What are wiper attacks, and should you be worried?

Romeion Case
3 min read · Mar 9, 2022

If you have been paying close attention to the war in Ukraine, you may have heard of instances where attackers have targeted computer systems in the country and deleted all the information. They accomplished this by using a relatively simple and familiar type of malware known as a ‘Wiper.’

What is a Wiper?

Wipers are a type of malware that has been around for many years and does exactly what the name suggests: wipes data from a system. Attackers who use this type of malware are usually not seeking financial gain, as is the case with ransomware, but are usually out to make a political statement, or simply to cause damage to a system or to a reputation.

On February 23rd, the intelligence community began observing a new malware sample circulating in Ukrainian organizations called ‘HermeticWiper’, named after the digital certificate that was used to sign the sample. The digital certificate was issued under the company name ‘Hermetica Digital Ltd’, and shows valid as of April 2021.

This wiper was shown to bypass Windows security features and gain write access to many low-level data-structures on the disk. The attackers also fragmented files on the disk and overwrote them to make recovery impossible.

Around the same time, a second piece of malware, IsaacWiper, was observed, again deployed in Ukraine, this time with comparatively less success than its predecessor, but still posing a significant risk. Little has been said about IsaacWiper other than that it uses the known Isaac algorithm to encrypt data.

Am I at risk?

So now that you have an idea of what wipers are and how they are currently being used in the wild, the next logical question is: will I be affected? The reality is, there is no definitive answer. While it is unlikely at this moment that you will be targeted by the attackers currently using HermeticWiper and IsaacWiper, the threat of wipers in general is ever present.

According to ESET, a Slovak internet security company and one of the firms that detected and first reported on the malware, “At this point, we have no indication that other countries were targeted. However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”

So unless you work in a Government Agency or some multinational organization that is somehow involved in the conflict, you have little to worry about from the current threat actors who are using the malware, ostensibly to make a political point.

That said, there is always the risk of some script kiddie using other types of wiper malware and deleting your data, or, as in the use case mentioned above, a threat actor executing a wiper on your system after it has been compromised, to conceal their identity or activity.

What can I do to protect myself?

From what we know from previous wiper attacks, purely defensive measures will not work to prevent the attack from occurring. However, there are some steps that you can take to minimize the likelihood of you being caught unaware by this malware. Some solid recommendations include:

  1. Regular backups of important data, preferably at an offsite location.
  2. Implement response, recovery and business continuity plans which are tested rigorously, and continuously enhanced to match the changing security landscape.
  3. Employ user and network segmentation techniques to limit your attack surface. This would include adopting the principle of ‘least privilege’ where a user has only those permissions they need to complete their tasks.
  4. Stay up-to-date with the current threats and IOCs (Indicators of Compromise) and take action early to contain and mitigate risks. (In some cases, Wipers are designed to run quietly in the background and their effects are not noticeable until wholesale damage has been done).
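
As an added example of acting on a published indicator (step 4), and not code from the original article or from any vendor, the PowerShell script below sweeps a drive for executables whose Authenticode signer names the company mentioned earlier. The function name `Find-SignedBySubject` and the default scan root are assumptions; a subject-name match is only a lead, so confirm any hit against the certificate thumbprint and file hashes published in a vendor advisory.

```powershell
# Added example: hunt for binaries signed by a named Authenticode signer.
# Find-SignedBySubject is a hypothetical helper name; the signer string is the
# company name given in the article.
function Find-SignedBySubject {
    [CmdletBinding()]
    param(
        [string]$Root = "$env:SystemDrive\",              # assumed scan root; narrow it to speed things up
        [string]$SignerPattern = 'Hermetica Digital Ltd'
    )

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $cert = $sig.SignerCertificate
            # Report on a subject match regardless of $sig.Status: an expired or
            # revoked signature still tells you who signed the file.
            if ($cert -and $cert.Subject -like "*$SignerPattern*") {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Run the sweep and summarise; unreadable paths are skipped silently.
$hits = @(Find-SignedBySubject)
if ($hits.Count -gt 0) {
    $hits | Format-List
    Write-Warning "$($hits.Count) file(s) match; isolate the host and compare against advisory IOCs."
} else {
    Write-Output 'No files signed by the named subject were found.'
}
```

Run it from an elevated prompt so protected directories are readable; an empty result only means nothing on disk carries that signer, not that the host is clean.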

Romeion Case

I am a cybersecurity professional, seeking to use my knowledge and experience to help make the world a much safer place.