
Analysis of Wiper Malware Groups

Max Kersten, a malware expert at Trellix, recently examined more than 20 wiper variants that completely wipe out computer systems, and have been employed by cyber attackers in multiple attacks since the start of this year. At the Black Hat Middle East & Africa conference on Tuesday, he gave an overview of his findings during a 'Wipermania' session. 

What are Wipers?

Malware designed to harm the victim's system. Using a wiper feature, malware with numerous other functionalities can be deployed to destroy a system completely.

However, some ransomware incidents also produce an unintended wiper outcome. If the ransomware's encryption is flawed, the ransomed machine stays unusable: there is no way to restore it and no direct link to whoever released the ransomware. Sometimes the actors' email addresses are blacklisted or their websites are taken down, which makes it difficult to obtain a decryption key.

The third is phony ransomware, a less well-known wiper variant. Malware that uses ransomware as a front may never have intended to decrypt the data in the first place; it merely pretends the system is being held for ransom.

Since Saudi Aramco's 30,000 customer and server systems were rendered unusable by the 'Shamoon virus' more than ten years ago, destructive wiper malware has barely changed. According to a recent report, the threat it poses to enterprise firms is still very significant.

Selecting a target

First, the nature of the attack. Hacktivists seek to spread awareness of their cause and rely on the media to do so, in contrast to APT groups, which frequently want to remain undiscovered. Massively distributed malware is typically categorized as inexpensive malware; while both could have catastrophic effects, their distribution modes differ.

The chosen operating system is the second element. Windows is the platform business networks use the most, while many Linux variants are frequently used to host servers. Wiping files from employee computers already affects how a firm operates and can be completed quickly because it does not require privilege escalation.

In this research, the majority of the wipers were found to target the Windows operating system. However, switching to a different platform is not a shield against wipers, since some of those detected target a very narrow niche.

Spreading the virus

Attackers need some way to run their chosen malware on the victim's computer. Observed execution tactics include running the wipers manually on each device individually or using group policies to run them simultaneously on many devices. Alternatively, actors may build a worm-like spreading mechanism to activate the wiper on all connected devices.

Strategies for recovery

The wiper's objective is to render the system unusable, which can also be accomplished by overwriting files. Note that other file systems and the details of individual disk types have been left out for conciseness. The majority of wipers concentrate on Windows, which has used NTFS as its primary file system for well over ten years.

Some wipers simply erase every file they come across, including event logs and shadow copies. These two make useful monitoring items because, in normal operation, they are neither erased nor completely rewritten.
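The two monitoring items named above, event-log clearing and shadow-copy deletion, can be turned into a simple detection. The following is an added example and not code from the original post or from Trellix; the newline-delimited JSON record format, the host names and the command lines are constructed, while the Windows event IDs (1102, 104, 4688) are the documented ones.

```python
# Added example (not from the original post): flag the two wiper indicators the
# text singles out, event-log clearing and shadow-copy deletion, in a constructed
# set of Windows event records. Record format and sample values are assumptions.
import json
from typing import Optional

# Windows event IDs: 1102 = Security log cleared, 104 = System log cleared
# (Microsoft-Windows-Eventlog), 4688 = new process created.
LOG_CLEARED_IDS = {1102, 104}
PROCESS_CREATED_ID = 4688
# Shadow-copy removal as it appears in process-creation command lines.
SHADOW_DELETE_MARKERS = ("vssadmin", "delete shadows")

# Constructed sample records, one JSON object per line, loosely modelled on
# what a SIEM would export from Windows event logs.
SAMPLE_LOG = """\
{"EventID": 4688, "Computer": "WS01", "CommandLine": "C:\\\\Windows\\\\notepad.exe"}
{"EventID": 4688, "Computer": "WS01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1102, "Computer": "WS01", "SubjectUserName": "svc_backup"}
{"EventID": 104, "Computer": "FS02", "Channel": "System"}
{"EventID": 4624, "Computer": "FS02", "TargetUserName": "alice"}
"""

def classify(record: dict) -> Optional[str]:
    """Return an alert label for one record, or None if it is benign."""
    event_id = record.get("EventID")
    if event_id in LOG_CLEARED_IDS:
        return "event-log-cleared"
    if event_id == PROCESS_CREATED_ID:
        cmd = record.get("CommandLine", "").lower()
        if all(marker in cmd for marker in SHADOW_DELETE_MARKERS):
            return "shadow-copy-deletion"
    return None

def detect(log_text: str) -> list:
    """Scan newline-delimited JSON records; return (computer, label) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        label = classify(record)
        if label:
            alerts.append((record.get("Computer", "?"), label))
    return alerts

if __name__ == "__main__":
    for host, label in detect(SAMPLE_LOG):
        print(f"{host}: {label}")
```

Either alert on a host that is not a scheduled maintenance window is worth an immediate look, since a single cleared log or deleted shadow copy is often the first visible step before files are destroyed.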

The backup system should not be connected to the computers except while a backup is being saved; otherwise it risks being compromised by malware other than wipers. Ransomware frequently encrypts the data on all attached disks, even backup drives. With administrative rights, the wiper's effects may range from lost files to an unbootable computer.

Azov Ransomware Tries to Frame Cybersecurity Researchers


Azov ransomware, a newcomer to the malware market, is being propagated via pirated software, key generators, and adware bundles, and attempts to frame security researchers by claiming they are behind the attack.

The ransom note, named RESTORE_FILES.txt, appears politically motivated: it urges Western nations to assist Ukraine in its war against Russia and claims to have encrypted the files in protest of the seizure of Crimea.

The note falsely claims that security researcher Hasherezade designed the data wiper with the help of Vitali Kremez, Michael Gillespie, Lawrence Abrams and MalwareHunterTeam, and asks victims to contact the researchers on Twitter to recover their files.

According to Lawrence Abrams of BleepingComputer, none of the researchers named in the ransom note are responsible for the attack, nor do they have the decryption keys to free the files locked by the data wiper.

Furthermore, the note does not include any contact details for the actual author, meaning there is currently no way to recover from an Azov infection; hence the ransomware should be treated as a data wiper for now.

Modus operandi of the Azov wiper

In a new campaign started over the past two days, a threat actor reportedly purchased installs via the SmokeLoader malware botnet, which is normally propagated through websites offering pirated content such as game mods, cheats, and key generators, to deliver the data wiper.

Additionally, SmokeLoader is bundling other malware with the data wiper, including the RedLine Stealer information-stealing malware and the STOP ransomware. There have been cases where victims were attacked first by Azov and then by STOP ransomware, causing double encryption of their files, BleepingComputer reported.

To mitigate the risks, users should immediately change the passwords on their online accounts, especially sensitive ones such as online banking, password managers, and email accounts.