Wiper Malware: Devastation Down Memory Lane
Amnesia is a primal human fear. It makes sense: what could be worse than losing every memory of your childhood, your loved ones, yourself? The concept is so frightening that it has been used in hit movies like Men in Black and Total Recall.
Reality is no less terrifying. While we aren’t under threat of having our personal memories erased, critical data on our computers can be destroyed by a cyberweapon known as wiper malware.
What is wiper malware?
Wiper malware strikes by wiping specific files or the entire hard disk of an infected computer. Unlike ransomware criminals, who encrypt data and hold it for ransom, wiper criminals destroy data entirely. They are not motivated by financial gain but have been compared to terrorists, looking to sow fear and uncertainty by creating irreversible financial and reputational damage to a country, organization or business. And like terror attacks, detection after the fact is useless: once they strike, the damage is irreversible. One of the largest wiper attacks, NotPetya in 2017, is estimated to have caused over $10 billion of damage across the globe.
What are the attack vectors for wipers?
Wipers aim to create maximum devastation in the minimum amount of time. They generally have three targets: files (data), the boot section of the operating system, and backups, and they often go after all three.
Since deleting or overwriting all files on a disk can take time, wipers often damage files only partially, which is enough to render them unusable. In other cases, wipers choose to damage specific files according to file type or other parameters. Another tactic is to encrypt various key points of the disk drive, as ransomware does. However, unlike ransomware, wipers employ "key-less" encryption, so there is no decryption key with which to reverse the wiper's dirty work.
Wipers also target the Master File Table (MFT), which stores information describing every file on the computer, including access permissions, creation date and disk location. When the MFT is damaged, the files stored on the disk become unrecoverable: the NTFS filesystem can no longer reconstruct them from the disk. Since files are not stored contiguously, it is nearly impossible to restore them without the MFT.
The Master Boot Record (MBR) contains information about the filesystem and disk partitions, and it invokes the boot loaders stored in the Volume Boot Records (VBRs). If the MBR and/or a VBR is damaged or altered, the computer will not be able to boot the OS and load the filesystem. Unlike files, which take time to destroy or overwrite, the MBR and VBRs can be altered in seconds, after which the computer is unbootable. The MBR and VBRs can be damaged either through key-less encryption or by corrupting (overwriting) the record's data.
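Added example, not from the original post or from Deep Instinct: a small Python parser for the 512-byte MBR layout described above (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA boot signature) and an integrity check that compares a captured MBR against a known-good baseline, flagging the overwritten or zeroed state a wiper leaves behind. The sample MBR bytes and the baseline hash are constructed; on a live Windows host the sector would be read from \\.\PhysicalDrive0 with administrative rights.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of bootstrap code precede the partition table
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511; without it the BIOS will not boot the disk


def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR into its bootstrap hash, partition entries and signature state."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE,
            "bootstrap_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Compare a captured MBR with a known-good baseline; an empty list means no findings."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: disk is no longer bootable")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline: possible overwrite")
    if not info["partitions"]:
        findings.append("partition table empty: no VBR can be located")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition: no VBR will be chain-loaded")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder bootstrap code, one active NTFS (0x07) partition at LBA 2048."""
    bootstrap = b"\xeb\x63\x90" + b"\x90" * (PART_TABLE_OFFSET - 3)   # jump + NOP filler stand-in
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    return bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["bootstrap_sha256"]
    print("intact MBR:", check_mbr(good, baseline) or "no findings")
    print("zeroed MBR:", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

Recording the baseline hash once at build time and re-checking it at boot or from a scheduled job is what turns this parser into an integrity monitor; the check is a complement to prevention, not a way to undo an overwrite that has already happened.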
Wipers do everything they can to make sure that the targeted data is unrecoverable. Therefore, in addition to damaging files and the boot sector, they also target the features of the Windows operating system that can help restore damaged file systems. For example, they delete volume shadow copies, a Windows backup feature, and attack the Windows Recovery Console, a command-line interface with a range of tools that can assist in restoring Windows to a normal state. By destroying backups, they ensure that their victims are unable to salvage any data.
How can you protect yourself?
Since wipers destroy data as soon as they are activated, an EDR response is useless. Therefore, as with other forms of terror, protection from wipers requires a focus on prevention. Choosing a security solution with strong predictive capabilities that can analyze threats pre-execution, before the threat materializes, is critical to protecting your data from wiper malware.
For more information about how you can keep your enterprise safe from attack, read the Deep Instinct report on wiper malware. It addresses:
- The various attack vectors associated with wiper malware
- An overview of wiper attacks over the past year
- A prediction of how future wiper attacks will occur