background image


How Does Wiper Malware Work?


Malware is software created with malicious intent to harm an enterprise or individual. Most recently, Russia used wiper malware to wreak havoc on the Ukrainian government and banking websites. Unlike a ransomware attack, which seeks to gain monetary benefits by holding an organization’s data to ransom, wiper malware aims at damaging and wiping out its target’s information assets.

What is wiper malware and how does it work?

The wiper is a class of malware that has the goal to wipe out or destroy data in order to prevent any recovery options from working. Wiper malware works by targeting and infecting important system files that are required for the proper functioning of the computer. It then overwrites these files with corrupt data or simply deletes them, rendering the system inoperable. In some cases, wiper malware can also encrypt data making it unrecoverable.

Wiper malware is not a new concept. In 2012, Shamoon – a wiper malware specifically designed to target the energy sector – was used in an attack against Saudi Aramco. The virus managed to infect over 30,000 workstations and servers in just two days, rendering them useless. All data stored on the machines’ hard drives was overwritten with an image of a burning US flag.

Here are some of the most damaging variants of Wiper malware:

  • Caddywiper

  • NotPetya

  • Skywiper

  • Meteor

  • Hermetic wiper

  • WhisperGate

Techniques used to deploy wiper malware

Cybercriminals use different techniques to deploy and detonate wiper malware. Some use emails and political posts, while others employ actionable links or messages. A deeper analysis of a wiper malware’s mode of operation reveals it targets three chief elements of its target:

  1. All the files or the data that a system has

  2. The boot sector of the OS & backup mechanisms

  3. Temporary files of the system associated with the data

This malware, however, does not overwrite the entire disk drive, as it is a time-intensive job. Instead, it targets specific files to either damage or encrypt. The encryption created by the wiper malware is keyless, meaning there is no decryption key for undoing the malware’s handiwork. 

Once the data deletion starts, the wiper explicitly targets the system recovery files to exterminate them permanently, thus denying users any opportunity to recover their data. As data loss is quantifiable, security professionals can easily detect the presence of a wiper in case there is any unaccounted data loss. 

Well-known examples

Over the past decade, it has affected various organizations and countries across the globe. Here are some of the most infamous attacks: 

  • NotPetya: This malware was unleashed in June 2017 and primarily targeted Ukraine. This malware cost USD10 billion in damages to multinational companies.This variant is unique in that it masquerades as ransomware. However, by holding a company’s data to ransom, it buys itself time to wipe out all data.

  • Shamoon: From 2012 to 2016, this wiper malware targeted Saudi Aramco and various other Middle East oil companies. It damaged more than thirty thousand hard drives through a direct drive accessing driver named RawDisk.

  • ZeroCleare: This wiper variant came into the picture in 2019 when it infamously attacked various energy factories and firms in the Middle East. It specifically overwrote MBR and disk partitions on Windows systems through EldoS RawDisk.

Preventing wiper malware attacks

The best defense against wiper malware is to have a comprehensive backup and disaster recovery plan in place. This will ensure that if your systems are wiped out, you can quickly restore them from backups. Additionally, you should also implement security measures such as endpoint detection and response (EDR) to detect and stop these attacks before they can do any damage.


If a system becomes the target of wiper attacks, it won't be a covert incident like spyware or other Trojans. The network and system monitoring team will see malicious changes in the system's behaviour and observe a massive deletion of files. Data backup to another location without internet connectivity or other explicit connection is the only way to tackle such attacks.

Contact the Packetlabs team to discuss solutions to help protect you from damaging wiper malware attacks.