In recent years, we have seen many cyberattacks involving ransomware or malware aimed at stealing sensitive data. Shortly before the Russian army invaded Ukraine, a less common malware variant was discovered there. However, less common does not mean less harmful. In fact, this malware disables infected computers by overwriting and deleting all the files on them. That is why it has been given the name wiper malware.
Wiper malware is actually nothing new and has already been used on numerous occasions in the past. As is the case with a lot of malware, however, new variants of wipers have since emerged. It would appear that the aim of this malware is to cause digital disruption in Ukraine. The problem is that the digital world is a close-knit community and it is therefore perfectly possible that this malware will, in time, spread to other countries as well. Consequently, there is a chance that it will raise its ugly head in the Netherlands at some point.
What does wiper malware do exactly and why is it so dangerous? These are the questions we are going to answer in this blog. We are also going to look at which variants are currently known to exist and what measures you can take to protect your organization against this destructive wiper malware.
Total destruction
You may be wondering what the difference actually is between normal ransomware and wiper malware. Ransomware is a notorious type of malware which we have all become familiar with. Organizations fall victim to it on a regular basis. During a ransomware attack, all the files on an infected computer are taken hostage, rendering the computer (partially) unusable. After the ransom has been paid, however, the files are released and the victim is able to start using the computer again.
Just as in a ransomware attack, wiper malware also disables an infected computer. What makes wiper malware so dangerous is that it deletes or overwrites files, rather than taking them hostage. Infected computers are therefore permanently disabled and, in many cases, it will be impossible to recover the data on the computers in question. While victims of a ransomware attack can still hope that their data can be recovered, the same cannot be said of a wiper malware attack.
The lack of any possibility of restoring the data means that hackers who use a wiper will not earn any money. Instead, they are motivated by something else. The wipers are actually used as a digital bombardment. Just like runways at an airport can be bombed in order to put the airport out of operation, wipers can cripple companies’ computers or critical infrastructure.
All shapes and sizes
Various wipers have now been identified in the conflict between Russia and Ukraine. The first ones to be detected were the HermeticWiper (also known as FoxBlade or Killdisk.NCV) and WhisperGate wipers, which have been joined more recently by the IsaacWiper (also known as Lasainraw). The functionality of this malware is generally the same, namely to disable computers.
The HermeticWiper and IsaacWiper malware focus on overwriting files on the hard drive of an infected computer. The malware then shuts the computer down, after which it will not restart. The WhisperGate malware works in a similar way, but it is disguised as ransomware. It overwrites the MBR (Master Boot Record) of the infected computer with a ransom note, which the user will see when they try to start up the computer. The ransom note suggests that recovery is still possible. This is not the case, however, because all the files have been overwritten and deleted.
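Because WhisperGate replaces the first sector of the disk, a defender can detect that kind of tampering by comparing the current MBR against a baseline taken from a healthy machine. The following check is an added example and is not code from the original post; it assumes the 512-byte MBR has already been read from the disk device, and the sample MBRs it operates on are constructed here for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of a known-good MBR, recorded while the machine is healthy."""
    return hashlib.sha256(mbr).hexdigest()


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Return the four primary partition entries (offset 446, 16 bytes each)."""
    entries = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_sha256: str) -> list[str]:
    """Return findings; an empty list means the MBR is intact and matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if baseline_hash(mbr) != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(e["type"] != 0 and e["sectors"] > 0 for e in parse_partition_table(mbr)):
        findings.append("partition table contains no usable entries")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: jump stub, one bootable NTFS partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def tampered_sample_mbr() -> bytes:
    """Constructed tampered MBR: the sector holds only text, the way a boot sector
    looks after a wiper writes a note over it (placeholder text, not the real note)."""
    return b"[constructed placeholder note text]".ljust(MBR_SIZE, b"\x00")
```

In practice the 512 bytes come from the raw disk device and the baseline hash from a trusted earlier read of the same disk; a hash mismatch alone also fires after legitimate bootloader updates, so the signature and partition-table findings are what distinguish destruction from maintenance.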
Although wiper malware is used as a digital bombardment, other ransomware variants have also been found to be present during attacks, such as the HermeticRansom and PartyTicket ransomware, for which free decryptors are now available. It is possible that these ransomware variants have been used as a diversion to mask the presence of wiper malware.
The wipers ‘wipe’
As already discussed, wiper malware destroys the data on infected computers. Recovery is therefore no longer possible, and that makes it all the more important to prevent a wiper infection.
You need to make sure your organization has basic cyber hygiene measures in place. This means network segmentation, encryption, authorization and authentication. It is also important to raise your employees’ level of cyber awareness. On top of that, it is especially important in the case of a wiper infection to ensure complete, so-called immutable backups, which can no longer be changed after they have been created and which you will also preferably keep at an external or offline location. After all, that is the only way to restore the data on infected computers.
Technical information (indicators of compromise)
Numerous sources are now tracking technical indicators of digital threats relating to the war in Ukraine. We recommend keeping an eye on, among others, Orange’s GitHub pages and Curated-Intel. New indicators are rapidly added to these GitHub pages so that they can be used for detection purposes by, for example, the SOC. For a general overview of cyberthreats in relation to the war in Ukraine, we recommend that you follow this page. New information is being made available there very quickly thanks to the cooperation which is taking place between various organizations at home and abroad, and we are, of course, doing our very best to verify new indicators as quickly as possible and add them to the systems that we are using within our SOC services.