Five things you should know about wiper attacks

7 minutes reading

Imagine having all your company’s data wiped out for good… For most, this is a scenario from one of their worst nightmares. This spring’s wiper attacks in Ukraine, uncovered by ESET Research, show how quickly this malware spreads across networks and how extensive the damage it causes can be. What’s the usual motivation behind these attacks, how big is the risk for SMBs, and how can wipers be detected or dealt with? Here’s a basic overview of all you need to know, prepared with Ondrej Kubovic, ESET’s Security Awareness Specialist.

SMBs are not the usual targets, but it doesn’t mean they shouldn’t care.

Wiper attacks are targeted, well-thought-through and often prepared months in advance. However, they appear relatively rarely because there’s no direct financial profit for the attackers, compared to, for example, ransomware attacks. Cybercriminals usually aim to destroy critical data and systems, and wipers are commonly used as weapons in fights among states or sophisticated hacker groups. Even though password breaches and ransomware attacks continue to be the most significant threats for SMBs, it pays off to stay cautious. Some SMBs have also fallen victim to wiper attacks as collateral damage or a part of complex supply chains.

When one attack opens doors to others 

In 2017, cybercriminals infected the Ukrainian accounting software called M.E.Doc, used by the majority of companies in the country. By compromising its update server, the attackers spread the malware to partner companies and, subsequently, worldwide. The so-called (Not)Petya cyberattack shows that SMBs can involuntarily open doors to sophisticated attacks, especially when they supply other companies with their products or services. The same applies to MSPs.

The motivation behind wiper attacks? Destroying evidence and displaying power

In some cases, wiper attacks are merely the final step in more complex cyberattacks, including data thefts or data encryptions. Perpetrators frequently use wipers not only to destroy data but also to get rid of evidence. That was also the case in the Industroyer attack in 2016, during which attackers compromised the systems of a power distribution company in Kyiv, Ukraine, and later used a wiper to cover up their tracks. By deleting evidence, wipers make it nearly impossible for the victims to identify how the malware got into their devices or how it acted when it was installed.

During the recent cyberattacks in Ukraine, the malware known as HermeticWiper was co-deployed with HermeticWizard and HermeticRansom, and a new variant of the above-mentioned Industroyer malware appeared – this time, Industroyer2 was co-deployed with CaddyWiper and several other wipers, specifically targeting Linux and Solaris networks.

During geopolitical conflicts, wipers can demonstrate their power and serve as a part of psychological warfare. The attackers want to show that they’re capable of destroying part or parts of the “opponent’s” system, hoping the attack will shake their morale and project the destructive capabilities of the threat actor. In such cases, wipers are not necessarily used to destroy critical data on a single device but to sabotage a whole network – just because the attacker can.

What are some of the types of wiper attacks? 

Wiper attacks appear in various forms and for diverse purposes. Whereas some rewrite all data on discs with zeros or randomly-generated content, others destroy only parts of documents – which can lead to the same result, leaving the affected systems non-functional. Some of the wipers are more “intelligent” and attempt to gain maximum reach and privileges first, and only then, start their wiping. Other types of wipers might focus on destroying the network as such. The goal of some attacks is not to make the devices stop functioning within minutes but to destroy them gradually, as in the case of Stuxnet. This malicious computer worm allegedly damaged numerous centrifuges at Iran's Natanz uranium enrichment facility. The malware was very well hidden in the system and only caused damage incrementally, making it extremely difficult to identify the source of the issue.


What is the best prevention? High-quality cybersecurity software, constant network monitoring, and blocking any unauthorised network access.

Other attacks might have the same consequences as wipers

Some ransomware attacks may ultimately have the same effect as wiper attacks, making the victims irretrievably lose important data. This happens when attackers aim to conduct a ransomware attack but implement a part of the encryption process incorrectly, thus failing to decrypt the affected data. In such cases, data is lost, as with a wiper attack – even though it may not have been the cybercriminal’s intention. In other instances, wipers may be made to appear as ransomware attacks – as was the case of (Not)Petya.

Attackers leave false evidence behind

Generally, it is somewhat problematic to find logs that show how the wiper got into the system. Often, multiple systems are infected at once. Attackers frequently plant so-called false flags – such as parts of code or modus operandi – typical of a rival hacker group. This way, a different actor can be blamed instead of the actual perpetrators. It’s almost impossible to be 100% sure who stood behind giant wiper attacks until law enforcement and security services step in and use their intelligence to make the attribution, a step usually followed by personal sanctions against the perpetrators.

The Olympics of false evidence? 

In 2018, malware, later named the Olympic Destroyer, infected the systems that ran the opening ceremony during the Winter Olympic Games in Pyeongchang, South Korea. The malware included loads of false evidence that made it seem like North Korea was behind the attack, but later on, Chinese and Russian traces surfaced. It took weeks to confirm that the Sandworm Team spoiled the ceremony finally.

Stopping the processor, stopping the wiper

If a wiper is detected in your system, shut down all running processes and disconnect the device from the network, if possible. Remember: This approach can only be applied when shutting down the given processes won’t ultimately cause more damage or endanger the safety of employees. The speed of data wiping depends on the attack’s extent. Some attacks have strictly predefined priorities and can put the whole company down within minutes, while others last for hours and can be disrupted – at least partially.

Always remember to have an effective backup and recovery strategy in place. Should you become the target of a wiper attack, you may still have an off-site or cloud backup storage that lets you retrieve your data in just a few minutes or days.

Identifying data that’s crucial for your business also pays off. Whereas some companies may be able to afford to lose a few bills, data destruction can be disastrous for others. Imagine a gaming company suffering such an attack. Losing months of players’ data in a multiplayer online game can cause massive reputational damage and demotivate users from coming back. Despite being “just a game,” the incident could ultimately destroy the company’s income stream and force it out of business.

Offline and reliable data backups and mature cybersecurity strategies could mitigate the risks, making company systems more resilient and forcing cybercriminals to look for other ways to make money.