The cyber security landscape has been for years dominated by the ransomware phenomenon. But one of the most significant developments of 2022 has been the surge in wiper malware, malicious code that goes beyond simply stealing data and information, but completely erases it, making recovery impossible.
This type of malware has been used by both Russia and Ukraine in their ongoing cyberwar against one another. In addition, the amount of money paid to ransomware attackers dropped significantly in 2022, as companies began to refused to pay out any ransom. Does it means a weak signals of cybercriminal market change ? Will cybercriminal shift their criminal business model to go for more lucrative malware campaign?
This article will look at wiper malware and its use in the cyberwar between Russia and Ukraine, including a look at the new CryWiper ransomware that was discovered by researchers in December 2022. It will also explore the impact this type of malware has had on governments and businesses, as well as the measures they are taking to protect themselves against this increasingly sophisticated threat.
Finally, it will examine the implications on the general cybercriminal business model to try to figure if gratuitous wiper attack will supplant financially motivated ransomware attacks.
1. Introduction to Wiper Malware
Wiper malware is a type of malicious code that is specifically designed to completely erase data, making it irrecoverable. Unlike ransomware, which simply encrypts data and demands a payment for its release, wiper malware completely erases data, making it impossible to retrieve.
While not very common in cybercrime campaign, as it is more difficult to monetize in regards to ransomware, this type of attacks surge in light of the geopolitical context.
1.1 – What is Wiper Malware and What Does it Do?
The first wiper malware was discovered in 2012 and known as Shamoon. It targeted the energy sector, with attacks on Saudi Aramco, RasGas, and other companies in the Middle East. This malware was believed to have been created by a nation state and caused considerable damage to these organizations, with hundreds of thousands of computers being wiped clean.
Since then, wiper malware has become increasingly sophisticated, with new variants being discovered on a regular basis. They have been used in targeted attacks on organizations around the world, as well as in the ongoing cyberwar between Russia and Ukraine. In particular, this type of malware has been used with increasing frequency in 2021 and 2022, surging by 500%.
1.2 – How Wiper Malware is Used in the war Between Russia and Ukraine
The cyberwar between Russia and Ukraine has been ongoing since 2014, when Russian forces invaded and annexed the Crimea region. This conflict has been characterized by a continual series of cyberattacks and counterattacks, with both sides utilizing any means of cyberwarfare available.
In particular, wiper malware has been used with increasing frequency in 2021 and 2022, with both sides utilizing the destructive power of this type of malicious code. In 2015, Ukraine was targeted by the Blackenergy cyber sabotage campaign, which used a sophisticated wiper malware to target the Ukrainian power grid, resulting in a widespread blackout in the Ivano-Frankivsk region.
At the same time, the Ukrainian government has been increasingly aggressive in its cyber defense efforts, responding to Russian attacks with offensive cyber operations of its own. The increased use of wiper malware in this conflict has significant implications for global security. It shows the willingness of both sides to use whatever tools are available to damage each other’s systems, and demonstrates the effectiveness of this type of malware in wreaking destruction on a large scale. It also highlights the need for governments and businesses to invest in robust cyber defense measures.
1.3 – The Impact of Wiper Malware on Governments and Businesses
The increased use of wiper malware in the ongoing cyberwar between Russia and Ukraine has already had a significant impact on governments and businesses, particularly in 2022 and expectingly 2023.
The destructive power of wiper malware gives it the potential to cause significant disruption to any organization that is targeted, as demonstrated by the 2015 Blackenergy cyber sabotage campaign. Governments and businesses must therefore take action to protect themselves from this type of attack, particularly as the Russian and Ukrainian conflict escalates.
Organizations should also take steps to ensure they are prepared in the event that they are targeted by wiper malware, as the damage caused by such an attack can be devastating. This includes creating backups of important data, as well as developing cyber defense measures that can mitigate the effects of a successful attack.
Governments and businesses should also work together to address the threat posed by wiper malware, as the increased use of this type of malware in the ongoing conflict between Russia and Ukraine demonstrates that cooperation is essential in order to prevent such attacks from having a devastating effect. Indeed, an organization may not be targeted by the wiper, but its electricity supplier does, disrupting the whole supply chain.
2. The case of the CryWiper fake Ransomware
Some of the most notable wipers that appeared in 2022 include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom. CryWiper shares ressemblance with IsaacWiper. They both share an unsual algorithm for generating pseudo-random numbers.
2.1 – What is CryWiper and How Does it Work?
During the autumn of 2022, Kaspersky identified endeavors by a mysterious Trojan, named CryWiper. The malicious software was targeting organizationsin Russia. After going through the malware sample, they concluded that the Trojan was pretending to be an encryption tool and requesting money from the victim to “decrypt” the data. In fact, the malware was not encrypting anything; it was deliberately destroying the data on the victim’s system. Furthermore, the review of the Trojan’s code made it evident that this was not a mistake of the creator but its deliberate purpose.
