FortiGuard Labs Threat Research

An Overview of the Increasing Wiper Malware Threat

By Geri Revay | April 28, 2022

In parallel with the war in Ukraine, cybersecurity researchers have witnessed a sudden increase in the number of wiper malware deployments. Although these haven't been officially attributed to Russian state-sponsored threat actors, their goals align with the Russian military's. It is widely theorized that these cyberattacks are intentionally being launched in concert with the invasion.

With wiper malware in the spotlight, we at FortiGuard Labs wanted to provide more information on this threat to help organizations understand it and implement better protections against it. In this blog, the following topics will be discussed:

  • What is wiper malware?
  • The motivation for threat actors to use them
  • Interesting properties that can influence the effectiveness of the malware
  • Wiper techniques under the hood
  • Protections provided by Fortinet

What is Wiper Malware?

The term wiper comes from the malware's most basic function: wiping (erasing) the hard disk of the victim machine. More generically, wiper malware can be defined as malicious software that tries to destroy data. As we will see in the following sections, there are different ways to accomplish this.

History of Wiper Malware

Below is a short history of notable wiper malware (also shown in Figure 1):

  • Shamoon, 2012: Used to attack Saudi Aramco and Qatar's RasGas oil companies.
  • Dark Seoul, 2013: Attacked South Korean media and financial companies.
  • Shamoon, 2016: Returned to again attack Saudi Arabian organizations.
  • NotPetya, 2017: Originally targeted Ukrainian organizations, but due to its self-propagation capability, it became the most devastating malware to date.
  • Olympic Destroyer, 2018: Attack targeted against the Winter Olympics in South Korea.
  • Ordinypt/GermanWiper, 2019: Targeted German organizations with phishing emails in German.
  • Dustman, 2019: Iranian state-sponsored threat actors attacked Bapco, Bahrain's national oil company.
  • ZeroCleare, 2020: Attacked energy companies in the Middle East.
  • WhisperKill, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
  • WhisperGate, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
  • HermeticWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
  • IsaacWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
  • CaddyWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
  • DoubleZero, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
  • AcidRain, 2022: Attacked Viasat's KA-SAT satellite service provider.

Figure 1: Wiper malware timeline

Motivations Behind Deploying Wiper Malware

In this section, we will look at the different motivations behind deploying a wiper malware. While its goals are straightforward, that does not mean that the motivation is always the same. We distinguish between the following four potential motivators: financial gain, destruction of evidence, sabotage, and cyberwar.

Financial Gain

In general, financial gain is the least significant motivator for wiper malware. This is understandable because it is hard to monetize destruction. However, one aspect we want to point out here is the fake ransomware variant that pretends to encrypt data and asks for a ransom, but without the capability to recover the data. This could be called a ransomware scam because the ransomware concept itself is fraudulent. Threat actors employing such techniques are simply looking to make a quick buck without investing in developing an actual ransomware tool or in the administration work behind an actual ransomware operation. Of course, such an enterprise is short-lived because once it gets out that it is not possible to recover data, nobody will pay the ransom.

A good example is Ordinypt, or GermanWiper, which was active in 2017. Like ransomware, it altered files and added a random 5-character extension to them. It also destroyed recovery options, such as the Windows shadow copy, and changed the desktop background to display a ransom note with a Bitcoin address where the ransom payment was expected to be sent. However, it did not really encrypt files. Instead, it filled them with zero bytes and truncated them. With this approach, there was no way to recover any affected files.

Destruction of Evidence

This is a hard-to-prove motivator, but sometimes when there is no other reason to deploy a wiper in an attack, it may be concluded that the real reason was something else, such as espionage. The wiper is only deployed after the true goal of the attack is achieved. Instead of meticulously erasing their tracks and all evidence of their attack, the attackers simply deploy a wiper malware in the organization. This not only erases the evidence, but the scale of the destruction causes the defenders to focus on the recovery of data and operations and not on investigating the intrusion.


Sabotage

Sabotage is the most obvious reason to deploy a wiper. Just as the Stuxnet malware was used to destroy centrifuges to slow down Iran's efforts to develop nuclear weapons, wiper malware could be used to destroy data, sabotage development, cause financial loss, or just cause chaos.

One example in this category is the Shamoon malware, used to attack Saudi Aramco and other oil companies. The attack destroyed 30,000 workstations at Saudi Aramco. At such a scale, even replacing these computers becomes a logistical nightmare. The attack was also scheduled for a time when a holiday had just started to maximize its impact by counting on the limited staff available to respond to the attack.


Cyberwar

A few months ago, it would not have been as straightforward to include this motivation in the list. But at the time of this post, seven different wiper malware attacks (WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero, AcidRain) have been discovered targeting Ukrainian infrastructure or Ukrainian companies, all clearly in line with Russia's interest in the Ukraine-Russia war. Generally, wiper operations in this category attack targets whose destruction is in the interest of the opposing military. For example, the motivation behind such an attack might be to cripple critical infrastructure, either to cause chaos and increase mental stress on the enemy or to cause destruction at a tactical target. Wiper attacks can also have a devastating effect against OT and critical infrastructure targets, which has its value in a war.

An interesting and recent example is the suspicion that the AcidRain wiper was used in an attack against the Viasat KA-SAT satellite broadband service provider. The attacker gained access to the management infrastructure of the provider to deploy AcidRain on KA-SAT modems used in Ukraine. The attack also rendered 5,800 wind turbines inaccessible in Germany.

Interesting Properties

Although the general objective of wiper malware is quite simple, some have interesting properties worth discussing.

Fake Ransomware

As discussed, many wiper malware samples pretend to be ransomware. This means they leverage many of the typical Tactics, Techniques, and Procedures (TTP) that actual ransomware uses, but they do this without the possibility of recovering the files. In theory, standard ransomware can also be used as a wiper if the decryption key is never provided to the victim. In that case, the encrypted files are practically lost. However, after detailed analysis, it is apparent in many cases that the ransomware functionality is just a ruse, and in reality, the malware is a wiper. There could be a couple of reasons to do this:

  • As seen previously with Ordinypt, a sample can follow the ransomware business model without the intention to recover files.
  • It can be used to mislead the incident response team and, with that, slow down countermeasures.
  • It can hide the motivation behind an attack. Ransomware would suggest cybercrime, which could be a way to hide that the real motivation is sabotage or cyberwar.

An excellent example of the latter is the infamous NotPetya malware from 2017. It was the most devastating malware so far. It started with a supply chain attack against Ukrainian companies through updates from a small Ukrainian accounting software company. However, it did not stop there. Since NotPetya was a worm, it also exploited vulnerabilities in other software to propagate. This was so efficient that it quickly became a global problem, crippling networks without discrimination. It went to great lengths to imitate ransomware, such as encrypting files, providing a Bitcoin address for payment, and delivering a ransom note. However, in reality, it was a wiper that just destroyed data. It was attributed to the Sandworm actors, who are associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, often referred to as GRU.


Self-Propagation

As with NotPetya, we can see that a significant property of wipers is whether or not they are self-propagating. If it is a worm, such as NotPetya, it will self-propagate to other machines once it is let loose. In such a case, it is no longer necessarily possible to control it.

There are a couple of ways malware can self-propagate:

  • By exploiting vulnerabilities in network services.
  • By gathering credentials on infected machines and using them to connect to other machines in the network.
  • By using legitimate ways to move from one device to another, such as update processes.

This does not mean, of course, that non-self-propagating malware cannot be devastating. If the domain controller is compromised in a network, it can be used to deploy the wiper on all machines in the organization. The main difference is that self-propagating malware cannot be controlled once it has been unleashed.

Wiper Malware Techniques

Now let's roll up our sleeves and get our hands dirty by looking under the hood of wiper malware to understand the techniques they use to destroy the victim's data.

Overwriting Files

The most trivial approach for wipers is to simply enumerate the filesystem and overwrite the selected files with data. We discussed earlier that Ordinypt used this approach, overwriting files with zero (0x00) bytes.

Another good example is the WhisperGate wiper deployed against Ukrainian organizations earlier this year. It had various stages and components, but the second stage (stage2.exe) downloaded the file corrupter component from a hardcoded Discord channel. This component goes through specific folders looking for files with extensions hardcoded in the malware, which correspond to common document and data file types. The malware replaces the content of each file with 1 MB of 0xCC bytes and adds a 4-character random extension. It is worth noting that WhisperGate also pretended to be ransomware, even though it corrupts files beyond repair.
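The constant-fill overwriting described for Ordinypt (0x00) and WhisperGate (0xCC) leaves a recognizable forensic artifact. The following Python triage script is an added example, not code from the post or from FortiGuard Labs; it builds a constructed sample directory and flags every file whose content is a single repeated byte value, reporting the fill byte so an analyst can separate overwritten files from intact ones during recovery.

```python
import os
import tempfile
from pathlib import Path

# Fill bytes the post associates with specific wipers (Ordinypt: 0x00, WhisperGate: 0xCC).
KNOWN_FILL_BYTES = {0x00: "zero fill (Ordinypt-style)", 0xCC: "0xCC fill (WhisperGate-style)"}
CHUNK = 64 * 1024


def constant_fill_byte(path):
    """Return the byte value a file consists of entirely, or None if the file is
    empty or contains more than one distinct byte value. Reads in chunks so large
    files are not loaded into memory at once."""
    with open(path, "rb") as fh:
        first = fh.read(1)
        if not first:
            return None
        fill = first[0]
        expected = bytes([fill]) * CHUNK
        fh.seek(0)
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return fill
            if chunk != expected[:len(chunk)]:
                return None


def triage_directory(root):
    """Walk a tree and return {relative_path: (fill_byte, size, label)} for every
    file whose whole content is one repeated byte, the residue an overwriting wiper leaves."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            fill = constant_fill_byte(p)
            if fill is None:
                continue
            label = KNOWN_FILL_BYTES.get(fill, f"constant 0x{fill:02X} fill")
            findings[str(p.relative_to(root))] = (fill, p.stat().st_size, label)
    return findings


def build_sample_tree():
    """Constructed sample data (not real victim files): an intact document, a
    zero-filled and truncated file with a random 5-character extension, a 1 MB
    0xCC-filled file with a random 4-character extension, and an empty log."""
    root = tempfile.mkdtemp()
    (Path(root) / "report.docx").write_bytes(b"PK\x03\x04" + os.urandom(2048))
    (Path(root) / "budget.xlsx.k3Zq1").write_bytes(b"\x00" * 4096)
    (Path(root) / "notes.txt.Ab9x").write_bytes(b"\xCC" * (1024 * 1024))
    (Path(root) / "empty.log").write_bytes(b"")
    return root


if __name__ == "__main__":
    for rel, (fill, size, label) in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{rel}: {size} bytes, {label}")
```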

Encrypting Files

As mentioned earlier, encrypting a file and destroying the key is essentially equivalent to destroying the file. Of course, a brute-force attempt could be made to recover the file, but if proper encryption algorithms are used, this approach is quite hopeless. However, encryption rather than simply overwriting is very resource-intensive and slows down the malware. The only use case for implementing encryption in a wiper is when the authors want to keep up the appearance of being ransomware for as long as possible. This was the case with NotPetya, which did encrypt files properly.

Overwriting MBR

Many wipers also make sure to overwrite the Master Boot Record (MBR) of the disk. This part of a disk tells the computer how to boot the operating system. If the MBR is destroyed, the computer won't start. However, this does not mean that the data on the hard disk has been destroyed. If only the MBR is corrupted, the data can still be recovered. By itself, it can only be used to cause chaos and confusion, but no actual data loss. That is why it is usually used together with other techniques.

For instance, the ZeroCleare malware used against energy companies in the Middle East in 2019 also used this technique. It used the driver of the third-party tool EldoS RawDisk (more on that later) to access hard drives directly, bypassing the protection mechanisms of the operating system (OS). Instead of overwriting files at the OS level, ZeroCleare overwrites the disks directly with 0x55 bytes. This, of course, starts with the MBR and continues with all partitions. A very clever technique worth mentioning when talking about ZeroCleare is that it bypassed Windows Driver Signature Enforcement (DSE), which prevents Windows from loading unsigned drivers such as the RawDisk driver. To do that, it first loaded a publicly available, known-vulnerable signed VirtualBox driver. It then exploited the vulnerability in this legitimate driver to load RawDisk's unsigned driver. Once that happened, it had direct access to the disks in the machine.
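Parsing the first sector of a disk image is how a DFIR analyst confirms the post's point that an MBR-only wipe leaves partition data in place (the partition start LBA is what recovery tooling needs) while a ZeroCleare-style direct overwrite does not. The Python below is an added example, not the post's or FortiGuard's code; the two sample sectors it builds are constructed, and the partition layout (one NTFS partition at LBA 2048) is assumed for illustration.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code
ENTRY_FMT = "<B3xB3xII"               # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Parse a 512-byte MBR into {'valid', 'partitions', 'fill'}. 'fill' is set to the
    byte value when every byte of the sector is identical, i.e. the sector was overwritten."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    result = {"valid": sector[510:512] == BOOT_SIGNATURE, "partitions": [], "fill": None}
    if sector.count(sector[0:1]) == SECTOR:
        result["fill"] = sector[0]
        return result
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:                # empty entry
            continue
        result["partitions"].append({"index": i, "bootable": status == 0x80, "type": ptype,
                                     "lba_start": lba_start, "sectors": sectors})
    return result


def assess(sector):
    """One-line classification of a sector for a triage report."""
    r = parse_mbr(sector)
    if r["fill"] is not None:
        return f"overwritten: sector is a constant 0x{r['fill']:02X} fill, no boot signature"
    if not r["valid"]:
        return "corrupt: boot signature 0x55AA missing"
    if not r["partitions"]:
        return "intact signature but empty partition table"
    return f"healthy: {len(r['partitions'])} partition(s)"


def build_healthy_mbr():
    """Constructed sample: zeroed bootstrap code, one bootable NTFS (type 0x07) partition
    starting at LBA 2048 with 204800 sectors, and a valid boot signature."""
    sector = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_zerocleare_style_mbr():
    """Constructed sample of what a direct 0x55 disk overwrite leaves in sector 0.
    Note that 0x55 0x55 in the last two bytes is not the 0x55AA signature."""
    return b"\x55" * SECTOR


if __name__ == "__main__":
    print(assess(build_healthy_mbr()))
    print(assess(build_zerocleare_style_mbr()))
```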

Overwriting MFT

MFT stands for Master File Table, and it exists on every NTFS filesystem. This is basically a catalog of all the files that exist on the filesystem, their metadata, and either the file content or the location where the file content is stored. If the MFT is corrupted, the operating system won't be able to find the files. This is a very easy and fast way for wiper malware to make files disappear. The one drawback is similar to corrupting the MBR: the file content is not necessarily destroyed. While the few files stored directly in the MFT would be erased, most of the files are stored somewhere else on the disk, and the MFT only provides their location to the OS. Without the MFT, the OS won't be able to find the content, but the content is still there on the disk.

A fascinating example is NotPetya again. It overwrote the MBR of the target machine with a custom boot loader and stored custom low-level code that this boot loader called. This code encrypted the MFT when the first restart happened after the infection. Once the MFT was encrypted, it forced the machine to restart. After that second restart, the device would no longer boot but only display the ransom note (Figure 2).

Figure 2: NotPetya ransom note


IOCTL

IOCTL is the device input and output control interface in Windows. The DeviceIoControl() function is a general-purpose interface used to send control codes to devices. The control codes are essentially operations to be executed by the device driver. Malware uses this interface to collect information about the disks targeted for the actual wiping.

In the case of HermeticWiper, IOCTLs were used for the following purposes:

  • Drive fragmentation (as opposed to defragmentation): spreading files around the drive makes a recovery more difficult. To achieve this, the FSCTL_GET_RETRIEVAL_POINTERS and FSCTL_GET_MOVE_FILES IOCTL codes are used.
  • Parsing the drive's contents to identify the parts to be destroyed: To do this, the IOCTL_DISK_GET_DRIVE_LAYOUT_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX codes are used.
  • Collecting occupied clusters to stage them for erasing: This is a performance improvement that ignores clusters not in use. For this, the FSCTL_GET_VOLUME_BITMAP IOCTL code is used.
  • And finally, the FSCTL_GET_NTFS_FILE_RECORD code is used to load a record from an NTFS filesystem.

Once HermeticWiper collects all the data it wants to erase to maximize the impact of the wiping, it uses the EaseUS Partition Master driver to overwrite the selected parts of the disk with random data.

Third-party tooling

It was previously mentioned that malware sometimes uses third-party tools to overwrite data. They usually use the Windows drivers of off-the-shelf products to bypass the protection mechanisms of Windows and manipulate the disks directly. The primary reason for using third-party drivers is probably that poorly implemented drivers can easily crash the whole system, which would lead to investigation and detection. Attackers likely don't want to invest time into writing their own drivers. Another reason might be that only signed drivers are allowed to be loaded on modern Windows systems, so if they wrote their own driver, they would need to bypass this security mechanism. This is, of course, not impossible, as we saw with ZeroCleare, which first loads a signed but vulnerable driver and then exploits that vulnerability to load the unsigned driver.

The two most widely used third-party tools are:

  • EldoS RawDisk, used by the Shamoon and ZeroCleare wipers and by the Lazarus Group in their infamous Sony hack.
  • EaseUS Partition Master, used by HermeticWiper.
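On the defensive side, loads of these vendors' drivers are worth watching in endpoint telemetry. The Python below is an added example, not part of the post or Fortinet's tooling; it scores constructed Sysmon-style DriverLoad (Event ID 6) records for watchlisted signers, drivers that are not validly signed, and unusual load paths, and then looks for the ZeroCleare sequence the post describes (a signed but vulnerable driver load followed by an unsigned driver load on the same host). Signer strings, driver file names and paths in the records are constructed placeholders, and the watchlist must be baselined against hosts that legitimately run these products.

```python
# Signer substrings to watch (case-insensitive): the vendors of the disk drivers the post
# names as abused by wipers (EldoS RawDisk, EaseUS Partition Master) and Oracle, whose
# VirtualBox driver ZeroCleare loaded first. Tune against hosts that legitimately run them.
WATCHLIST_SIGNERS = ("eldos", "easeus", "oracle")
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon-style DriverLoad (Event ID 6) records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "UtcTime": "2022-02-23 21:01:10", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signature": "Microsoft Windows"},
    {"host": "ws02", "UtcTime": "2022-02-23 21:05:42", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\vbox_example.sys", "Signature": "Oracle Corporation"},
    {"host": "ws02", "UtcTime": "2022-02-23 21:05:44", "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": "C:\\ProgramData\\rawdsk_example.sys", "Signature": "EldoS Corporation"},
    {"host": "ws03", "UtcTime": "2022-02-23 21:09:03", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Users\\Public\\epm_example.sys", "Signature": "EaseUS"},
]


def score_driver_load(ev):
    """Return (severity, findings) for one record. Severity 2: watchlisted signer or a
    driver that is not validly signed (DSE should normally block the latter); 1: only an
    unusual load path; 0: nothing to report."""
    findings = {
        "unsigned": ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid",
        "watchlisted": any(v in ev.get("Signature", "").lower() for v in WATCHLIST_SIGNERS),
        "odd_path": not ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIR),
    }
    if findings["unsigned"] or findings["watchlisted"]:
        return 2, findings
    if findings["odd_path"]:
        return 1, findings
    return 0, findings


def triage(events):
    """Evaluate every record and return the alerts worth a human look."""
    alerts = []
    for ev in events:
        severity, findings = score_driver_load(ev)
        if severity:
            alerts.append({"host": ev["host"], "time": ev["UtcTime"], "driver": ev["ImageLoaded"],
                           "severity": severity, "findings": findings})
    return alerts


def hosts_matching_dse_bypass_pattern(alerts):
    """Hosts where a validly signed watchlisted driver load is followed by a driver that is
    not validly signed: the vulnerable-signed-driver-then-unsigned-driver sequence described
    for ZeroCleare. Alerts are ordered by time before the sequence check."""
    primed, flagged = set(), set()
    for a in sorted(alerts, key=lambda a: a["time"]):
        f = a["findings"]
        if f["watchlisted"] and not f["unsigned"]:
            primed.add(a["host"])
        elif f["unsigned"] and a["host"] in primed:
            flagged.add(a["host"])
    return flagged


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["time"], a["driver"], "severity", a["severity"])
    print("DSE bypass pattern on:", hosts_matching_dse_bypass_pattern(found))
```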

All of the Above

As shown in the examples above, most wipers are not using just one technique but a combination. Wipers employ varying complexity in trying to reach their goals. The more complex the malware is, the more techniques it needs to use. And, of course, the more techniques are used, the lower the probability that the data can be recovered.

Fortinet Telemetry

Figure 3 shows Fortinet Anti-Virus (AV) detection numbers since January 2022 for various wiper malware signatures. We can see that there was a significant increase. It is also interesting that there is still a lot of NotPetya detection, which can be explained by the fact that it is a worm: as long as there are vulnerable machines out there, NotPetya will keep self-propagating. We can also see how the war-specific new wipers appeared in March and increased the numbers significantly.

Figure 3: AV detection for wiper samples since January

Recommendations to Minimize the Impact of Wiper Malware

There are several best practices organizations are urged to implement to minimize the impact of wiper malware:

  • Backup: The most helpful countermeasure for ransomware and wiper malware is to have backups available. Malware often actively searches for backups on the machine (such as Windows Shadow Copy) or on the network in order to destroy them. Therefore, backups must be stored off-site and off-line to survive sophisticated attacks. It is also important to mention that the existence of backups is essential, but a detailed recovery process must exist as well, and the IT team must regularly exercise recovery from backup to minimize downtime.
  • Segmentation: Proper network segmentation can be useful on multiple levels. For example, it can limit the impact of an attack to one segment of the network. In addition, firewalls used in combination with anti-virus and intrusion prevention systems, such as FortiGate, FortiGuard IPS, and FortiGuard Content Security, can detect the propagation of malware on the network, communications to known command and control servers, and malicious files as they are moved through the network.
  • Disaster recovery plan: Once a wiper is deployed in the network, the question is how well the organization is prepared for such a situation. What processes have been defined for business continuity without IT? How will restoration from backups be done, and how will the organization communicate the incident to customers and the media? These are all questions that should be settled before an attack. All this and more should be defined in a disaster recovery plan, which will be invaluable under the extreme stress of an active compromise.
  • