Shamoon, Black Energy, Destover, ExPetr/NotPetya and Olympic Destroyer: all of these wiper malware families, and others like them, have the single purpose of destroying systems and/or data, usually causing great financial and reputational damage to victim companies. However, the threat actors behind this kind of code, whether they're bent on sending a political message or simply want to cover their tracks after data exfiltration, have adopted a variety of techniques to carry out that destruction.
Cisco Talos researcher Vitor Ventura, with contributions from Martin Lee, noted in a report published on Tuesday that malware with destructive payloads has been around since the early days of virus development. However, the delivery methods and the level of destruction of wiper malware have evolved. Damage can range from the overwriting of specific files to the destruction of the entire file system, and both the amount of data affected and the difficulty of recovery are direct consequences of the technique used. In any case, it is usually well-crafted code at the root of the bomb.
A Look Inside the Wiper Anatomy
To understand the varying techniques that attackers use, a typical wiper can be broken down according to three targets: files (data), the boot section of the machine's operating system, and backups of the system and its data. Most wipers target all three.
The activity that takes the longest to perform is the actual file destruction. To be more efficient, wipers rarely overwrite the entire hard disk.
“There are wipers that will create a list of targeted files, and others will list all files in specific folders,” explained Ventura. “Some of them will only rewrite a certain amount of bytes at the beginning of each file [and] they will overwrite the file completely if the files are smaller than that amount. This is just enough to destroy the headers of the files, which renders them useless.”
Other wipers write a fixed number of bytes in a repeating pattern across the disk. For instance, the malware could write 100 kilobytes of data every five megabytes, sequentially through the hard disk.
“This means that the wiper will destroy files at random without any predictable pattern,” the researcher said. “Both methods may be followed by the destruction of the master file table, which is where the Windows file system (NTFS for recent versions) keeps records of the file locations and associated metadata.”
This last step makes advanced recovery tools practically useless, because the metadata needed to locate and reassemble the files is gone.
Boot-sector and backup destruction, meanwhile, are quick. The boot sector can be attacked in two ways, depending on the purpose, according to Ventura.
“It can simply erase the first 10 sectors of the physical disks (master boot record location), or the malware [like Shamoon] can rewrite these first 10 sectors with a new boot loader that will perform additional damage,” he explained. “Either way, the original operating system becomes unbootable. Usually, along with master boot record destruction, the wipers will also use operating system command-line utilities to destroy the recovery console.”
Backup destruction is commonly done by simply deleting any shadow copies of the data.
“This can be done easily by the execution of some legitimate operating system command-line tools,” Ventura said.
Under the Radar
When it comes to evading detection (until it’s too late), a wiper may use several different techniques.
For instance, a custom bootloader could perform the destruction upon reboot, thus bypassing the operating system protections. However, in the Shamoon attacks, the authors used a trial version of a legitimate driver to get access to the file system, bypassing the operating system API altogether, along with any protections enforced by the operating system. That also allows for the destruction of files while the system is still running.
“Obviously, these techniques require the adequate privilege level and/or operating system,” Ventura said. “That is why some wipers will fall back from one technique to the other depending on the conditions of the victim’s system.”
Yet another tactic, as seen with Olympic Destroyer, is disabling all services on the operating system.
“This alone does not destroy data, but it makes the recovery of the system almost impossible without reinstallation, which creates a service unavailability,” Ventura explained.
In the case of NotPetya, which Ventura called "probably the most devastating cybersecurity incident to be publicly known," the attackers compromised a supply-chain vendor, M.E.Doc, and used its software as a way to execute their own code on their victims' systems. The malware also adjusted its destruction mechanisms to the anti-virus software present on the system.
“The attackers had access to their victims’ systems for several months, and their last action was the release of a highly destructive payload with very effective spreading mechanisms,” the researchers said.
Olympic Destroyer went the way of the worm, performing self-replication and lateral movement inside networks.
"The malware will harvest credentials from the system, which are then used to perform remote copy and execution of the wiper, hopping from system to system," Ventura said, adding that gaining remote execution usually involves the use of legitimate administration mechanisms such as the PsExec tool and the Windows Management Instrumentation command-line utility (WMIC).
Similarly, NotPetya's spreading mechanism was designed to harvest passwords and abuse legitimate Windows protocols.
“By using legitimate tools and credentials, it was able to mimic business-as-usual behavior and traffic patterns, making detection harder for the defenders,” Ventura noted.
Some of these worms also carry exploit code for remote-code-execution vulnerabilities, used when all other means of propagation fail. Black Energy, for example, was suspected of exploiting a patched vulnerability in the Siemens SIMATIC WinCC software.
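The two detection opportunities described above, backup and recovery-console destruction through built-in command-line tools and lateral movement through legitimate administration tools, can be checked against process-creation telemetry. The script below is an added example, not code from the Talos report; the event records are constructed, the field names are assumed, and the regular expressions cover only the well-known forms of those commands.

```python
import re

# Constructed process-creation events, loosely modelled on an EDR / Sysmon event 1 feed.
# Field names (host, parent, image, cmdline) are an assumption, not a real product schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws01", "parent": "svc.exe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "svc.exe", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "ws01", "parent": "svc.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe /node:ws02 /user:corp\\admin process call create \"C:\\tmp\\upd.exe\""},
    {"host": "ws02", "parent": "services.exe", "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
]

# Each rule is (tag, regex over the lower-cased command line). The first two cover the
# "backup destruction" and "recovery console" steps; the last two cover remote execution
# via WMIC and PsExec, the mechanisms the article names for hopping between systems.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no")),
    ("remote_exec_wmic", re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create")),
    ("remote_exec_psexec", re.compile(r"psexec|psexesvc")),
]


def classify(event):
    """Return the list of rule tags matched by one event's command line."""
    cmd = event["cmdline"].lower()
    return [tag for tag, rx in RULES if rx.search(cmd)]


def scan(events):
    """Run every rule over every event; yields (host, tag, cmdline) findings."""
    return [(ev["host"], tag, ev["cmdline"]) for ev in events for tag in classify(ev)]


def escalate(findings):
    """Admins do legitimately prune shadow copies, so a single hit is noisy. Hosts that
    show two or more distinct wiper-like behaviours are returned for investigation."""
    by_host = {}
    for host, tag, _ in findings:
        by_host.setdefault(host, set()).add(tag)
    return sorted(host for host, tags in by_host.items() if len(tags) >= 2)


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print("escalate:", escalate(scan(SAMPLE_EVENTS)))
```

On the constructed sample, ws01 shows shadow-copy deletion, recovery disabling and an outbound WMIC remote execution and is escalated, while ws02 shows only a PsExec service start and is not.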
Sabotage and Terrorism
Unlike malware that holds data for ransom, a wiper is often deployed with no direct financial motivation. For businesses it can be catastrophic, given that there is no expectation of data recovery.
Ventura postulated that the actors' goal is akin to that of a terrorist attack: to sabotage and to sow fear, uncertainty and doubt.
“In the past, wiper attacks have been used by malicious actors with a dual purpose: Generate social destabilization while sending a public message, while also destroying all traces of their activities,” he wrote.
Wipers are also used after nation-state sponsored cyber-espionage activity, to make attribution and damage assessment difficult or impossible. In the case of Destover, the destructive payload was triggered only after the actors, possibly affiliated with the North Korea-linked Lazarus Group, had picked the networks of Sony Pictures clean of information.
While wiper malware can be business-killing, there are steps that companies can take to defend themselves. The way to thwart these attacks often falls back to the basics.
“By having certain protections in place — a tested cybersecurity incident response plan, a risk-based patch management program, a tested and cybersecurity-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kind of attacks,” said Ventura.