Gangs that don’t want your money – just to erase all your data
As if ransomware groups extorting cryptocurrency from hapless businesses weren’t enough, a more vicious class of malware is being deployed in growing numbers: one that permanently destroys the victim’s data, with no payout that could bring it back.
Security vendor Fortinet has highlighted the growing use of wiper malware in the context of escalating cyber hostilities since Russia’s invasion of Ukraine.
“In parallel with the war, cybersecurity researchers have witnessed a sudden increase in the number of wiper malware deployments,” said Fortinet. “Although these haven't been officially attributed to Russian state-sponsored threat actors, their goals align with the Russian military's. It is widely theorized that these cyberattacks are intentionally being launched in concert with the invasion.”
Wiper malware is a malicious program whose purpose is to destroy the data on a computer rather than hold it to ransom: typically it overwrites files, or the on-disk structures needed to find them such as the master boot record and partition table, so that the machine no longer boots and the contents cannot be recovered. The earliest example cited by Fortinet is Shamoon, used in 2012 against the Saudi Aramco and RasGas energy companies in the Middle East. Fortinet attributes the attack to a group calling itself Cutting Sword of Justice; it took out some 30,000 computers.
Alarmingly, the number of recorded wiper attacks has risen sharply this year, which Fortinet reads as confirmation that wipers are being used in tandem with Russia’s invasion as part of a widening cyberwar. WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, DoubleZero, AcidRain, and CaddyWiper were all deployed against Ukrainian institutions in 2022, according to Fortinet.
“Seven different wiper malware attacks have been discovered targeting Ukrainian infrastructure or companies – all clearly in line with Russia's interest in the war,” said Fortinet. “Generally, wiper operations in this category attack targets whose destruction is in the interest of the opposing military.”
“The motivation behind such an attack might be to cripple critical infrastructure. This could be done to either cause chaos and increase mental stress on the enemy, or to cause destruction [of] a tactical target.”
Fortinet cited the most recent of these, the attack on the Viasat satellite broadband service, as an example both of Russia’s intentions in Ukraine and of how such an assault can spill over onto countries that were not the intended target.
“The attacker gained access to the management infrastructure of the provider to deploy AcidRain on modems used in Ukraine,” said Fortinet. “The attack also rendered 5,800 wind turbines inaccessible in Germany.”
Threats old and new
In light of the apparent rise in full-scale wiper attacks, Fortinet has doubled down on its recommendations that organizations keep comprehensive data backups and have a clear, tested plan for restoring from them in the event of a destructive attack. The practical caveat is that a backup only helps if the wiper, and the attacker driving it, cannot reach it: copies held offline, on immutable storage, or otherwise out of reach of an account already compromised on the network are the ones that will still be there afterwards.
It also warned organizations to remain alert to established wiper threats such as NotPetya, which began in 2017 as an attack aimed at Ukraine but quickly spread to other countries: although it presented itself as ransomware, it offered no working way to recover the data, and its worm component let it propagate across computer networks worldwide.
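The backup-and-restore advice above is only as good as the last time it was rehearsed. The following is an added example written for this page, not Fortinet’s code or any product’s: it records a hashed manifest of a small constructed data set, takes a read-only copy, simulates a wiper overwriting and deleting the live files, shows the manifest flagging every damaged file while the copy stays intact, and restores from the copy. It runs entirely inside a temporary directory it creates itself; the sample files, paths and function names are assumptions for illustration.

```python
"""Backup manifest and restore drill (added example; not Fortinet's code).

Models the mitigation described in the article: keep a copy of the data that
a wiper cannot reach, and rehearse restoring from it. Everything happens in a
scratch directory with constructed sample files, so it is safe to run.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(live: Path, backup_root: Path) -> Tuple[Path, Dict[str, str]]:
    """Copy the live tree to a backup location and record its manifest.

    The copy is made read-only so a stray write would fail at the OS level.
    A real deployment would hold it on a separate, offline or immutable
    store; the read-only bit alone does not stop an attacker with admin rights.
    """
    dest = backup_root / "snapshot"
    shutil.copytree(live, dest)
    manifest = build_manifest(dest)
    for p in dest.rglob("*"):
        if p.is_file():
            p.chmod(0o444)
    return dest, manifest


def verify(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return the relative paths that are missing or whose digest changed."""
    current = build_manifest(root)
    return sorted(rel for rel, digest in manifest.items()
                  if current.get(rel) != digest)


def simulate_wipe(root: Path) -> None:
    """Stand-in for a wiper's effect on the live tree only: overwrite some
    files with zeros and delete the rest. Never point this at real data."""
    files = [p for p in sorted(root.rglob("*")) if p.is_file()]
    for i, p in enumerate(files):
        if i % 2 == 0:
            p.write_bytes(b"\x00" * p.stat().st_size)
        else:
            p.unlink()


def restore(backup: Path, live: Path) -> None:
    """Replace the live tree with the backup copy and make it writable again."""
    shutil.rmtree(live)
    shutil.copytree(backup, live)
    for p in live.rglob("*"):
        if p.is_file():
            p.chmod(0o644)


def restore_drill() -> dict:
    """Run the whole drill in a scratch directory and report each check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        # Constructed sample data standing in for business records.
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "finance" / "payroll.csv").write_text("name,net\nalice,3000\n")
        (live / "notes.txt").write_text("quarterly review\n")

        backup, manifest = take_backup(live, tmp / "offline")
        before = verify(live, manifest)       # nothing damaged yet

        simulate_wipe(live)
        damaged = verify(live, manifest)      # every live file is now flagged
        backup_ok = verify(backup, manifest)  # the copy is untouched

        restore(backup, live)
        after = verify(live, manifest)        # live tree matches again
        return {"before": before, "damaged": damaged,
                "backup_ok": backup_ok, "after": after,
                "files": sorted(manifest)}


if __name__ == "__main__":
    print(restore_drill())
```

The manifest is the part that earns its keep: without a recorded digest per file, an organization cannot tell a silently corrupted backup from a good one until the restore has already failed, and a wiper that zero-fills files leaves sizes and timestamps looking plausible.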
“There is still a lot of NotPetya detection, which can be explained by the fact that it is a ‘worm’ – so as long as there are vulnerable machines out there, it will keep self-propagating,” said Fortinet.
Together with the new wipers detected in recent weeks, this adds up to a formidable threat to organizations across the world. As Fortinet put it: “the war-specific new wipers appeared in March and increased the numbers significantly.”
Commenting on the report’s findings, Aamir Lakhani of Fortinet’s research department FortiGuard Labs warned that the financial and healthcare sectors would be high on the list of targets along with government institutions – and suggested that other industries could also become a prime focus for wiper attacks further down the line.
“The loss of data could translate into an immediate macro effect on these businesses,” he said. “Wipers are still a relatively new technique, and as attackers determine their success by using them there could be a change in behavior on how they are used by threat actors.”