed three other variants targeting Ukrainian companies and organizations: WhisperKill, Double Zero and AcidRain.

Wipers without borders

Wiper activity isn’t limited to Ukraine. We’ve detected more wiper malware outside Ukraine than within the country since the war began in February. We’ve detected wiper activity in 24 countries other than Ukraine. 

For example, AcidRain, which was used to target a Ukrainian satellite broadband service provider, also was used in an attack that knocked several thousand German wind turbines offline in March. What does this signify? It shows that attacks like these can jump boundaries – whether those borders are between countries or between IT and OT.

Enterprise security teams need to prepare themselves. While the number of detections has been lower so far than for other types of cyberattacks, the very nature of wipers and how they’re used makes them very dangerous. Bad actors use wiper malware for everything from financial gain to sabotage, destruction of evidence and cyber war. The original wiper ware, Shamoon, clearly showed how wipers can be used as weapons of cyber sabotage – and it also showed how the same wiper can rear its ugly head even years after its first appearance. 

Variants like GermanWiper and NotPetya have revealed the ways wipers can be used to try to extort money from victims – such as by “pretending” to be ransomware. And NotPetya, as you probably recall, originally targeted Ukrainian organizations but quickly spread to become one of the most devastating cyber-attacks of all time. 

Don’t get wiped out by wiper ware

One thing to consider with wipers is whether or not they are self-propagating. If it’s a worm, like NotPetya, it can self-propagate to other machines once it’s let loose. And once that happens, it can’t be controlled.

In February, CISA released a warning of the direct threat wipers pose, and recommended that “organizations increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for wiper attacks.”
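The "detection" part of that CISA guidance is the one most teams can act on quickly. The following is an added example (not code from the original column, CISA or FortiGuard) showing how a defender might triage endpoint file-audit events for the two behaviours the column describes: wiping partition information from drives (a raw write to a disk device) and overwriting or deleting many user files in a short burst. The log format, the action labels (`WRITE`, `OVERWRITE`, `DELETE`, `RAW_WRITE`), the process names and the thresholds are all constructed assumptions; a real deployment would map its own EDR or audit source onto them.

```python
"""Triage of constructed endpoint file-audit events for wiper-like behaviour (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one event per line: timestamp|host|process|action|target.
# Hosts, process names and action labels are hypothetical.
SAMPLE_LOG = """\
2022-03-14T10:00:01|ws-17|explorer.exe|WRITE|C:\\Users\\ana\\report.docx
2022-03-14T10:00:02|ws-17|explorer.exe|DELETE|C:\\Users\\ana\\old.tmp
2022-03-14T10:00:05|ws-17|svchost.exe|WRITE|C:\\Windows\\Temp\\trace.log
2022-03-14T10:01:00|ws-17|upd.exe|OVERWRITE|C:\\Users\\ana\\report.docx
2022-03-14T10:01:00|ws-17|upd.exe|OVERWRITE|C:\\Users\\ana\\budget.xlsx
2022-03-14T10:01:01|ws-17|upd.exe|OVERWRITE|C:\\Users\\ana\\slides.pptx
2022-03-14T10:01:01|ws-17|upd.exe|OVERWRITE|C:\\Users\\ana\\notes.txt
2022-03-14T10:01:02|ws-17|upd.exe|OVERWRITE|C:\\Users\\ana\\photo.jpg
2022-03-14T10:01:02|ws-17|upd.exe|DELETE|C:\\Users\\ana\\archive.zip
2022-03-14T10:01:03|ws-17|upd.exe|OVERWRITE|C:\\Users\\ana\\contract.pdf
2022-03-14T10:01:03|ws-17|upd.exe|DELETE|C:\\Users\\ana\\keys.db
2022-03-14T10:01:04|ws-17|upd.exe|RAW_WRITE|\\\\.\\PhysicalDrive0
2022-03-14T10:05:00|ws-22|backup.exe|OVERWRITE|D:\\backup\\daily.bak
"""

DESTRUCTIVE = {"OVERWRITE", "DELETE"}
# Device paths whose raw overwrite destroys the MBR / partition table (assumed list).
RAW_DEVICE_PREFIXES = ("\\\\.\\PHYSICALDRIVE", "\\\\.\\C:", "/DEV/SD", "/DEV/NVME")


def parse_event(line):
    """Split one pipe-delimited audit line into a dict."""
    ts, host, proc, action, target = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "action": action, "target": target}


def triage(log_text, window_s=60, min_ops=6, min_exts=3):
    """Return a list of (severity, host, process, reason) findings.

    Rule 1: any raw write to a disk device is critical on its own.
    Rule 2: one process performing >= min_ops destructive file operations across
            >= min_exts distinct file types within window_s seconds is high.
    """
    findings = []
    recent = defaultdict(deque)   # (host, proc) -> deque of (ts, extension)
    already_flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["host"], ev["proc"])
        if ev["action"] == "RAW_WRITE" and ev["target"].upper().startswith(RAW_DEVICE_PREFIXES):
            findings.append(("critical", ev["host"], ev["proc"],
                             f"raw write to {ev['target']} (MBR/partition table destruction)"))
            continue
        if ev["action"] not in DESTRUCTIVE:
            continue
        ext = ev["target"].rsplit(".", 1)[-1].lower() if "." in ev["target"] else ""
        q = recent[key]
        q.append((ev["ts"], ext))
        # Slide the window: drop events older than window_s relative to this one.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        exts = {e for _, e in q}
        if len(q) >= min_ops and len(exts) >= min_exts and key not in already_flagged:
            already_flagged.add(key)
            findings.append(("high", ev["host"], ev["proc"],
                             f"{len(q)} destructive file ops across {len(exts)} file types in {window_s}s"))
    return findings


if __name__ == "__main__":
    for sev, host, proc, why in triage(SAMPLE_LOG):
        print(f"[{sev}] {host} {proc}: {why}")
```

On the constructed log this flags `upd.exe` twice (a high-severity burst of overwrites and deletions, then a critical raw write to the disk device) and stays silent on the single deletion by `explorer.exe` and the one backup overwrite. The burst rule will also fire on legitimate bulk operations such as backup rotation or build cleanup, so in practice the thresholds are tuned per environment and known maintenance processes are allowlisted; the raw-device rule needs far less tuning, because very little legitimate software writes directly to `\\.\PhysicalDrive0`.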

To minimize the impact of wiper malware, one of the most helpful countermeasures for organizations is integrated, AI and ML-driven, advanced detection and response capabilities powered by actionable threat intelligence to protect across all edges of hybrid networks.

Network segmentation is another countermeasure, one that can be used on multiple levels. It can keep the impact of an attack to just one segment of the network, for example, and limit lateral movement. 

Organizations should also consider deception technology, a strategy in which cyber attackers are lured away from an enterprise’s true assets and instead, diverted toward a decoy or a trap. The decoy mimics legitimate servers, applications and data to trick the bad actor into thinking they’ve infiltrated the real thing. 

In addition, services such as a digital risk protection service (DRPS) can help with external surface threat assessments, remediate security issues, and gain contextual insights on imminent threats.

Don’t scrimp on incident response: In the event that your organization is hit with wiper malware, the speed and quality of incident response is critical. The outcome of the attack can depend on it. The importance of incident response, and of planning for it, can’t be overestimated. That plan should include defined processes for business continuity without IT and a plan for how restoration from backups will be done. 
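A restoration plan is only as good as the backups it depends on, and a wiper that reaches a backup share destroys the recovery path along with the data. The following is an added example (not code from the original column or from FortiGuard) of a restore-readiness check: it records a SHA-256 manifest of a backup set when the backup is taken, then later verifies every file against that manifest and reports anything missing or altered. The backup files, the simulated damage and the function names are constructed for the demonstration.

```python
"""Backup restore-readiness check over a constructed backup set (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree against the manifest taken when the backup was made.

    Returns a dict of lists: ok, missing (in manifest, not on disk), mismatched
    (present but hash differs, e.g. overwritten with zeros), unexpected (on disk,
    not in manifest).
    """
    current = build_manifest(root)
    report = {"ok": [], "missing": [], "mismatched": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def restore_ready(report):
    """A backup set is restorable only if nothing is missing or altered."""
    return not (report["missing"] or report["mismatched"])


def demo():
    """Constructed scenario: manifest a small backup, then simulate a wiper
    overwriting one file with zeros and deleting another inside the backup share."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx").write_bytes(b"quarterly report")
        (root / "docs" / "budget.xlsx").write_bytes(b"numbers")
        (root / "db.bak").write_bytes(b"database dump")
        manifest = build_manifest(root)
        # Keep the manifest off the backup share (here: serialised in memory); a
        # manifest stored next to the data would be wiped together with it.
        manifest_json = json.dumps(manifest)
        # Simulated damage to the backup set.
        (root / "docs" / "report.docx").write_bytes(b"\x00" * 16)
        (root / "db.bak").unlink()
        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    r = demo()
    print(json.dumps(r, indent=2))
    print("restore-ready:", restore_ready(r))
```

In the constructed scenario the check reports `docs/report.docx` as mismatched and `db.bak` as missing, so `restore_ready` returns `False` before anyone attempts a restore that would fail. The manifest has to live somewhere the wiper cannot reach (an offline or immutable copy, or at least a different network segment, which is where the segmentation point above applies), and the check belongs in the regular backup schedule rather than in the incident itself.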

Looking ahead

What we’ve seen with the attacks on Ukraine – and others – is that wiper ware can be and is being used to degrade and disrupt critical infrastructure. This is being done as part of larger cyber warfare efforts. Another common tactic we’re seeing is that wiper malware samples sometimes “pretend” to be ransomware – leveraging many of the same tactics, techniques and procedures that ransomware uses but without the possibility of recovering the files. 

The net takeaway here is that wiper ware is being used for both financial gain and cyber sabotage – and it can have very devastating consequences. And just because we’re seeing comparatively lower detections than other types of cyberattacks, don’t fall into the trap of thinking it can’t affect you.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.