Max Kersten, a malware expert at Trellix, recently examined more than 20 wiper variants that completely wipe out computer systems, and have been employed by cyber attackers in multiple attacks since the start of this year. At the Black Hat Middle East & Africa conference on Tuesday, he gave an overview of his findings during a 'Wipermania' session.
What are Wipers?
A wiper is malware designed to harm the victim's system. Malware with numerous other functionalities can also carry a wiper feature, which can be deployed to completely destroy a system.
However, ransomware also has an unexpected wiper use case. If the ransomware's encryption is flawed, the ransomed machine stays unusable: there is no way to restore the data or to directly link to whoever released the ransomware. Sometimes the actors' email addresses are blacklisted or their websites are taken down, which makes it difficult to obtain a decryption key.
The third is phony ransomware, a less well-known wiper variant. Malware that uses ransomware as a front may never have intended to decrypt the data in the first place, and instead only pretends the system is being held for ransom.
Since Saudi Aramco's 30,000 customer and server systems were rendered unusable by the 'Shamoon virus' more than ten years ago, destructive wiper malware has barely changed. According to a recent report, the threat it poses to enterprise firms is still very significant.
Selecting a target
The first element is the attack's character. Hacktivists seek to spread awareness of their cause and rely on the media to do so, in contrast to APT groups, who frequently want to remain undiscovered. Massively distributed malware is typically categorized as inexpensive malware; while both could have catastrophic effects, their distribution modes differ.
The chosen operating system is the second element. While many Linux variants are frequently used to host servers, Windows is the platform business networks use the most. Wiping files from employee computers already affects how a firm operates and can be completed quickly because it does not require privilege escalation.
From this research, the majority of wipers were found to target the Windows operating system. However, switching to a different platform is no shield against wipers, since some of those detected target a very narrow niche.
Spreading the virus
Attackers want to run the malware of their choice on the victim's computer in some manner. One execution tactic observed is running the wipers manually on each device individually, or using group policies to run them simultaneously on many devices. Alternatively, actors may develop a worm-like spreading mechanism to activate the wiper on all connected devices.
Strategies for recovery
The wiper's objective is to render the system unusable, which can also be accomplished by overwriting files. Note that the details of multiple file systems and individual disk types have been left out for conciseness. The majority of wipers concentrate on Windows, which has used NTFS as its primary file system for well over ten years.
Some wipers simply erase every file they come across, including event logs and shadow copies. These two make useful monitoring items, because under normal operation they are typically neither erased nor completely rewritten.
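The monitoring point above can be turned into a small detection routine. The following is an added example written for this article, not code from the talk or from Trellix; the event records are constructed samples in a simplified dict form modelled on Windows Security/System log entries and Sysmon process-creation events, and the channel names, event IDs and command-line patterns are assumptions about a typical Windows telemetry setup.

```python
import re

# Constructed sample events for the example, not captured from a real host.
# Shape is a simplified rendering of Windows event-log records.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Security", "event_id": 4624,
     "data": {"LogonType": "2"}},
    {"host": "ws01", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "admin"}},
    {"host": "ws02", "channel": "System", "event_id": 104,
     "data": {"Channel": "Application"}},
    {"host": "ws03", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"Image": r"C:\Windows\System32\vssadmin.exe",
              "CommandLine": "vssadmin.exe delete shadows /all /quiet"}},
    {"host": "ws03", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"Image": r"C:\Windows\System32\vssadmin.exe",
              "CommandLine": "vssadmin.exe list shadows"}},
    {"host": "ws03", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"Image": r"C:\Windows\System32\wevtutil.exe",
              "CommandLine": "wevtutil.exe cl Security"}},
]

# Security 1102 = "The audit log was cleared"; System 104 = an event-log
# channel was cleared (written by the Eventlog service).
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Command-line patterns for shadow-copy removal and event-log clearing.
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.I)
LOG_CLEAR_CMD_RE = re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)


def classify(event):
    """Return an indicator label for one event, or None if it looks benign."""
    key = (event["channel"], event["event_id"])
    if key in LOG_CLEARED_EVENTS:
        return "event_log_cleared"
    if event["channel"] == SYSMON_CHANNEL and event["event_id"] == 1:
        cmdline = event["data"].get("CommandLine", "")
        if SHADOW_DELETE_RE.search(cmdline):
            return "shadow_copy_deleted"
        if LOG_CLEAR_CMD_RE.search(cmdline):
            return "event_log_clear_command"
    return None


def detect(events):
    """Run classify() over an event stream and return (host, label) alerts."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append((ev["host"], label))
    return alerts


def hosts_by_alert_count(alerts):
    """Count alerts per host so a host with several indicators is triaged first."""
    counts = {}
    for host, _ in alerts:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, label in found:
        print(f"{host}: {label}")
    print(hosts_by_alert_count(found))
```

Listing shadow copies on ws03 is not flagged, only their deletion; backup software and scheduled log rotation can legitimately produce the same events, so in practice these alerts are correlated per host and with timing rather than treated as proof of a wiper on their own.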
The backup system ought not to be connected to the computers except when a backup is being saved; otherwise it runs the risk of being compromised by malware other than wipers. Ransomware frequently encrypts the data on all connected disks, including backup drives. With administrative rights, the wiper's effects can range from losing files to making the computer unbootable.