Wiper malware deletes, overwrites or encrypts data and software so that it is no longer accessible to the victim. Wiper malware attacks are destructive in nature: the malware has no function that can restore the data once it has been deleted or encrypted. These attacks are rarely carried out for the criminal's financial gain, so ransoms are rarely demanded in this type of attack. What is the point then? Read on as we delve into wiper malware with a lot of facts and a single case.
The purpose of wiper malware and the motivation behind it
Wiper malware attacks, as mentioned, are destructive in nature. This means that the expected effect of this type of attack is significant damage to or complete destruction of information, data or software. Precisely because the deleted or corrupted data can rarely be recovered, the motive behind the attacks is rarely economic. Instead, the aim of wiper malware attacks is often to cover the tracks of a separate data theft or cyber attack, or simply to disrupt and destroy the victim's systems.
More specifically, there are four typical motivations behind wiper malware attacks:
- Economic gain: As mentioned above, economic gain is generally rarely a motivation behind wiper attacks. This is of course because it is often difficult to make money from destruction. However, even though the objective will often not be to extort a ransom from the victim, in some cases you may find that the attackers pretend to be carrying out a ransomware attack, which can be called a ransomware scam. Therefore, it is also extremely important as a victim to identify which type of attack you are under, so that you do not pay a ransom in the hope of recovering your data. In the case of a wiper malware attack, this will not be possible at all.
- Destruction of evidence: If an organisation has been the victim of a wiper attack and is having difficulty figuring out the reason behind it, the attack may have been carried out to cover up another type of attack. It could be, for example, that the attackers are trying to cover the tracks of espionage. Because of the scale of the destruction, the victim will typically focus on recovering lost data rather than investigating the real motivation behind the attack.
- Sabotage: Sabotage is the most obvious motivation behind wiper attacks as it is used to destroy data, sabotage software development, create financial losses and generally to create chaotic conditions.
- Cyber war: This motivation is particularly relevant at the moment, as 2022 has seen a significant increase in the number of wiper malware attacks, particularly targeting Ukrainian infrastructure as well as Ukrainian authorities and companies in the war between Russia and Ukraine. Here, it has been very clear that wiper attacks against Ukrainian entities have supported Russian interests. Wiper attacks can thus have a major devastating effect on, inter alia, critical infrastructure, which often plays an important role in a war.
How wiper malware attacks work
The most basic approach in wiper attacks is to overwrite selected files with other data. But encryption can also play an important role: cybercriminals can encrypt files and then delete the encryption key, which in practice is equivalent to deleting the files. However, this approach is resource-intensive and slows down the malware, so it is usually only used when the hackers want to keep a ransomware scam going for as long as possible.
In very basic terms, there are two ways to destroy data: the logical way and the physical way.
We all know the logical approach to data deletion. It is when you move a file to the Recycle Bin and then delete it from the Recycle Bin. This action removes the file system's reference to the file, but not the file data itself, which means that you will typically be able to recover it using forensic tools, as long as the same physical location on the disk has not been overwritten in the meantime.
Physical deletion of data, on the other hand, is what cyber criminals use when performing wiper malware attacks. They want to make sure that the data cannot be recovered, so they destroy the data at the physical level on the hard disk. The most effective way to do this is to overwrite the specific physical location with other data. However, this can be a time-consuming process, so the hacker will often start by destroying the following two structures in the system:
- Master Boot Record (MBR), which is used in the boot process to identify where the operating system is located on the hard disk. When the MBR is replaced, the boot process crashes, making the files inaccessible. If the MBR is corrupted, the computer cannot even boot.
- The Master File Table (MFT) exists on NTFS file systems and records the physical location of each file on the drive as well as its metadata. Large files are sometimes stored as several fragments scattered across the disk, and the MFT records where each of these fragments is stored. When the hacker destroys the MFT, it will require technical tools to recover small files, while fragmented files will not be recoverable, as the link between the fragments is broken and thus lost.
In wiper attacks, attackers will typically use a combination of techniques to achieve their goal. The more techniques they use, the less likely it is that the data can be recovered.
How to minimise the extent of the damage
Organisations can implement various best practice approaches when it comes to minimising the extent of damage from wiper malware attacks. For example, it is important to have the following in place:
- Backup: Backup is an important security measure when it comes to wiper malware. Because malware often seeks out backups in systems, it is important to store the backup offline or off-site so that it can survive an attack.
- Recovery plan: It is important for organisations to have a recovery plan in place in case they are hit by a cyber attack, including a wiper attack. For example, how will data be restored from a backup and what are the guidelines for communicating about the attack? Questions like these need to be elaborated in a disaster recovery plan. The speed and quality of the organisation's response to such an incident also plays an important role.
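As an added example (not part of the original article), the check below shows how a defender can spot the overwrite patterns described above in a disk image or an offline backup copy: it compares the first 512-byte MBR sector and a set of files against a trusted baseline of hashes, and classifies any changed file as zero-filled or overwritten with random bytes. All disk and file contents are constructed sample data, and the entropy thresholds are assumptions.

```python
import hashlib
import math
from collections import Counter

MBR_SIGNATURE = b"\x55\xaa"  # boot signature at offset 510 of a valid MBR sector

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-zero data, near 8.0 for random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Findings for the first 512 bytes of a disk, compared with a trusted baseline hash."""
    findings = []
    if len(sector) != 512 or sector[510:512] != MBR_SIGNATURE:
        findings.append("mbr-signature-missing")  # the boot process would fail here
    if sha256(sector) != baseline_hash:
        findings.append("mbr-hash-mismatch")  # sector was replaced or overwritten
    return findings

def check_file(data: bytes, baseline_hash: str) -> list:
    """Findings for one file; an unexpected change is classified by what it now contains."""
    if sha256(data) == baseline_hash:
        return []
    findings = ["hash-mismatch"]
    e = entropy(data)
    if e < 0.5:
        findings.append("zero-filled")  # overwritten with zeros
    elif e > 7.5:
        findings.append("random-overwrite")  # overwritten with random or encrypted bytes
    return findings

def scan(baseline: dict, mbr: bytes, files: dict) -> dict:
    """Compare a current snapshot with the baseline; return only the items that changed."""
    report = {"mbr": check_mbr(mbr, baseline["mbr"])}
    report.update({n: check_file(d, baseline["files"][n]) for n, d in files.items()})
    return {k: v for k, v in report.items() if v}

# Constructed sample data (not real disk contents): a healthy snapshot and a wiped one.
GOOD_MBR = bytes(range(256)) + b"\x00" * 254 + MBR_SIGNATURE  # 512 bytes
GOOD_FILES = {"payroll.db": b"employee record\n" * 256, "report.docx": b"quarterly figures\n" * 256}
BASELINE = {"mbr": sha256(GOOD_MBR), "files": {n: sha256(d) for n, d in GOOD_FILES.items()}}
RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
WIPED_FILES = {"payroll.db": b"\x00" * 4096, "report.docx": RANDOMISH}

if __name__ == "__main__":
    print(scan(BASELINE, b"\x00" * 512, WIPED_FILES))
```

Run it against a read-only image or the offline backup copy rather than the live disk, so the check itself cannot disturb the evidence or the last good copy of the data.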
On January 14, 2022, the Ukrainian government experienced a coordinated attack on 22 government agencies, whose websites were defaced. Almost all of these websites had been developed by the same Ukrainian IT developer, Kitsoft, and all were built on the OctoberCMS platform. There are therefore strong indications that this was an attack on the supply chain and the supplier, or that a vulnerability in OctoberCMS was exploited.
In addition to the attacks on the websites, the Microsoft Threat Intelligence Center was able to identify destructive malware targeting Ukrainian organisations in a subsequent report.
The report also revealed that the attacks had included an MBR attack combined with a ransomware scam. The motive was most likely sabotage.
However, WhisperKill is only one of many wiper malware attacks against Ukrainian authorities and organisations that have taken place in 2022, testifying to the important role cyber attacks play in modern warfare.
Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.