What is Wiper Malware?
Wiper malware is malware that is designed to wipe (erase) the hard disk of a victim’s computer. Wiper malware is being seen more frequently, and it can be achieved through a number of techniques:
Overwriting files. With this approach, the cyberattacker simply enumerates the filesystem and overwrites the select files with data.
Encrypting files. With this approach, the cyberattacker encrypts a file and destroys the key.
Overwriting the Master Boot Record (MBR). With this approach, the cyberattacker overwrites the MBR, which is the part of the computer that tells the computer how to boot the OS. While this does not destroy the data, it often creates chaos, and it may be used in tandem with other techniques that will actually destroy the data1.
Overwriting the Master File Table (MFT). With this approach, the cyberattacker corrupts the MFT, which is a catalog of all the files that exist on the filesystem, the metadata, and the file content and/or file location. The operating system will not be able to find the files if the MFT is corrupted. Similar to the MBR approach, the data is not necessarily destroyed with this type of wiper technique.
IOCTL. The IOCTL is the device input and output control interface in Windows. The DeviceIoControl() function is an interface used to send control codes to devices, and the control codes are operations to be executed by the device driver. Malware uses this interface to collect information about the disks targeted for the actual wiping, and then uses the EaseUS Partition Master driver to overwrite selected parts of the disk with random data.
Third-party tooling. With this approach, cyberattackers often use the Windows driver of off-the-shelf products to bypass Windows’ protection mechanisms in order to manipulate the disks directly.
Unlike other malware cyberattacks, wiper attacks have several possible motivations:
Financial gain. Financial gain is not a significant motivating factor for a wiper attack, because it destroys the data, which leaves nothing to monetize. A possible financially motivated wiper attack may involve threat actors may pretend as if the cyberattack is a ransomware attack, but they may not, in fact, have any ability to recover the data.
Sabotage. Sabotage is an obvious reason for a wiper attack, as a wiper attack can cause chaos, destroy data, disrupt development, or cause financial loss.
Evidence destruction. A motivation of evidence destruction or espionage may only be deduced after all other potential motivators have been eliminated.
Cyberwar. Wiper operations may be a part of a larger conflict and may have goals such as disrupting or destroying critical infrastructure.
Recommendations to minimize the impacts of wiper malware include regularly backing up machines, maintaining proper network segmentation, and maintaining thorough plans for incident response and disaster recovery.
1 Revay, 2022, “An Overview of the Increasing Wiper Malware Threat”