Last year witnessed an increase in destructive wiper malware with researchers identifying 12 new variants across the threat landscape in 2022 alone...and there's more to come in 2023!

Wiper malware attacks are particularly dangerous as the primary aim is to permanently delete files found on a victim’s network, thus eliminating the chances of retrieving data back.

Since resurfacing, wiper malware has leveraged multiple techniques that are used to evade detection and analysis.

Many of the wiper malware samples analysed so far have posed as ransomware, meaning they leverage many of the same techniques, but without the possibility of file recovery. These include encrypting files, providing a Bitcoin address for payment, and delivering a ransom note.

However, in reality, a wiper is leveraged with the main aim of simply destroying data using a range of techniques including encrypting files and destroying the key, overwriting the Master Boot Record of the targets disk, overwriting the Master File Table and the use of third-party tooling.

As the Ukrainian counteroffensive progressed, this fueled an increase in wiper malware to destroy data from networks of organisations involved in power generation, water supply, and the transportation of people and goods.

One example is “CaddyWiper”, a variant that was used shortly after the conflict started to erase data and partition information from drives on systems belonging to a small number of Ukrainian organisations.

Other malware wiper families have been discovered also obtaining a Pro-Russian motive, such as HermeticWiper and IsaacWiper.

However, wiper malware attacks have also been observed spilling over and targeting countries outside of Russia and Ukraine.

Although attacks observed so far have been widely used to aid the Russia-Ukraine cyber offensive, it is highly likely there will be an increase in wiper malware attacks throughout 2023 for a range of differing motives due to their newfound popularity.

Motivations could range from financial gain, sabotage, destruction of evidence and the continued cyberwar.

Given the 12 malware families identified this past year, it is almost certain the threat of malware wipers will remain this year.

However, the unexpected surge in this malware makes it more difficult to protect against attacks as there has been limited detections.

There are several best practices that organisations are urged to implement to minimise the impact of wiper malware including sufficient backups, network segmentation and appropriate disaster recovery and incident response plans.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).