How to Mitigate the Threat of Wiper Malware

Federal cybersecurity officials have warned that the highly destructive data-wiping malware attacks currently targeting Ukraine’s government ministries and financial institutions are very likely to spill over into other countries, including the U.S. Officials with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) suggest organizations take a variety of actions to protect their networks and data, including creating isolated backups and implementing network segmentation.

Since the beginning of the year, security analysts have identified five distinct data wipers targeting organizations in Ukraine, including WhisperGate, HermeticWiper, IsaacWiper, DoubleZero and CaddyWiper. Wiper malware is meant to look like ransomware, but it doesn’t include any sort of recovery mechanisms. Instead, it is designed specifically to destroy data and make recovery impossible.

Researchers say the strains being used in Ukraine corrupt files on infected machines by overwriting their contents with null bytes (0x00), making them unrecoverable. Although wipers may work in slightly different ways, they almost always target a computer’s files, backups and master boot record (MBR), a key part of the startup system that contains information about the computer’s disk partitions and helps load the operating system.

Cyber Warfare?

Researchers have yet to firmly link the attacks to any known threat actor, but the attacks have occurred in conjunction with Russia’s military offensive. If Russia is indeed behind the attacks, it would not be the first time it targeted Ukraine with wiper malware. Analysts have concluded Russian threat actors were behind the 2017 NotPetya attack that targeted Ukraine’s government, banking and energy sectors before spreading to more than 60 countries worldwide, including the U.S.

Officials with CISA and the FBI say the current wiper variants could inadvertently spread to U.S. companies from their overseas partners and subsidiaries. They suggest that organizations take the following preventive measures:

  • Segment your networks. As the name suggests, network segmentation breaks up the company network into smaller, isolated parts. It won’t stop an attack, but it will significantly restrict a wiper’s ability to spread laterally through the network. In the event of an infection, segmentation can contain the damage to a single network segment, or subnetwork.
  • Create immutable backups. An immutable backup cannot be encrypted, deleted or otherwise modified in any way, even by an administrator. It ensures you have an untouched version of data that is always recoverable and safe from any attack or system failure. To ensure it can’t be compromised, the immutable backup should be completely isolated from local systems.
  • Test your recovery plan. Don’t wait until an actual emergency to find out if your backup plan is working properly. Perform frequent backups and verify they are working properly. Plans should be modified as needed to ensure they are meeting your recovery requirements.
  • Implement patch management. A controlled and automated approach to patching and updating software and operating systems helps limit your exposure to wipers and other exploits. Ideally, a patch management plan will include a framework for prioritizing, testing and deploying patches to ensure you don’t inadvertently introduce new vulnerabilities.
  • Require multifactor authentication. MFA solutions prevent unauthorized access to applications, systems and services by requiring a combination of verification factors such as a password or PIN along with a security token, mobile app or a biometric identifier. It greatly reduces the risk of data loss or theft due to compromised passwords.
  • Filter content. Content filtering solutions provide another level of protection by scanning web applications, identifying malware signatures, and examining text and email messages to protect against data leakage. They can also enforce access policies on remote and mobile devices that are used outside the network.
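One concrete way to carry out the "test your recovery plan" step above, and to catch the null-byte overwrite pattern described earlier, is to record a manifest of file digests when a backup is taken and then verify a restored copy against it. The script below is an added example, not code from the original post or from SSD Technology Partners. It assumes a manifest (relative path to SHA-256 digest) was captured at backup time, and it uses a simple heuristic, the first 4096 bytes being all zero, to distinguish a wiper-style overwrite from other corruption; the backup tree and the simulated damage in `demo()` are constructed for illustration.

```python
"""Verify a restored backup set against a manifest of SHA-256 digests and flag
files that look wiper-damaged (zero-filled).

Added example, not code from the original post or from SSD Technology Partners.
Assumption: a manifest mapping relative path -> sha256 hex digest was recorded
when the backup was taken (build_manifest() below produces that format).
"""
import hashlib
import os
import tempfile
from pathlib import Path

ZERO_SAMPLE = 4096  # bytes inspected when checking for a null-byte overwrite (assumed heuristic)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_zeroed(path: Path) -> bool:
    """True if the first ZERO_SAMPLE bytes are all 0x00, the pattern the wipers leave behind."""
    with path.open("rb") as f:
        head = f.read(ZERO_SAMPLE)
    return len(head) > 0 and head.count(0) == len(head)


def build_manifest(root: Path) -> dict[str, str]:
    """Record relative path -> digest for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest.

    Returns lists under: ok, missing, corrupted (digest mismatch, not zero-filled),
    zeroed (digest mismatch and zero-filled), unexpected (present but not in manifest).
    """
    report: dict[str, list[str]] = {
        "ok": [], "missing": [], "corrupted": [], "zeroed": [], "unexpected": []
    }
    present = build_manifest(root)
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif present[rel] != expected:
            key = "zeroed" if looks_zeroed(root / rel) else "corrupted"
            report[key].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: take a manifest, then simulate wiper damage on the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        restore = Path(tmp) / "restore"
        (restore / "docs").mkdir(parents=True)
        (restore / "docs" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (restore / "docs" / "notes.txt").write_text("quarterly notes")
        (restore / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(restore)  # what the backup job would have recorded

        # Simulated damage: one file null-byte overwritten, one deleted, one silently altered
        (restore / "docs" / "ledger.csv").write_bytes(b"\x00" * 17)
        (restore / "docs" / "notes.txt").unlink()
        (restore / "config.ini").write_text("[db]\nhost=changed\n")
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

Run it as part of a scheduled restore drill: a non-empty `zeroed`, `corrupted` or `missing` list means the backup or the restore path is not meeting the recovery requirement and the plan needs revising before an actual incident, which is exactly the point of testing before an emergency. Keeping the manifest on the same isolated, immutable storage as the backup matters too, since a manifest that a wiper can reach is no more trustworthy than the data it describes.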

If you have any concerns about implementing any of the above strategies for protecting your business, give SSD Technology Partners a call. Our managed service plans are designed to ensure you have layered cybersecurity solutions in place.