Having all your crucial data wiped out for good? For most companies, this is a nightmare scenario. Last spring’s wiper attacks in Ukraine, which the ESET Research team uncovered, showed how quickly this malware spreads across networks, and how extensive the damage it causes can be. What’s the usual motivation behind these attacks, how big is the risk for SMBs, and how can wipers be detected or dealt with? Here’s a basic overview of all you need to know, prepared in cooperation with Ondrej Kubovic, ESET’s Security Awareness Specialist.
SMBs are not the usual targets, but it doesn’t mean they shouldn’t care.
Wiper attacks are targeted, well-thought-out and often prepared months in advance. However, they appear rather rarely because there’s no direct financial profit for the attackers, compared to, for example, ransomware attacks. Cybercriminals usually aim to destroy key data and systems, and wipers are commonly used as weapons in fights among states or sophisticated hacker groups. Even though password breaches and ransomware attacks continue to be the biggest threats for SMBs, it pays off to stay cautious. Some SMBs have fallen victim to wiper attacks, too, either as collateral damage or as a part of complex supply chains.
When one attack opens doors to others
In 2017, cybercriminals infected the Ukrainian accounting software called M.E.Doc, used by the majority of companies in the country. By compromising its update server, the attackers managed to spread the malware to partner companies and subsequently, all over the world. The so-called (Not)Petya cyberattack shows that SMBs can involuntarily open doors to sophisticated attacks, especially when they supply other companies with their products or services. The same applies to MSPs.
The motivation behind wiper attacks? Destroying evidence and displaying power
In some cases, wiper attacks are merely the final step in more complex cyberattacks that include data thefts or data encryptions. Frequently, perpetrators use wipers not only to destroy data, but to also get rid of the evidence. That was also the case in the Industroyer attack in 2016, during which attackers compromised the systems of a power distribution company in Kyiv, Ukraine, and later used a wiper to cover their tracks. By deleting evidence, wipers make it close to impossible for the victims to identify how the malware got into their devices or how it acted when it was installed.
During the recent cyberattacks in Ukraine, the malware known as HermeticWiper was co-deployed with HermeticWizard and HermeticRansom, and a new variant of the above-mentioned Industroyer malware appeared. This time, Industroyer2 was co-deployed with CaddyWiper and several other wipers, specifically targeting Linux and Solaris networks.
During geopolitical conflicts, wipers can be used to demonstrate power and serve as a part of psychological warfare. The attackers want to show that they’re capable of destroying part or parts of the “opponent’s” system, hoping the attack will shake their morale and project the destructive capabilities of the threat actor. In such cases, wipers are not necessarily used to destroy key data on a single device, but to also sabotage a whole network – just because the attacker can.
What are some of the types of wiper attacks?
Wiper attacks appear in various forms, and for diverse purposes. Whereas some rewrite all data on discs with zeros or randomly generated content, others destroy only parts of documents – which can lead to the same result, leaving the affected systems non-functional. Some of the wipers are more “intelligent” and attempt to gain maximum reach and privileges first, and only then, start their wiping. Other types of wipers might focus on destroying the network as such. The goal of some attacks is not to make the devices stop functioning within minutes, but rather, to destroy them gradually, as in the case of Stuxnet. This malicious computer worm allegedly damaged numerous centrifuges at Iran's Natanz uranium enrichment facility. The malware was very well hidden in the system and only caused damage incrementally, making it extremely difficult to identify the source of the issue.
The best prevention? High-quality cybersecurity software, constant network monitoring and blocking of any unauthorized network access .
Other attacks might have the same consequences as wipers
Some ransomware attacks may ultimately have the same effect as wiper attacks, making the victims irretrievably lose substantial data. This happens when attackers aim to conduct a ransomware attack, but implement a part of the encryption process incorrectly, thus failing to decrypt the affected data. In such cases, data is lost, as with a wiper attack – even though it may not have been the cybercriminal’s intention. In other cases, wipers may be made to appear as ransomware attacks – as was the case of (Not)Petya.
Attackers leave false evidence behind
Generally, it is rather problematic to find logs that show how the wiper got into the system. Often, multiple systems are infected at once. Attackers frequently plant so-called false flags – such as parts of code or modus operandi – typical of a rival hacker group. This way, a different actor can be blamed instead of the true perpetrators. It’s almost impossible to be 100% sure who stood behind huge wiper attacks until law enforcement and security services step in and use their own intelligence to make the attribution, a step usually followed by personal sanctions against the perpetrators.
The Olympics of false evidence?
In 2018, malware later named the Olympic Destroyer infected the systems that ran the opening ceremony during the Winter Olympic Games in Pyeongchang, South Korea. The malware included loads of false evidence that made it seem like North Korea was behind the attack, but later on, Chinese and Russian traces surfaced. It took weeks to finally confirm that it was the Sandworm Team that spoiled the ceremony.
Stopping the processor, stopping the wiper
If a wiper is detected in your system, shut down all running processes and disconnect the device from the network, if possible. Remember: This approach can only be applied when shutting down the given processes won’t ultimately cause more damage or endanger the safety of employees. The speed of data wiping depends on the attack’s extent. Some attacks have strictly pre-defined priorities and can bring the whole company down within minutes, while others last for hours and can be disrupted – at least partially.
Always remember to have an effective backup and recovery strategy in place. Should you become the target of a wiper attack, you may still have an off-site or cloud backup storage that lets you retrieve your data in just a few minutes or days.
Identifying data that’s crucial for your business also pays off. Whereas some companies may be able to afford to lose a few bills, for others, data destruction can be disastrous. Imagine a gaming company suffering such an attack. Losing months of players’ data in a multiplayer online game can cause massive reputational damage and demotivate users from coming back. Despite it being “just a game,” the incident could ultimately destroy the company’s income stream and force it out of business.
Offline and reliable data backups and mature cybersecurity strategies could mitigate the risks, making company systems more resilient, and forcing cybercriminals to look for other ways to make their money.