What (re)insurers need to know about destructive wiperware

What (re)insurers need to know about destructive wiperware

Cyber (re)insurers need to understand the different kinds of malware out there that could affect their business. Malware is malicious software that threat actors use to compromise their targets. Today, there are myriad types of malware to worry about, ranging from data encrypting ransomware to credential stealing malware, and more. However, one of the most worrying types of malware is known as wiper malware, or wiperware. This type of destructive malware is dangerous, increasingly used in cyber attacks, and linked to the worst cyber catastrophe ever.

In this article, we provide an overview of wiperware — what it is, how it works, the motivations behind its use, and implications for (re)insurers. We also explore a brief history of wiperware, the consequences of using wiperware, and what to expect next from this evolving threat.

Wiperware’s impact on cyber (re)insurance

Wiperware is increasingly used in cyber attacks. In fact, we have seen more wiperware in Ukraine (emanating from Russia) in the last year than the previous ten years combined. In tandem, (re)insurers are paying closer attention to these attacks, and in particular they are weighing the implications of wiperware on modeling catastrophic aggregation risk.

(Re)insurers remember the worst cyber attack ever recorded, known as NotPetya (2017). This cyber attack involved the use of self-propagating wiperware and caused up to $10B in damages globally. (Re)insurers ought to take note that the increased frequency of wiperware attacks normalizes the use of this weapon. Threat actors are also learning from their mistakes and coding increasingly more effective wiperware with each deployment. Leading (re)insurers are utilizing best-in-class cyber risk aggregation tools to model the potential impact of a large-scale wiperware attack on a portfolio of business. The best models will take into account the use of wiperware that targets specific operating systems globally and accounts for cost components.

How wiper malware erases data

A wiper is a type of malware with the sole purpose to erase data from the machines that it infects. There are several ways it wipes out the data. The most simple approach is to overwrite the existing data with something else, such as a sequence of repeating bytes, random data, or something that relates to the motive behind the attack like text or image.

Encrypting and overwriting files

Another approach is encrypting the files the same way ransomware would but destroying the encryption key, making it nearly impossible to decrypt. The wiper can also overwrite the Master Boot Record of the disk. This record tells the computer how to boot the operating system, so if this record is overwritten, the computer won’t start. Similarly, the malware can overwrite the Master File Table, which is responsible for storing information about files and where they are located. In both these cases, most of the data and files remain intact on the disk — it just becomes hard to locate and use these files.

Creating a custom driver

Lastly, while previous techniques would require an attacker to create a custom driver, i.e. low-level software that is responsible for interacting with hardware components to be able to overwrite data on the disk, another common approach to erasing data is employing third-party tools to overwrite the data.

Most commonly, the Windows drivers of off-the-shelf products are used to bypass the protection mechanisms of Windows and manipulate the disks directly. The two most widely-used examples of third-party tools are EldoS RawDisk and EaseUS Partition Master. However, in most sufficiently complex wipers, a combination of the above-mentioned techniques is used to make data recovery harder.

The motives behind using wiper malware

In contrast to ransomware, which encrypts files for financial gain, or spyware, which steals sensitive data to facilitate espionage, the main purpose of wiper malware is plain destruction. It maliciously deletes all the files and programs on the hard drive and moves on to the next system. However, the motives behind deploying the wiper can be fourfold:

1. Short-term financial gain – The wiper disguises itself as ransomware and encrypts all the files with a promise of providing the decryption key upon paying the ransom. In reality, the decryption key is never sent and data is left encrypted and irrecoverable. This is also referred to as “fake ransomware”.
2. Evidence destruction – The wiper malware can be employed as a means of destroying the evidence of a larger cyber attack, such as cyber espionage. Once the main goal has been achieved, the attacker deploys the wiper that erases all the data including the evidence left by the attacker and causes chaos such that the victim focuses on data recovery instead of investigating the intrusion.
3. Sabotage - The wiper can be used to destroy proprietary data, sabotage development, cause financial loss, or just cause disorder.
4. Cyber warfare - Wiper malware can be used as a means of destruction in a cyberwar. In this case, the wiper’s targets are usually related to the critical infrastructure of the opposing country and its goal is to cripple that infrastructure, thus weakening the opponent.

