Shamoon, BlackEnergy, Destover, ExPetr/NotPetya, and Olympic Destroyer: all of these wiper malware families, and others like them, have a single purpose, destroying systems and/or data, and they usually cause great financial and reputational damage to the victim companies.
However, the threat actors behind this type of code, whether they are determined to send a political message or simply want to cover their tracks after data exfiltration, have adopted various techniques to carry out those activities.
Destructive payloads have been around since the early days of virus development. However, the delivery methods and the level of destruction of wiper malware have evolved.
The damage can range from overwriting specific files to destroying the entire file system.
The amount of data affected and the difficulty of the recovery process are direct consequences of the technique used.
How Does Wiper Malware Work (Anatomy)
To understand the various techniques that attackers use, a typical wiper can be broken down by its three targets:
- Files (data)
- The boot section of the machine's operating system
- System and data backups.
Most wipers target all three.
The activity that takes the most time to complete is the actual destruction of files.
To be more efficient, wipers rarely overwrite the entire hard drive.
Some wipers build a list of specific files; others enumerate all files in specific folders.
Some overwrite only a fixed number of bytes at the beginning of each file, which overwrites a file completely if it is smaller than that amount.
This is enough to destroy the file headers, rendering the files useless.
Other wipers write a fixed number of bytes in a pattern across the disk. For example, the malware could write 100 kilobytes of data every five megabytes, sequentially through the hard drive.
In effect, the wiper damages whichever files happen to fall in those stripes, so there is no predictable pattern of which files are destroyed.
This approach makes advanced recovery tools practically useless, because too little information remains to reconstruct the files. By contrast, destroying the boot section and the backups is a fairly quick process.
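From the incident-response side, both of the overwrite styles just described leave recognizable traces: a wiped header no longer matches the signature expected for the file's extension, and a striped overwrite with zeros or a constant pattern leaves whole blocks made of a single repeated byte. The following triage script is an added example written for this article, not code from the original text or from any of the malware families it names; it scans a directory for both symptoms. The signature table, the 4 KiB chunk size, the 10% threshold and the sample files it builds are all constructed for illustration.

```python
"""Post-incident triage: flag files whose headers or contents look overwritten.

Added example, not from the original article. It checks each file's leading
bytes against the signature expected for its extension, and counts fixed-size
chunks filled with one repeated byte, which a partial or striped overwrite
with zeros or a constant pattern leaves behind.
"""
import os
import tempfile

# Real file signatures for a few common types; the table is illustrative, not exhaustive.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
    ".exe": b"MZ",
}
CHUNK = 4096             # granularity at which overwritten stripes are counted (assumed)
UNIFORM_THRESHOLD = 0.1  # fraction of uniform chunks above which a file is flagged (assumed)


def header_matches(path):
    """True/False when the extension is known; None when no verdict is possible."""
    sig = MAGIC.get(os.path.splitext(path)[1].lower())
    if sig is None:
        return None
    with open(path, "rb") as f:
        return f.read(len(sig)) == sig


def uniform_chunks(path, chunk=CHUNK):
    """Return (uniform, total): chunks made of one repeated byte vs. all chunks read."""
    uniform = total = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            total += 1
            # Only full chunks count; a short tail chunk is never treated as a stripe.
            if len(buf) == chunk and buf == buf[:1] * chunk:
                uniform += 1
    return uniform, total


def triage_file(path):
    """Combine both checks into one verdict for a single file."""
    hdr = header_matches(path)
    uni, total = uniform_chunks(path)
    ratio = uni / total if total else 0.0
    return {
        "header_ok": hdr,
        "uniform_chunks": uni,
        "total_chunks": total,
        "suspicious": hdr is False or ratio > UNIFORM_THRESHOLD,
    }


def scan_dir(root):
    """Triage every regular file under root, keyed by path relative to root."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = triage_file(full)
    return results


def build_samples(root):
    """Write constructed sample files (not real artifacts) that mimic three outcomes."""
    body = os.urandom(8000)
    # Intact: correct PNG signature followed by random (compressed-looking) data.
    with open(os.path.join(root, "intact.png"), "wb") as f:
        f.write(MAGIC[".png"] + body)
    # Header wiped: first 1 KiB overwritten with zeros, the rest of the data untouched.
    with open(os.path.join(root, "header_wiped.pdf"), "wb") as f:
        f.write(b"\x00" * 1024 + body)
    # Striped: valid ZIP signature, but chunks 3 and 7 of 10 overwritten with zeros.
    chunks = [os.urandom(CHUNK) for _ in range(10)]
    chunks[0] = MAGIC[".zip"] + chunks[0][len(MAGIC[".zip"]):]
    chunks[3] = chunks[7] = b"\x00" * CHUNK
    with open(os.path.join(root, "striped.zip"), "wb") as f:
        f.write(b"".join(chunks))


def demo():
    """Build the samples in a temporary directory and return the scan results."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    build_samples(root)
    return scan_dir(root)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(name, verdict)
```

Running the script prints one verdict per sample: the intact PNG passes both checks, the PDF is flagged because its signature is gone even though no whole chunk is uniform, and the ZIP keeps a valid header but is flagged because 2 of its 10 chunks are solid zeros. The header check cannot judge files with unknown extensions (it returns None rather than guessing), and the chunk heuristic will also flag legitimately sparse or zero-padded files, so its output is a worklist for an analyst rather than a final verdict.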
Either way, the original operating system can no longer be started. Typically, along with destroying the master boot record, wipers also use operating system command-line utilities to disable the recovery console.
Backups are commonly destroyed simply by deleting snapshots of the data. To evade detection (until it is too late), a wiper can use several different techniques. For example, a custom boot loader can carry out the destruction at reboot, thereby bypassing the operating system's protections.
In the Shamoon attacks, by contrast, the perpetrators used a trial version of a legitimate driver to access the file system directly, bypassing the operating system API entirely, along with any protection the operating system imposes.
This also allows files to be destroyed while the system is still running. These techniques require the appropriate privilege level and depend on the operating system in use.
That is why some wipers fall back from one technique to another depending on the conditions found on the victim's system.
Another tactic, as seen with Olympic Destroyer, is to disable all services in the operating system. This tactic does not destroy data on its own, but it makes system recovery virtually impossible without reinstalling the operating system, resulting in service unavailability.
Olympic Destroyer also behaved like a worm, self-replicating and moving laterally within networks. Some such worms also carry code to exploit vulnerabilities that allow remote code execution, used when all other means of propagation fail.
BlackEnergy, for example, was suspected of exploiting a patched vulnerability in Siemens SIMATIC WinCC software.
The actors' objective is similar to that of a terrorist attack: to sabotage, and to sow fear, uncertainty and doubt.
In the past, cybercriminals have used wiper malware attacks with a double objective: to generate social destabilization while sending a public message, and to destroy all traces of their activities.
While wiper malware can be devastating, companies can take steps to defend themselves.
Thwarting these attacks often comes down to the basics.
How to Reduce Damages from Wiper Malware
Companies can increase their resistance to these types of attacks by implementing certain protections.
We will look at each of these protection measures:
- A proven cybersecurity incident response plan: Responding quickly is all about knowing what to do, and that is where a CSIRP comes in. The CSIRP must clearly define roles and responsibilities, and these cannot be limited to the cybersecurity department, or even the IT department. Everyone in the organization needs to know their role and what kind of decisions are expected of them.
- A risk-based patch management program: It is important to reduce a company's attack surface by keeping all software up to date. However, software patching can be problematic, which is why IT departments must carefully weigh the risk of remaining vulnerable against the risk of disrupting the business.
- A cybersecurity-aware and proven business continuity plan: It is crucial to include recovery from wiper attacks in your continuity planning, in particular protecting your organization's backup infrastructure. To achieve this, run the backup software on non-Windows systems, segment the backup network, and use separate usernames and passwords for it.
- Network and user segmentation on top of the regular software security stack: One of the most important aspects of damage mitigation is network segregation, which is neither simple nor easy to achieve. Intent-based networking can make this task much easier and faster. Even if network segregation is not enforced during normal business operations, the ability to perform emergency segregation can make the difference between an attack with a severe business impact and a minor disruption.
Wiper-style attacks are rare today, as the main focus of malware is financial gain.
The danger comes from coupling wiper-style attacks with the fact that more and more critical infrastructure weaknesses are discovered every day.
We expect that wiper attacks will continue and may become even more popular in the near future, as a means of attacking critical infrastructure at precise times to cause widespread damage.
But you do not have to become a victim and put your business at risk in the process.