
Wiper Malware: The Threat to Businesses

As Cisco Talos researchers reveal an attack on Ukrainian critical infrastructure using a previously unknown wiper called “PathWiper”, how should businesses respond?


In 2012, a virus called Shamoon was responsible for a devastating attack on Saudi Arabian national oil company Saudi Aramco. Targeting recent versions of Microsoft Windows, Shamoon was incredibly destructive, spreading quickly from one machine to others on the network.

Shamoon set the pattern for what later became known as wiper malware: once it had infected its target, it compiled a list of files, uploaded them to the attacker and erased them, then overwrote the computer's master boot record so that the machine could no longer boot.
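The master boot record overwrite described above is the one part of a wiper's behaviour that leaves a simple, checkable trace on a disk image. The following is an added example, not code from the article, from Cisco Talos or from any of the vendors quoted here: a triage script that inspects sector 0 of a raw (dd-style) disk image and reports whether the classic MBR invariants (boot signature 0x55 0xAA at offset 510, a sane four-entry partition table at offset 446) are still intact. The sample MBRs it runs on are constructed inline; the `build_sample_mbr`, `inspect_mbr` and `parse_partition_table` names are this example's own.

```python
"""Triage check for an MBR-wiping attack on a raw disk image (added example)."""
import struct
import sys
from dataclasses import dataclass, field

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # bytes at offsets 510-511 of a classic MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    has_boot_signature: bool
    boot_code_is_zero: bool
    partitions: list
    problems: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.problems)


def parse_partition_table(sector0: bytes):
    """Decode the four classic MBR partition entries and flag malformed ones."""
    partitions, problems = [], []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, type_id = sector0[off], sector0[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector0, off + 8)
        if type_id == 0 and lba_start == 0 and sector_count == 0:
            continue  # empty slot: normal on most disks
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if type_id == 0 or lba_start == 0 or sector_count == 0:
            problems.append(f"entry {i}: partially zeroed entry")
        partitions.append(Partition(status == 0x80, type_id, lba_start, sector_count))
    return partitions, problems


def inspect_mbr(sector0: bytes) -> MbrReport:
    """Check sector 0 for the invariants a wiper destroys when it overwrites the MBR."""
    if len(sector0) < SECTOR_SIZE:
        return MbrReport(False, True, [], [f"short read: {len(sector0)} bytes"])
    sector0 = sector0[:SECTOR_SIZE]
    problems = []
    has_sig = sector0[510:512] == BOOT_SIGNATURE
    boot_zero = not any(sector0[:PARTITION_TABLE_OFFSET])
    if not has_sig:
        problems.append("boot signature 0x55AA missing at offset 510")
    partitions, part_problems = parse_partition_table(sector0)
    problems.extend(part_problems)
    if not partitions:
        problems.append("no partition entries present")
    if not any(sector0):
        problems.append("sector 0 is entirely zero-filled")
    return MbrReport(has_sig, boot_zero, partitions, problems)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a few boot-code bytes, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(PARTITION_TABLE_OFFSET, b"\x90")
    # status=0x80 (bootable), CHS fields, type 0x07 (NTFS), LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed "after the wiper" sectors: zero-filled, and overwritten with a byte pattern.
WIPED_ZERO = b"\x00" * SECTOR_SIZE
WIPED_GARBAGE = b"\xde\xad\xbe\xef" * (SECTOR_SIZE // 4)


if __name__ == "__main__":
    # Usage: python mbr_triage.py /path/to/disk.img   (defaults to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read(SECTOR_SIZE)}
    else:
        samples = {"healthy": build_sample_mbr(), "zeroed": WIPED_ZERO, "overwritten": WIPED_GARBAGE}
    for name, sector in samples.items():
        report = inspect_mbr(sector)
        verdict = "SUSPICIOUS" if report.suspicious else "ok"
        print(f"{name}: {verdict}; partitions={len(report.partitions)}; problems={report.problems}")
```

Run against a forensic image rather than a live disk, and treat the result as a triage signal only: a disk that boots via GPT carries a protective MBR whose boot-code area is often all zeros but still has the signature and a single type 0xEE entry, so the script flags only combinations that no healthy disk exhibits.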

Another notable wiper is NotPetya, which targeted Ukraine in 2017 in an attack masquerading as ransomware but engineered for destruction. Five years later in 2022, HermeticWiper was used as part of the opening attacks in the Russia-Ukraine war.

Now, Cisco Talos researchers have revealed an attack on Ukrainian critical infrastructure using a previously unknown wiper they call “PathWiper”, which they attribute to a Russian adversary.

There’s no doubt wiper malware is incredibly destructive, and it could soon be supercharged by growing AI capabilities. How should businesses respond?

The growth of wiper malware

It seemed to be out of the spotlight for a while. Now wiper malware is on the rise again for three reasons: “Geopolitics, misinformation, and misdirection,” says Rik Ferguson, VP security intelligence at Forescout. “Conflict has always been fertile ground for cyberwarfare, and wipers are fast, effective weapons of chaos, but they’re also a distraction. When your systems are burning, your eyes aren’t on what’s happening elsewhere.”

Wiper malware has been used alongside geopolitical and military conflicts, in particular by Russia against Ukraine, as well as by suspected Iranian adversaries targeting Israeli entities, says Hannah Baumgaertner, head of research at Silobreaker.

At the same time, wiper malware has been adopted by ransomware groups. For example, the BlackJack group, believed to be linked to Ukrainian intelligence, and the Twelve hacktivist group have used wiper malware alongside ransomware in more recent attacks against Russian entities, says Baumgaertner.

Ransomware operators are also increasingly implementing wiper components into strains, such as Anubis and SuperBlack, she says. “These additional components make attacks more destructive, as there is no way of recovering any data.”

The wiper risk

Amid this complex landscape, the risk to businesses is real, especially for those operating in high-stakes critical sectors. The threat from wiper malware is “serious and indiscriminate”: You don’t have to be the primary target to “get caught in the blast”, says Ferguson.

Organisations are at risk by being directly targeted, by serving as critical infrastructure providers, or through supply chain connections, he says.

Businesses in industries such as energy, healthcare, finance and government are high-risk targets, but any enterprise with digital assets is vulnerable, says Danielle Coady, VP and cyber resilience evangelist at Index Engines.

Wipers are “arguably the most destructive type of malware”, with no financial motive or path to data restoration, according to Coady. “Ransomware allows for recovery at a price, but wipers cause permanent damage. Their goal is sabotage, data obliteration and to send a political or ideological message. This makes them especially dangerous, as they eliminate any opportunity for negotiation or partial recovery, forcing organisations into full-scale disaster recovery mode.”

The threat is compounded by the use of secondary tactics such as data exfiltration or lateral movement – which can go undetected until it's too late, says Coady. “Traditional perimeter defences are no match for these attacks, making advanced detection and recovery planning critical.”

Recovering from wiper attacks

Recovering from wiper malware attacks is difficult. Yet it is possible, if an organisation ensures proactive measures are in place before the attack, says Coady. “Once data is wiped, there's no decrypting or restoring unless immutable, clean backups exist. Virtual environments are especially vulnerable if backup systems themselves are corrupted.”

Recovery depends on segmentation, a rapid and well-rehearsed response, and “immutable offline backups”, concurs Ferguson. “Wipers often destroy logs and system metadata, making forensic analysis and containment harder, but that doesn't mean they always succeed. If you've built visibility, drilled your response and hardened your environment, you're already ahead of the curve.”

If they want to mitigate the very real risks from this malware, security leaders must shift from “reactive defence” to “proactive resilience”, says Ferguson.

This starts with comprehensive visibility across IT, operational technology (OT) and internet of things (IoT) environments, he advises. Network segmentation plays “a critical role” in “limiting both lateral movement and any potential blast radius”, according to Ferguson.

Meanwhile, zero trust architecture and least privilege policies “raise the bar even further” he adds.

To help manage the risk from wipers, it’s also important to get the basics right. Strong patch management, anti-virus and other best practices are “a good starting place” to help protect the business, says Ken Dunham, director, cyber threat, Qualys Threat Research Unit.

Staff training is also a good idea as wiper-based attacks continue to evolve, says Baumgaertner. “While initial access vectors continue to include typical phishing emails, attackers continuously refine their tactics, meaning organisations need to keep up-to-date with any recent changes to remain secure.”



Kate O'Flaherty, cybersecurity and privacy journalist