Whatever the motive, the wipers are highly devastating and in the cyber incident response industry, the cyber attacks that employ wiper malware are considered to be one of the most damaging and costly.

The history of data wipers

In order to understand the implications behind deploying wiper malware, it is important to get an overview of past cyber attacks which involved this type of destructive malware.

The first wiper malware is believed to be the Shamoon malware, which was used in a cyber attack against Saudi Arabia's Saudi Aramco and Qatar's RasGas oil companies in 2012. A group named "Cutting Sword of Justice" claimed responsibility for an attack at that time and it was later described as the "biggest hack in history". The Shamoon malware and its upgraded version later reemerged in several other large cyber attacks in 2016, 2017, and 2018 involving other cyber threat actors.

The year of 2012 and the destruction caused by Shamoon signified the start of the wiper malware era. After that, wipers were employed all over the world to sow chaos. Here are some of the most notable ones:
Data wiper timeline image

Let’s dive deeper into NotPetya, a wiper malware that targeted Ukrainian organizations in 2017 — it’s a great example of the implications and consequences that wipers can bring.

NotPetya: a case study

Most of the wipers have an autonomous self-propagation functionality, and NotPetya was, to say the least, no exception. The NotPetya malware was deployed in Ukraine by Russian threat actors as a part of the Russian cyberwar against Ukraine. However, within hours it spread beyond Ukraine and caused worldwide panic. It brought down such behemoths as Merck, Mondelez International, FedEx’s European subsidiary TNT Express and many more, causing overall estimated damage of around $10 billion.

A large Ukrainian bank’s network was taken down in 45 seconds and whole data centers were lost in a matter of minutes — this propagation rate was unprecedented and horrifying. By the time a company noticed it was under attack by NotPetya, it was already too late.

All in all, we can see how easy wipers can spiral out of control and cause tremendous global damage. NotPetya was merely a tool in a cyberwar, however, within hours the havoc and destruction it caused already resonated across the globe leading to unparalleled collateral damage. These kinds of incidents also have huge implications in the cyber insurance industry.

What do we see today?

Today, with the ongoing turmoil we have seen different wiper malware being used in Ukraine since the invasion in February 2022. Nine distinct data wipers were identified: WhisperGate, HermeticWiper, IsaacWiper, DesertBlade, AcidRain, CaddyWiper, DoubleZero, AwfulShred, and SoloShred.

Six of these wipers are targeting Windows machines while the other three are targeting Linux machines (including satellite communication modems), also causing collateral damage. For example, AcidRain was used as a part of the attack against satellite provider Viasat at the start of the invasion. The purpose of the cyber attack was most likely to disable the Ukrainian segment of the Internet, however, it also caused a spillover to other countries and organizations. It prevented communication with 5800 wind turbines operated by Enercon in Germany, rendering them useless, and also caused Internet disruptions in several major countries.

As we can see, the variety of different data wipers has vastly grown during the last few months. It is reasonable to expect that in the future we will encounter many more variants of wiper malware being used as a means in cyber warfare, hacktivism, and sabotage.

What should we expect next?

We should look for nation-state threat actors to continue to compromise targets for intelligence collection, as well as push up against the boundaries of acceptable behavior in cyberspace with the use of wiperware. We should keep a close eye on regional hotbeds of offensive cyber activity to get a sense of how cyber conflicts that involve wiperware can unfold. In particular, Russia vs. Ukraine et al. is under the spotlight.

We can monitor this hotbed of offensive cyber activity for indications that the boundaries of acceptable behavior have been pushed past historic precedent. (Re)insurers can look to this conflict for the type of cyber activity that is indicative of catastrophic risk. For example, the use of wiper malware and attacks on critical infrastructure are playing out in this conflict.

Additionally, cyber conflicts between Israel and Iran, as well as China and Taiwan, are worth watching closely to understand the implications of destructive attacks.

As (re)insurers look to these conflicts and the use of wiperware, they should also turn to world-class cyber risk aggregation modeling solutions to help estimate the potential impact of a large-scale wiperware event on books of business.

If you’d like to learn more about the cyber activity to come and how the right cyber risk analytics solution can identify potential risk aggregation, download our free report — Global Threat Briefing H2 2022.

Global Threat Briefing H2 2022