Words: Al Woods
The cybersecurity threat landscape has grown dramatically, and organizations can fall prey to a wide variety of attacks. However, some types of attacks catch the public eye and gain much more attention than others.
Ransomware is a good example of this. The amount of damage that a ransomware infection can cause is significant, and a well-designed ransomware variant can create a feeling of helplessness within the victim and force the hard choice between paying the ransom and giving up all of the data that was lost during the attack.
However, ransomware is not the most destructive type of malware in existence. While not new, wiper malware is becoming a more commonly-used tool in nation-state attackers’ arsenals. The destructive power of a wiper malware infection surpasses that of ransomware and makes deploying the appropriate security controls and defenses even more important for all organizations.
A Brief Introduction to Ransomware
Ransomware has become the bogeyman of the cybersecurity world as increasing numbers of organizations have been targeted and exploited by ransomware attackers. Ransomware is such an effective threat to organizations and a lucrative tool for hackers due to its simplicity and direct monetization.
Ransomware works by infecting a user’s computer and then encrypting certain files on it. The most effective ransomware variants are careful to ensure that they do not make the system unstable since an unbootable system may be unrecoverable and the attackers are unlikely to be paid. This encryption process only requires built-in functionality of the operating system, making it easy to implement.
Ransomware is such an effective threat to organizations since many organizations have not implemented the appropriate measures to protect against it. If an organization has the defenses in place to detect and remove the ransomware before encryption occurs or has a backup solution capable of restoring lost files, then the ransomware has minimal impact. Lacking these, the company must either write off the lost files, pay the ransom, or hope for the release of a free decryptor.
Ransomware vs. Wiper Malware
Wiper malware is a related but more significant threat than ransomware. While both ransomware and wiper malware are designed to deny the victim access to their files, ransomware has the ability to give that access back if the victim pays the ransom.
Wiper malware, on the other hand, is designed to destroy the files on the computer permanently. This can be accomplished either by deleting them or by masquerading as ransomware and encrypting them.
NotPetya is an example of wiper malware masquerading as ransomware. The malware asked for a ransom and claimed that the authors would be able to restore the lost files if it was paid. However, analysis of the NotPetya source code demonstrated that the attackers never had the necessary decryption key. Like many ransomware variants, NotPetya displayed a value that purported to be the encrypted key that the attacker could decrypt on payment. In reality, that value was just a useless random number and could not be used to recover anything.
While many security professionals and other officials encourage ransomware victims not to pay the ransom since it encourages and enables attackers to perform future attacks, some victims do choose to pay. If an organization chooses to pay a ransom, they are much better off with a ransomware attack than a wiper one since there is at least a chance that they will get their data back.
The Growing Wiper Threat
While ransomware attacks have become less common, they are still the costliest type of malware in operation. Instead of attempting to collect a large number of small ransom payments, ransomware attackers have launched more targeted attacks, attempting to gain a large payoff through the exploitation of cities, governments, and other large institutions.
A recent report by Europol points to a potential rise in the number of wiper malware attacks in the near future. In general, wiper malware attacks like NotPetya and GermanWiper have been launched by nation-states and targeted at other nation-states. For example, NotPetya was intended to target Ukraine, but the attackers lost control and the malware spread globally. GermanWiper, likewise, was aimed at targets in Germany.
Wiper malware is primarily designed for sabotage, not for financial gain (though wiper malware masquerading as ransomware may result in ransom payments). A pivot toward the use of wiper malware in attacks can have significant impacts since the victims of this type of malware typically need to completely rebuild targeted systems and have no way of retrieving lost information unless they possess offline backups.
Protecting Against Ransomware and Wiper Malware
One advantage of the similarity between ransomware and wiper malware is that they share several of the same unusual characteristics. In order to do their jobs, both need the ability to access and modify large numbers of files on a computer in a very short window of time.
This sort of behavior is not normal for most applications on a computer, making it possible to detect and remediate a ransomware infection if it is caught early enough in the encryption process. Some file security solutions have the ability to monitor for suspicious access behavior like that demonstrated by ransomware and wiper malware and take automatic action. Deploying such a solution could mean the difference between a loss of valuable data and a non-event in the case where an organization is targeted by a ransomware or wiper malware attack.
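The detection idea described above, as an added example that is not code from the original article or from any particular product: a sliding-window counter that flags a process which writes, renames or deletes an unusually large number of files within a few seconds across more than one directory. The log format, process names, paths and thresholds are all constructed assumptions chosen for illustration; a real deployment would feed the detector from an EDR, Sysmon or file-system audit source and tune the thresholds to the environment.

```python
"""Burst detector for mass file modification (added example, constructed data).

A process whose destructive file operations (write/rename/delete) reach
THRESHOLD within WINDOW seconds across at least MIN_DIRS directories is flagged.
The directory check is a simple false-positive filter: a compiler writing many
object files into one build directory should not look like a wiper.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import posixpath

DESTRUCTIVE_OPS = {"write", "rename", "delete"}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    pid: int
    process: str
    op: str
    path: str


@dataclass(frozen=True)
class Alert:
    pid: int
    process: str
    first_ts: datetime   # start of the burst that tripped the threshold
    count: int           # destructive ops seen inside the window
    directories: int     # distinct directories touched inside the window


def parse_line(line: str) -> FileEvent:
    """Parse the constructed format 'ISO-timestamp pid process op path'."""
    ts, pid, process, op, path = line.split(" ", 4)
    return FileEvent(datetime.fromisoformat(ts), int(pid), process, op, path)


def detect_bursts(events, threshold=20, window=timedelta(seconds=10), min_dirs=2):
    """Return {(pid, process): Alert} for every process that trips the rule."""
    recent = defaultdict(deque)   # per-process events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in DESTRUCTIVE_OPS:
            continue                       # reads are ignored entirely
        key = (ev.pid, ev.process)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:    # drop events that aged out
            q.popleft()
        if key in alerts or len(q) < threshold:
            continue
        dirs = {posixpath.dirname(e.path) for e in q}
        if len(dirs) >= min_dirs:
            alerts[key] = Alert(ev.pid, ev.process, q[0].ts, len(q), len(dirs))
    return alerts


def build_sample_log():
    """Constructed sample: a word processor, a compiler, and a hypothetical wiper."""
    lines = [
        "2024-01-15T09:00:00 1201 winword.exe write C:/Users/alice/Documents/report.docx",
        "2024-01-15T09:00:05 1201 winword.exe write C:/Users/alice/Documents/~$report.docx",
        "2024-01-15T09:00:07 1201 winword.exe read C:/Users/alice/Documents/notes.docx",
    ]
    # Benign burst: 30 object files written into a single build directory in ~4.5 s.
    base = datetime(2024, 1, 15, 9, 1, 0)
    for i in range(30):
        ts = (base + timedelta(milliseconds=150 * i)).isoformat()
        lines.append(f"{ts} 2330 cl.exe write C:/build/obj/unit{i}.obj")
    # Destructive burst (hypothetical process name): 24 renames spread over
    # three user directories in under 3 s.
    base = datetime(2024, 1, 15, 9, 2, 0)
    user_dirs = ["Documents", "Pictures", "Desktop"]
    for i in range(24):
        ts = (base + timedelta(milliseconds=120 * i)).isoformat()
        lines.append(f"{ts} 4412 unknown.exe rename C:/Users/alice/{user_dirs[i % 3]}/file{i}.docx")
    return lines


def run(threshold=20, window=timedelta(seconds=10), min_dirs=2):
    events = [parse_line(line) for line in build_sample_log()]
    return detect_bursts(events, threshold, window, min_dirs)


if __name__ == "__main__":
    for a in run().values():
        print(f"ALERT pid={a.pid} {a.process}: {a.count} destructive file ops "
              f"across {a.directories} directories starting {a.first_ts.isoformat()}")
```

With the defaults only the hypothetical `unknown.exe` burst is reported; the compiler writing 30 files into one directory stays quiet because of the `min_dirs` filter, and the word processor never approaches the threshold. Lowering `min_dirs` to 1 shows the trade-off: the compiler is then flagged too, which is the kind of false positive that makes a bare "many writes per second" rule noisy in practice.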