Saudi energy companies (Saudi Aramco)

Post by Bappy11 »

> Five key events have marked the history of Wipers:

2022/2023 - Ukraine, "WhisperGate", "HermeticWiper"
Targets: Ukrainian public organizations
2017 - World, "NotPetya"
Targets: large companies around the world (Germany, France, etc.)
2014 - United States, "Destover"
Target: Sony Pictures Entertainment
2013 - South Korea, "Dark Seoul"
Targets: banks and media companies simultaneously
2012 - Middle East, "Shamoon"
Targets:

Hackers are constantly innovating, and the threat constantly looms over the entire world.
Let us cite as a reference NotPetya, which has caused enormous damage in many countries. The shadow of the Destover malware still looms, boosted by the use of a certificate stolen from the Sony Pictures company, which makes its attacks even more effective…

> Investigator's diary
Clue #3: Genealogy of the Wipers
• New viral strains born in 2012
• Increasingly frequent use

IV) Wiper operating mode
The attack is divided into 3 stages:

1. Infect
Infect as many machines as possible, using Windows sharing tools and exploiting unpatched vulnerabilities. Some Wipers also use fraudulent downloads as a means of distribution.
In 2017, the creators of the NotPetya malware hacked the homepage of the Ukrainian city of Bakhmut's website to trigger the automatic download of a fake Windows update.

2. Sleep
The malware does not take any action and remains in a lethargic state to avoid arousing suspicion. Like Sleeping Beauty, a trigger will be needed to wake it up.
This trigger must be discreet in order to avoid being detected when the assault command is launched.

3. Destroy: "The Final Countdown"
The malware has just received the command to take action.
That's it for the target operating system. It will no longer boot. Its MBR (Master Boot Record) and MFT (Master File Table) have just been overwritten by malicious scripts.
Files on a system protected by BitLocker (Windows) or LUKS (Linux) can no longer be recovered.
In the absence of a data backup distributed across different geographical sites, the damage to data backup servers and the destruction of workstations can be irreversible.

> Investigator's diary Clue #4
The modus operandi of the crime
• Infect as many machines as possible
• Wait for orders from a hacker
• Launch the destructive attack on the information system.

V) Conclusion of the investigation
Our investigation, now completed, shows that Wipers are devastating weapons.
In the context of current geopolitical tensions, this type of threat must be taken seriously.

There is no doubt that significant measures must be put in place to prevent the use of this type of virus that has the power to paralyze a country.
Faced with a possible total paralysis of an information system, the remedies are limited.

It is advisable to remain vigilant and adopt a distributed data backup to ensure the resilience of the information system.

> To combat Wipers, experts advise:

Protect the machines.
• Update components (operating system, software, antivirus, etc.).
• Raise awareness among users about hygiene and safety.
• Learn how to identify phishing attempts and avoid installing malware.
Protect infrastructure.
• Schedule regular disaggregated backups and isolate infected machines.
Organize crisis management.
• Be prepared in case of a successful attack.
• Test your business recovery plan and prepare communications and actions.
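As an added example (not part of the original post), here is a small Python check for the kind of damage described in the "Destroy" stage: it parses sector 0 of a disk (the MBR), verifies the boot signature and partition table, and compares the sector against a hash recorded while the machine was known good. The sample sector is constructed inline; no real disk is read.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
PART_TABLE = 446  # offset of the four 16-byte partition entries

# Constructed sample sector: one bootable NTFS-type partition at LBA 2048,
# three empty entries, then the 55AA boot signature.
GOOD_MBR = (bytes(PART_TABLE)
            + struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
            + bytes(48) + BOOT_SIG)

def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries of a raw MBR sector."""
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE + 16 * i)
        entries.append({"bootable": boot == 0x80, "type": ptype,
                        "lba_start": start, "sectors": count})
    return entries

def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of the sector, to be recorded while the machine is known good."""
    return hashlib.sha256(mbr).hexdigest()

def check_mbr(mbr: bytes, known_sha256: str = "") -> dict:
    """Classify sector 0 as ok / suspect / wiped and list the findings."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 55AA missing")
    if len(set(mbr)) == 1:  # zero-fill or other constant overwrite
        findings.append("sector is a constant fill")
    parts = parse_partitions(mbr)
    if all(p["type"] == 0 for p in parts):
        findings.append("partition table empty")
    for n, p in enumerate(parts):
        if p["type"] and p["sectors"] == 0:
            findings.append(f"partition {n} has zero length")
    if known_sha256 and baseline_hash(mbr) != known_sha256:
        findings.append("sector differs from recorded baseline")
    wiped = {"boot signature 55AA missing", "sector is a constant fill"}
    status = "wiped" if wiped & set(findings) else ("suspect" if findings else "ok")
    return {"status": status, "findings": findings, "partitions": parts}

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR)["status"], check_mbr(bytes(SECTOR))["status"])
```

Run it against `dd if=/dev/sda bs=512 count=1` output from a backup job to catch an overwritten sector before the next reboot reveals it.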