Destructive wiper malware has evolved very little since the "Shamoon" virus crippled some 30,000 client and server systems at Saudi Aramco more than 10 years ago. Yet it remains as potent a threat as ever to enterprise organizations, according to a new study.
Max Kersten, a malware analyst at Trellix, recently analyzed more than 20 wiper families that threat actors deployed in various attacks since the beginning of this year — i.e., malware that makes files irrecoverable or destroys whole computer systems. He presented a summary of his findings at the Black Hat Middle East & Africa event on Tuesday during a "Wipermania" session.
A Comparison of Wipers in the Wild
Kersten's analysis included a comparison of the technical aspects of the different wipers in the study, including the parallels and differences between them. For his analysis, Kersten included wipers that threat actors used extensively against Ukrainian targets, especially just before Russia's invasion of the country, as well as more generic wipers in the wild.
His analysis showed the evolution of wipers, since Shamoon, is vastly different from other types of malware tools. Where, for example, the malware that threat actors use in espionage campaigns has become increasingly sophisticated and complex over the years, wipers have evolved very little, even though they remain as destructive as ever. A lot of that has to do with how and why threat actors use them, Kersten tells Dark Reading.
Unlike spyware and other malware for targeted attacks and cyberespionage, adversaries have little incentive to develop new functionality for concealing wipers on a network once they have managed to sneak it on there in the first place. By definition, wipers work to erase or overwrite data on computers and are therefore noisy and easily spotted once launched.
"As the wiper’s behavior needn’t stay unnoticed per se, there is no real incentive for evolvement," Kersten says. It's usually only when malware needs to remain hidden over a prolonged period of time that threat actors develop advanced techniques and carry out thorough testing before deploying their malware.
But wipers needn't be that complex, nor well tested, he notes. For most threat actors using wipers, "the current methods are working and require little to no tweaking, other than the creation of a new wiper to use in a next attack."
Kersten found that a wiper can be as simple as a script to remove all files from the disk, or as complex as a multistage piece of malware which modifies the file system and/or boot records. As such, the time for a malware author to develop a new wiper might range from just a few minutes to a significantly longer period for the more complex wipers, he says.
A Nuanced Threat
Kersten advocates that enterprise security teams keep a few factors in mind when evaluating defenses against wipers. The most important one is to understand the threat actor's goals and objectives. Though wipers and ransomware can both disrupt data availability, ransomware operators tend to be financially motivated, while the goals of an attacker using wiper malware tend to be more nuanced.
Kersten's analysis showed, for instance, that activists and threat actors working in support of strategic nation-state interests were the ones who mainly deployed wipers in cyberattacks this year. In many of the attacks, threat actors targeted organizations in Ukraine, particularly in the period just prior to Russia invasion of the country in February.
Examples of wipers that threat actors used in these campaigns included WhisperGate and HermeticWiper, both of which masqueraded as ransomware but actually damaged the Master Boot Record (MBR) on Windows systems and rendered them inoperable.
Other wipers that attackers deployed against targets in Ukraine this year include RURansom, IsaacWiper and CaddyWiper, a tool that Russia's infamous Sandworm group attempted to deploy on Windows systems associated with Ukraine's power grid. In many of these attacks, the threat actors that actually carried them out appear to have sourced the wipers from different authors.
Another factor that security responders need to keep in mind is that wipers don't always delete files from the target system; sometimes wipers can cripple a target system by overwriting files as well. This can make a difference when attempting to recover files following a wiper attack.
"Deleting a file often leaves the file on the disk as-is while marking the size as free-to-use for new write operations," Kersten wrote in a blog post on his research, released in tandem with his Black Hat talk on Nov. 15. This makes it possible to recover files in many instances, he said.
When a wiper tool corrupts files by overwriting them, the files can be harder to recover. In the blog post, Kersten pointed to the WhisperGate wiper, which corrupted files by repeatedly overwriting the first megabyte of each file with 0xCC. Other wipers like RURansom use a random encryption key for each file while some wipers overwrite files with copies of the malware itself. In such instances, the files can remain unusable.
The main takeaway is that organizations need to prepare for wipers in much the same way as they prepare for ransomware infections, Kersten says. This includes having backups in place for all critical data and testing recovery processes often and at scale.
"Nearly every wiper is able to corrupt a system until the point that either all files are lost or the machine wont function properly anymore.," he notes. "Since wipers are easy to build, attackers can build a new one daily if needed."
So, the focus for organizations be on the adversary’s tactics, techniques, and procedures (TTPs) — such as lateral movement — rather than the malware itself.
"It’s better to brace for impact [from a wiper attack] when there is none," Kersten says, "than to be struck with full force without prior notice."