The primary purpose of CryWiper is to destroy or disable targeted systems and networks, making them temporarily or permanently unusable. It does this by overwriting the contents of the targeted system’s hard drive and deleting essential files, as well as by disabling software and other components. CryWiper is particularly insidious because it is designed to be difficult to detect and identify. It is capable of disguising itself as legitimate software, and is also designed to delete itself after completion, making it even harder to trace.
2.2 – CryWiper Attribution and Lineage
CryWiper is a unique malware with regards to its code and purpose, and it is unrelated to any other family. This malware utilizes the Mersenne Twister to generate random values, which is not a typical feature among wipers. Interestingly, the usage of the Mersenne Twister is also found in IsaaсWiper, which is the only well-known wiper that uses this algorithm.
No one is offering strong attribution, but the choice of targets would seem to point, circumstantially, to Ukrainian cyber operations. IsaaсWiper, targeted organizations in Ukraine. The hypothesis could be that Ukraine-sponsored security professionals perform an incident response, during which IsaacWiper was found and reverse engineered it. The malware analysis was then weaponized to turn the piece of code against its alledged perpetrator : the Federation of Russia.
Both Russia and Ukraine launch malware at each other, directly and indirectly, by proxy, using digital hacktivist. Giving a strong attribution is only in the hand of intelligence services and governments.
3. The Impact of Wiper Malware on the Cybercriminal Business Model
Wiper malware were generally used in cybersabotage and cyberespionnage operation, not in cybercriminal campaign. With the 50% drop in ransomware payement, are we in the verge of a cybercriminal market shift and could wiper malware offers new opportunities of monetization.
3.1 – The Shift Away from Ransomware
Ransomware has been a major security concern for many years, with large-scale attacks causing massive disruption to businesses and individuals alike. However, in 2022, targeted organization are less willing to pay the ransoms ans step up their cybersecurity posture. There may be a shift away from ransomware as cybercriminals search for the most profitable techniques.
The availability of ransomware-as-a-service (RaaS) platforms have made it easier for cybercriminals to launch ransomware attacks without the level of technical expertise needed for encryption and decryption. This might seems as as open call for massive unsophisticated cybercrime, but in fact it also means that antivirus algorithm are way more likely to detect them.
The shift away from ransomware has seen cybercriminals turn to other techniques, such as phishing, DDoS attacks for ransom, malvertising and cryptojacking. These methods are more profitable, as they can be deployed more quickly and on a larger scale, allowing cybercriminals to reap greater rewards.
3.2 – Opportunities and Risks for Cybercriminals
The digital age has created a wealth of opportunities for cybercriminals, with the potential to commit a wide range of cybercrimes. This includes activities such as phishing, DDoS attacks, ransomware, and cryptojacking, which are often lucrative for criminals.
However, even though there are many potential opportunities for cybercriminals, there are also associated risks. For example, some cybercrimes require sophisticated technical expertise, to develop a partner in crime network, which can be difficult and costly to acquire and maintain. Not speaking of Law Enforcement, Governments and Cybersecurity Researcher hunting them with also more maturity and success.
Furthermore, many cybercrimes require a great deal of planning and preparation. This can make it difficult for cybercriminals to stay fully anonymous, as they must be careful not to leave behind any traceable evidence. And in cyberspace, we let a lot of traces. They are constantly at risk of being caught and facing prosecution.
Finally, even if a cybercriminal is successful in committing a crime, there is no guarantee they will be able to collect any ransom or profit. This is because their victims may be unwilling or unable to pay, the business model was wrong, or the money may be seized by law enforcement. Successful cybercriminals are businessman, not pure technician.
3.3 – Implications for the Future of Cybercriminal Business
The implications for the future of cybercriminal business are far-reaching. One major implication is the shift from ransomware to other forms of cybercrime, such as phishing, DDoS attacks, malvertising and cryptojacking. This shift is likely to be driven by the increasing difficulty of extracting ransoms, as well as the intense scrutinity of authorities over RaaS platforms and cryptocurrency mixers such as Bitzlato, that was making it easier for cybercriminals to launch ransomware attacks and launder the ransom.
Another implication is the emergence of cybercriminal marketplaces, where criminals can sell and trade data, tools, systems, and services. These blackmarket provide a platform for cybercriminals to easily acquire the resources they need to commit cybercrimes.
The increasing sophistication of cybercrimes means that organizations must stay up-to-date with the latest threats and invest in the necessary technical measures to protect themselves. This includes investing in security training and awareness programs, as well as deploying the necessary technical measures to protect against ransomware and other types of attack.
The implications of cybercrime for the future of cybercriminal business are profound,. Organizations must be prepared to address the evolving threats.
Wiper malware is a rapidly evolving threat that can cause serious harm to organizations. It is designed to destroy data and systems, making it difficult to recover from even after the malware is removed. To protect against wiper malware, organizations should invest in technical measures such as firewalls, antivirus software, and endpoint protection software.
In addition, organizations should also implement strong security policies, such as requiring multifactor authentication for access to sensitive systems, prohibiting the use of weak passwords, an efficient vulnerability prioritization mitigation program and regularly backing up data.