Wiper malware: destroying not blackmailing

22. September, 2022

A new relevant threat has appeared in the threat landscape: In addition to IoT-Botnets the use of wiper malware has increased significantly in 2022. [1]

What is Wiper malware and how can you recognise it?

At first glance, Wiper malware shows similarities with ransomware. However, the purpose is different. Wiper attacks do not aim at ransom, but solely at destroying data and IT systems as permanently as possible. Inexplicable data losses are therefore a possible indication of wiper malware in the system.

Wiper malware overwrites, deletes or encrypts relevant system components, data or files for system recovery in order to render devices or the entire company IT inoperable and data unusable. Some variants do not simply delete the data, but deliberately provide false information, e.g. to make backups useless in the long term or to damage physical systems. Only in the course of restoration does it become apparent that the backups are worthless.

Who uses wiper malware?

Wiper malware can be used by professional cybercriminals to cover their tracks after extracting information from a network. No less realistic are targeted attacks to achieve a full breakdown of IT systems. The consequences range from data loss and the destruction of physical components to the endangering of human lives.

Even the first virus variants in circulation often had the side effect of rendering systems unusable after some time. In most cases, the effect was limited to the locally infected computer. Today, due to the networking of computers and systems and targeted functions of the malware, the effects are more far-reaching. In 2017, NotPetya exploited a recent vulnerability in Microsoft, quickly spreading beyond its original targets in Ukraine to the rest of the world. It crippled some of the largest companies and caused an estimated $10 billion in total damage, making it the most financially damaging cyberattack to date.

NotPetya and other successful Wiper variants

NotPetya, one of the most prominent examples of wiper malware, deliberately disguised itself as ransomware only to gain more time to delete data through the diversionary tactic. Shamoon and ZeroCleare made a name for themselves in the industry a few years ago by destroying hard drives or hard drive partitions and master boot records. [2]

NotPetya also owed its lasting effect to the targeted compromise of Microsoft’s directory service, Active Directory. Such distributed systems are often mistakenly considered “redundant” because the function is provided by several servers. However, data that is rendered unusable is immediately replicated. If the service is massively compromised, weaknesses in the necessary backup and recovery strategy become apparent. It is important not only to recognise the failure of a system, but also at what point data has been intentionally manipulated in order to then enable a recovery. [3]

What protective measures work against Wiper malware?

Aggressive malware can attack not only software and data, but also hardware in the form of BIOS and firmware vulnerabilities and render them unusable in the long term. [4] Therefore, consider both levels in a disaster recovery plan to allow at least initial emergency operation. In the process, keep in mind which failures and data losses are still acceptable and what dependencies exist on these systems.

In addition to replacement hardware for the most important components, the rapid availability of cloud services for additional backups and recovery options can also be a useful addition. However, it must be ensured that these contingency plans work in the event of a failure and that important parameters in the environments have not changed in the meantime.

Checklist for basic prevention measures:

  • Create multi-level and geographically separated online and offline backups that are regularly checked for correct recoverability. Using different operators can maximise resilience.
  • Identify the most important components and functions in your IT environment and segment networks.
  • Use anti-virus solutions, EDR and email security to secure gateways and detect malware on the network.
  • Train employees regularly and increase cyber security awareness by providing information on current threats and risks.
  • Review system logs and networks to identify anomalies and correlate events.
  • Use cyber threat intelligence to assess, rank and respond to security incidents and anomalies.
  • Create an incident response plan to respond effectively in the event of security incidents.

Learnings for prevention and response to wiper attacks

Wiper malware is particularly destructive. Unlike ransomware, there is no possibility of recovery after data encryption. Wiper malware can cause lasting damage to organisations by compromising systems and destroying valuable data and equipment. Controlled multi-level data protection with off-site storage, along with a plan to restore systems, is the only way to defend against such attacks. Network monitoring can help detect attacks early, effective incident response management can help stop them quickly and prevent major data loss.

In all measures, pay attention to regular practice and verification in order to detect possible problems in the defence and recovery concept in good time.

This might also interest you:

How to protect from the BlackCat Ransomware
Data recovery after Ransomware DeadBolt


[1] https://www.nozominetworks.com/press-release/nozomi-networks-labs-report-wipers-and-iot-botnets-dominate-the-threat-landscape-manufacturing-and-energy-at-highest-risk/
[2] https://www.packetlabs.net/posts/how-does-wiper-malware-work/
[3] https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/
[4] https://news.cnrs.fr/articles/when-cyber-attacks-target-hardware

Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500


Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download