How Malware Works and Recent Examples
Anyone who still regards ransomware attacks as the most destructive form of cyberattack should note that the rise of wiper malware has produced a more dangerous threat. With ransomware, the encrypted files can at least be recovered after negotiation. The primary objective of a wiper, by contrast, is to cause as much damage as possible rather than to extort money. A recent example of wiper malware is the damage inflicted by Russia on Ukrainian government and banking websites.
How does Wiper Malware Work?
There are many wiper variants, each with its own way of working, but most focus on three targets: files, the system's boot section, and backups.
Files
Overwriting or deleting every file on a disk can take a lot of time. To avoid wasting it, most wipers do not overwrite entire disk drives but instead write small amounts of data at random positions and at specific intervals, which is enough to destroy the files. A wiper generally targets the files used by essential system recovery tools first, so that as much damage as possible is inflicted and no recovery option remains.
Attackers may also make stored data irrecoverable by encrypting files with keyless encryption techniques: no decryption key exists, so the encryption cannot be reversed.
Boot Section
Wiper malware's objective is to make the data irrecoverable, so it attempts to eliminate the data at the physical level of the disk. The most reliable way to do this is to overwrite the physical location with other data. Because writing multiple gigabytes to disk is time-consuming, several wipers first destroy two special structures on the system, the Master Boot Record (MBR) and the Master File Table (MFT), in addition to destroying the data itself.
The MBR is read during the boot process to identify where the operating system is stored on the disk. When the MBR is overwritten, the boot process fails, rendering the files inaccessible unless forensic techniques are used.
The MFT is present on every NTFS file system. It is essentially a catalog of every file on the file system: the file's metadata and either the file content itself or the location where the content is stored. Once the MFT is corrupted, the operating system can no longer locate the files, which is how a wiper makes files disappear quickly.
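Because the MBR has a fixed, documented layout, its integrity can be checked from a single 512-byte sector read. The following is an added example, not code from the original article: a small Python parser that splits an MBR into its bootstrap code, partition table and boot signature, and reports structural findings that a forensic responder would look for on a suspected wiped disk (missing 0x55AA signature, zeroed boot code, empty or nonsensical partition table). The sample sectors are constructed in the script, not taken from any real disk.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code
PARTITION_ENTRY_SIZE = 16


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and the signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions, "signature": sector[510:]}


def assess_mbr(sector: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR looks structurally sound."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: sector will not be treated as a bootable MBR")
    if not any(mbr["bootstrap"]):
        findings.append("bootstrap area is all zeros: boot code has been erased")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("partition table is empty: no partitions are defined")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: type set but zero length")
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"partition {i}: starts at LBA 0 and overlaps the MBR itself")
    return findings


def build_sample_mbr(partitions, signature=BOOT_SIGNATURE, bootstrap=None) -> bytes:
    """Assemble a constructed MBR for testing; this is not an image of any real disk."""
    if bootstrap is None:
        # arbitrary non-zero filler standing in for real bootstrap code
        bootstrap = bytes((i * 7 + 3) & 0xFF for i in range(PARTITION_TABLE_OFFSET))
    table = b""
    for entry in (list(partitions) + [None] * 4)[:4]:
        if entry is None:
            table += bytes(PARTITION_ENTRY_SIZE)
        else:
            status, ptype, lba_start, sectors = entry
            table += struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    return bootstrap + table + signature


if __name__ == "__main__":
    # one bootable NTFS partition (type 0x07) starting at the usual 1 MiB alignment
    healthy = build_sample_mbr([(0x80, 0x07, 2048, 1_000_000)])
    print("healthy:", assess_mbr(healthy) or "no findings")
    print("zeroed :", assess_mbr(bytes(MBR_SIZE)))
```

On a real system the sector would come from a raw read of the first 512 bytes of the disk image taken during response; a clean signature with a zeroed bootstrap or empty table is the typical signature of a wiper that only spent the time to destroy the MBR rather than the whole drive.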
Backups
Various wiper variants are designed to defeat file-restoration efforts by damaging backup processes and systems as well. Besides targeting files and the boot section and causing as much damage as it can, a wiper also damages those elements of the operating system that could help restore the damaged files. It typically searches the machine for backups, including volume shadow copies, and destroys them, and it disables the Windows Recovery Console using the system's own command-line utilities. The aim of targeting backups is to ensure that victims can never recover any of the destroyed data.
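Because the utilities a wiper uses to remove shadow copies and disable recovery are ordinary Windows administration tools, the detection signal is the command line itself, not the binary. The following is an added example, not code from the original article: a small Python detector run over constructed process-creation log lines (the log format, host names and user names are assumptions) that flags commands deleting volume shadow copies or disabling Windows recovery, mapped to MITRE ATT&CK technique T1490 (Inhibit System Recovery), and then reports hosts where several such commands cluster.

```python
import re

# Constructed process-creation events (not from any real incident). Assumed format:
# "<timestamp> host=<name> user=<name> cmd=<command line>"
SAMPLE_LOG = """\
2024-03-01T09:12:04Z host=ws-017 user=jdoe cmd=C:\\Windows\\System32\\notepad.exe report.txt
2024-03-01T09:12:31Z host=ws-017 user=jdoe cmd=vssadmin delete shadows /all /quiet
2024-03-01T09:12:33Z host=ws-017 user=jdoe cmd=wmic shadowcopy delete
2024-03-01T09:12:35Z host=ws-017 user=jdoe cmd=bcdedit /set {default} recoveryenabled no
2024-03-01T09:13:02Z host=srv-bk1 user=svc_backup cmd=vssadmin list shadows
"""

# Each rule: a name, the ATT&CK technique it maps to, and a case-insensitive pattern.
RULES = [
    ("shadow-copy deletion (vssadmin)", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow-copy deletion (wmic)", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Windows recovery disabled (bcdedit)", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> list:
    """Run every rule over the command line of each event and collect the hits."""
    hits = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        for name, technique, pattern in RULES:
            if pattern.search(event["cmd"]):
                hits.append({"ts": event["ts"], "host": event["host"], "user": event["user"],
                             "rule": name, "technique": technique, "cmd": event["cmd"]})
    return hits


def burst_hosts(hits: list, min_hits: int = 2) -> list:
    """Hosts with at least min_hits recovery-inhibiting commands.

    A single hit can be a legitimate backup job managing its own shadow copies; several
    different recovery-inhibiting commands on one host in quick succession is a much
    stronger signal of wiper or ransomware staging.
    """
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return sorted(host for host, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['user']} [{h['technique']}] {h['rule']}: {h['cmd']}")
    print("hosts to escalate:", burst_hosts(found))
```

Note that the backup server's `vssadmin list shadows` is not flagged: the rules key on the destructive verbs, and in production the per-host aggregation would additionally be tuned with an allowlist of known backup service accounts.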
Recent Significant Wiper Malware Examples
WhisperGate
WhisperGate is a wiper-like worm that targeted several sectors in Ukraine, including government, non-profit, and IT organizations.
HermeticWiper
HermeticWiper is data-wiping malware that has impacted machines and networks in Ukraine. One of its most damaging capabilities is overwriting fragments of the disk so that recovery becomes impossible.
IsaacWiper
IsaacWiper overwrites all physical data and logical volumes found on a victim’s machine. It was used against a Ukrainian government network after Russia invaded Ukraine.
CaddyWiper
CaddyWiper is the fourth wiper found attacking Ukrainian targets. It avoids destroying data on domain controllers, which suggests that the attackers wish to retain their access inside the victim organizations.
AcidRain
The AcidRain wiper targets routers and modems; it was deployed against the KA-SAT satellite broadband service to cripple SATCOM modems.
Victims of wiper malware suffer not only data and financial loss but also damage to their business reputation. Organizations can adopt several best practices to mitigate the impact. Frequent backups, with a well-defined and tested recovery procedure, are needed to respond to and recover from an attack. Logical network segmentation limits the impact of an infection and how far it can spread. The organization should be prepared to act as soon as a wiper begins attacking the network, and how the incident will be communicated should be decided before an attack occurs. Endpoint detection and response (EDR) should also be considered, to stop such attacks before they cause any damage.
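A recovery procedure is only "tested" if a restore can be proven intact, and the partial-overwrite and keyless-encryption techniques described earlier leave file sizes and often timestamps unchanged, so only a content digest reveals the damage. The following is an added example, not code from the original article: a Python script that records a SHA-256 manifest of a backup set and verifies a restored tree against it, reporting files that are intact, modified or missing. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so large files do not need to fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest and size at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_restore(manifest: dict, root: Path) -> dict:
    """Compare a restored tree against the manifest; returns lists of ok, modified and missing paths."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: record a manifest, then damage the tree in place and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_bytes(b"id,amount\n" + b"1,100\n" * 500)
        (root / "notes.txt").write_bytes(b"quarterly notes\n" * 64)
        manifest = build_manifest(root)

        # Simulated damage: one byte changed in the middle of ledger.csv. The size is unchanged,
        # so a size- or timestamp-only check would pass; the digest comparison does not.
        data = bytearray((root / "ledger.csv").read_bytes())
        data[len(data) // 2] ^= 0xFF
        (root / "ledger.csv").write_bytes(bytes(data))
        # Simulated deletion of the second file.
        (root / "notes.txt").unlink()

        return verify_restore(manifest, root)


if __name__ == "__main__":
    print(demo())
```

The manifest itself must live somewhere the wiper cannot reach, for instance on offline or immutable storage alongside the backup, since a wiper that hunts for backups on the host will happily overwrite a manifest stored next to the data it describes.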