Wanton Wiper Malware and the Weaponization of Legitimate Tools

A bigger threat than ransomware is the re-emergence of malware that destroys sensitive data, says Lotem Finkelstein.

Ransomware has long been viewed as the most potent form of cyberattack, extorting victims to pay millions of dollars in financial demands and harassing organisations or individuals until they pay. In fact, the most expensive cyberattack in history was a ransomware attack: NotPetya cost businesses across the globe an estimated USD 10 billion, and shipping giant Maersk alone said at the time of the 2017 attack that it cost the company up to USD 300 million.

However, if you think ransomware is the biggest threat to your organisation in 2023, it may be time to think again. Yes, ransomware can have catastrophic implications, but there is at least one silver lining to the situation: encrypted files can be retrieved once a compromise has been found.

The same cannot be said for a form of malware that has gained in popularity over the last 12 months – wiper malware. This attack method has one sole objective: to cause maximum disruption and damage. This is a worrying trend considering the rise in state-sponsored cyberattacks and the weaponisation of legitimate tools for malicious purposes.

Does this mean we are likely to see a shift in tactics from bad actors where ransomware is replaced by wiper malware and, as geopolitical tensions increase, could groups turn to these extreme measures to achieve their desired goals?

What is wiper malware and why is it so dangerous?

What looks like an innocent software update could be a wiper malware payload that destroys vast amounts of sensitive data, bringing an entire government and its infrastructure to its knees. Once viewed as an outdated and old attack method, it has made a comeback in 2022.

Its main goal is to erase all user data on the targeted device or network in a way that cannot be recovered. Wipers are commonly used to destroy the computer networks of organisations or governments, to cover up any trace of a breach, and to weaken the victim’s ability to respond to the attack.

It is perhaps no coincidence that the rise of wiper malware coincided with Russia’s invasion of Ukraine. There is evidence that it was used to target Ukraine’s satellite communication modems.

While wiper destruction isn’t a new phenomenon, these latest developments show the growth in sophistication of the coding behind it. Further evidence of the evolution was revealed in a report published by Check Point Research in December 2022. The report focused on a previously unknown data wiper, Azov, which experts at Check Point described as “effective, quick and ultimately unrecoverable.”

Unlike its predecessors, Azov is capable of wiping files in blocks of 666 bytes and overwriting them with random data. Moreover, it leaves an identical block of data in its place. As a result, by the end of November 2022, more than 17,000 backdoored executables had been reported, demonstrating the widespread adoption of Azov into the threat landscape.
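The block-wise overwrite described above gives incident responders something concrete to look for during triage: a file damaged this way shows high-entropy (random) 666-byte blocks alternating with untouched blocks, whereas an intact document, or a wholly encrypted or compressed one, does not alternate. The following script is an added example, not code from the article or from Check Point; it assumes the alternating overwritten/intact 666-byte pattern as a reading of the description above, and the entropy thresholds (7.0 bits for "random", 6.0 bits for "intact") and the sample data it builds are constructed for illustration.

```python
"""Flag files whose 666-byte blocks alternate between random and intact data.

Added example for triage after a suspected block-wise wiper; the 666-byte
block size comes from the article, the alternating pattern and thresholds
are assumptions made here, and all sample data is constructed inline.
"""
import math
import random
import sys
from collections import Counter
from pathlib import Path

BLOCK = 666          # block size described for Azov in the article
HIGH_ENTROPY = 7.0   # assumed: >= this many bits/byte looks like random data
LOW_ENTROPY = 6.0    # assumed: <= this many bits/byte looks like ordinary content
MIN_BLOCKS = 4       # need a few full blocks before claiming a pattern


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each full `block`-sized chunk; a trailing partial block is dropped."""
    full = len(data) - (len(data) % block)
    return [shannon_entropy(data[i:i + block]) for i in range(0, full, block)]


def looks_alternately_wiped(data: bytes, block: int = BLOCK) -> bool:
    """True if blocks alternate random/intact, starting with either kind.

    A file that is uniformly high-entropy (encrypted, compressed) or uniformly
    low-entropy (a normal document) does not match, which keeps false positives
    on archives and media files down.
    """
    ents = block_entropies(data, block)
    if len(ents) < MIN_BLOCKS:
        return False

    def fits(first_is_random: bool) -> bool:
        for i, e in enumerate(ents):
            expect_random = (i % 2 == 0) == first_is_random
            if expect_random and e < HIGH_ENTROPY:
                return False
            if not expect_random and e > LOW_ENTROPY:
                return False
        return True

    return fits(True) or fits(False)


def make_sample(wiped: bool, blocks: int = 8, seed: int = 1234) -> bytes:
    """Constructed test data: a text file, optionally with every other block randomised."""
    rng = random.Random(seed)
    text_block = (b"log line: service started ok\n" * 40)[:BLOCK]
    out = bytearray()
    for i in range(blocks):
        if wiped and i % 2 == 0:
            out += rng.randbytes(BLOCK)   # stands in for an overwritten block
        else:
            out += text_block
    return bytes(out)


def scan_tree(root: Path) -> list[Path]:
    """Return the regular files under `root` that show the alternating pattern."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            try:
                if looks_alternately_wiped(path.read_bytes()):
                    hits.append(path)
            except OSError:
                continue   # unreadable file: skip, a real tool would log this
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in scan_tree(Path(sys.argv[1])):
            print(f"suspect: {hit}")
    else:
        # No directory given: demonstrate on the constructed samples.
        print("constructed wiped sample :", looks_alternately_wiped(make_sample(True)))
        print("constructed intact sample:", looks_alternately_wiped(make_sample(False)))
```

Run it with a directory as the only argument to list files matching the pattern, or with no argument to see the verdict on the two constructed samples. Entropy-per-block is a coarse heuristic: it confirms the damage pattern on files that were plaintext to begin with, but a wiped file that was already encrypted or compressed will read as uniformly random, so the result complements, rather than replaces, comparing against known-good backups.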

The weaponisation of legitimate tools and the threat of wiper malware

As cybercriminals continue to develop attack methods, there has been a noticeable increase in the use of legitimate tools for malicious purposes. Today’s cybersecurity solutions have become far more sophisticated, which makes it harder for traditional malware to be installed locally or remotely. So, cybercriminals have turned to mainstream tools as their playground.

Defending against an enemy in disguise is far more difficult than defending against known threats. Part of the appeal of legitimate tools is that they can evade detection through the implementation of malicious techniques and altering code, which means anti-malware solutions are not triggered during an attack.

For example, in December 2020, software provider SolarWinds was the victim of a ransomware attack in which hackers weaponised legitimate tools. More than 18,000 workers from companies and government departments fell victim to what they thought was a genuine software update. Bad actors injected a tiny piece of code into the SolarWinds ecosystem and fooled users into downloading what they believed was a straightforward software update. The hack, which researchers nicknamed Sunburst, was described as potentially the biggest security threat to Western governments since the Cold War.

Given the scale of the damage caused by the attack, imagine a scenario in which the SolarWinds attackers had used wiper malware rather than ransomware: the outcome would have been catastrophic. This raises the question of whether the attack will act as a blueprint for future activity, especially as cybercriminals move away from using ransomware for financial gain and towards political and social motives.

Will wiper malware continue to be prevalent in 2023?

The re-emergence of wiper malware and the weaponisation of legitimate tools present security teams with a new set of challenges when it comes to detection, protection, attribution, and further mapping of the cyber landscape. But how do you prepare for an enemy you cannot see, and one intent on causing maximum destruction? The best advice I can give is to implement security measures that stop an attack before it has a chance to cause disruption or destruction. In this case, prevention is much more effective than finding a cure once the disease has set in.

Lotem Finkelstein is Director of Threat Intelligence at Check Point Software Technologies.
