Wipermania: An All You Can Wipe Buffet

The article surveys more than twenty wiper families, examining trends, techniques, overlaps, and how actors—from activists to nation-states—use destructive software in 2022. It also discusses defense tips and the complexities of attribution, highlighting how wipers can be effective regardless of attacker skill. #HermeticWiper #Shamoon #Ukraine #WhisperGate #RURansom

Keypoints

  • analyzes over twenty wiper families, noting trends, techniques, and overlaps while cautioning against over-attribution from shared code
  • documents that wipers were used beyond Ukrainian victims, including Linux/Solaris targets and activist messages
  • highlights HermeticWiper and RURansom as examples showing advanced file-system manipulation (NTFS parsing) and selective spreading logic
  • identifies delivery methods such as manual execution, scheduled tasks, and worm-like network spreading to multiple devices
  • explains how legitimately signed, benign third-party drivers have been loaded to perform the raw disk manipulation on the malware's behalf, so the wiper body itself looks unremarkable to heuristic detection (e.g., Shamoon and HermeticWiper)
  • discusses impact factors like backup restoration speed, drive targeting, and the broader implications for downtime and recovery
  • argues that attribution is difficult because actors may outsource development or reuse code, complicating source-based conclusions

MITRE Techniques

  • [T1053.005] Scheduled Task – HermeticWiper executed via a scheduled task on victim devices. [ ‘The HermeticWiper has been executed via a scheduled task on the victimized devices.’ ]
  • [T1021] Remote Services – A worm-like spreading mechanism to execute the wiper on all devices it can connect to (the page does not say which remote service is used, so the parent technique is the accurate mapping). [ ‘a worm-like spreading mechanism to execute the wiper on all devices it can connect to.’ ]
  • [T1218] Signed Binary Proxy Execution – Benign driver usage to manipulate the file system, complicating detection. [ ‘The Shamoon wiper used a benign driver… difficult to heuristically define the software as malicious.’ ]
  • [T1485] Data Destruction / [T1561.002] Disk Structure Wipe – Wipers destroy data either by overwriting or deleting files (T1485) or by destroying the file-system structures that locate them, such as the boot sector and MFT (T1561.002); the latter is what makes restoring a handful of files impractical. [ ‘The destruction of the file system, rather than files within the file system, makes it harder to simply restore some files to repair the victimized machine.’ ]
  • [T1490] Inhibit System Recovery – Wipers that also reach backups, or that destroy more than a backup process can restore in a reasonable time, turn a wiping incident into extended downtime. [ ‘restoration speed can be too slow, especially when people work from home…’ ]
  • [T1485] Data Destruction – Specific overwrite behaviors such as WhisperGate overwriting the first megabyte of each file with 0xCC. [ ‘The WhisperGate wiper… overwriting the first megabyte of each file with 0xCC.’ ]
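As an added triage example (not code from the Trellix article or from any of the wipers it covers), the following Python checks for the two destruction styles listed above: a file-level overwrite of the WhisperGate kind, where the first megabyte of each file is 0xCC, and a structure-level wipe, where the boot sector and MFT that an NTFS parser such as HermeticWiper's has to walk are no longer valid. The sample files and the toy NTFS image are constructed inline; the 1 MiB length, the 0xCC marker and the boot-sector field offsets are assumptions taken from the summary and the standard NTFS on-disk layout.

```python
"""Offline triage checks for two wiper behaviours: file-level 0xCC overwrite
(WhisperGate) and file-system-structure destruction (boot sector / MFT).
Added example; not code from the article or from any wiper. Sample files and
the disk image below are constructed here for illustration."""
import os
import struct
import tempfile
from typing import Dict, Optional

WIPE_LEN = 1024 * 1024   # first megabyte, per the WhisperGate description
WIPE_BYTE = 0xCC         # fill byte WhisperGate writes
SECTOR = 512


def whispergate_overwritten(path: str) -> bool:
    """True when the file's first min(size, 1 MiB) bytes are all 0xCC.
    Works on a mounted volume because a file-level wiper leaves the
    file system itself intact."""
    size = os.path.getsize(path)
    if size == 0:
        return False
    with open(path, "rb") as fh:
        head = fh.read(min(size, WIPE_LEN))
    return head == bytes([WIPE_BYTE]) * len(head)


def ntfs_boot_sector_intact(sector: bytes) -> bool:
    """Check the fields a parser needs before it can locate the MFT:
    OEM ID (0x03), bytes/sector (0x0B), sectors/cluster (0x0D), 0x55AA."""
    if len(sector) != SECTOR:
        return False
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    return (sector[3:11] == b"NTFS    "
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sector[13] != 0
            and sector[510:512] == b"\x55\xaa")


def mft_record_signature(image: bytes) -> Optional[bytes]:
    """Boot sector -> $MFT start cluster (0x30) -> first MFT record; return
    its 4-byte signature (b'FILE' on a healthy volume). None means the boot
    sector no longer parses, which is what a structure wipe looks like."""
    boot = image[:SECTOR]
    if not ntfs_boot_sector_intact(boot):
        return None
    bytes_per_sector = struct.unpack_from("<H", boot, 11)[0]
    mft_cluster = struct.unpack_from("<Q", boot, 48)[0]
    offset = mft_cluster * boot[13] * bytes_per_sector
    if offset + 4 > len(image):
        return None
    return image[offset:offset + 4]


def build_image(wiped: bool) -> bytes:
    """Constructed toy volume: 512-byte sectors, 8 sectors per cluster, $MFT
    at cluster 4. wiped=True zeroes the boot sector, as a wipe of the first
    sectors would."""
    sectors_per_cluster, mft_cluster = 8, 4
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"          # jump instruction
    boot[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<H", boot, 11, SECTOR)
    boot[13] = sectors_per_cluster
    struct.pack_into("<Q", boot, 48, mft_cluster)
    boot[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * sectors_per_cluster * (mft_cluster + 1))
    image[:SECTOR] = boot
    mft_offset = mft_cluster * sectors_per_cluster * SECTOR
    image[mft_offset:mft_offset + 4] = b"FILE"
    if wiped:
        image[:SECTOR] = bytes(SECTOR)
    return bytes(image)


def demo_files() -> Dict[str, bool]:
    """Write two constructed files (first MiB wiped vs. real content) into a
    temp dir and return {name: whispergate_overwritten(path)}."""
    tmp = tempfile.mkdtemp()
    samples = {
        "wiped.docx": bytes([WIPE_BYTE]) * WIPE_LEN + b"untouched tail",
        "intact.docx": b"PK\x03\x04" + bytes(range(256)) * 16,
    }
    results = {}
    for name, data in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        results[name] = whispergate_overwritten(path)
    return results


if __name__ == "__main__":
    print(demo_files())
    print(mft_record_signature(build_image(wiped=False)))
    print(mft_record_signature(build_image(wiped=True)))
```

Run the first check over a mounted volume to scope a file-level incident; run the image checks against a raw disk image (the first sector and the MFT region) to tell a structure wipe from a file wipe, since that distinction decides whether per-file restoration is even an option.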

Indicators of Compromise

  • [SHA-256] – sample hashes for wiper families – HermeticWiper: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, and dnWipe: 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008
  • [SHA-1] – sample hashes – HermeticWiper: 61b25d11392172e587d8da3045812a66c3385451, and RURansom: a30bf5d046b6255fa2c4b029abbcf734824a7f15
  • [MD5] – sample hashes – HermeticWiper: 3f4a16b29f2f0532b7ce3e7656799125, and WhisperGate: 343fcded2aaf874342c557d3d5e5870d
  • [Family Name] – wiper families named in the article (family names, not file or process names) – HermeticWiper, WhisperGate, RURansom, CaddyWiper II

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html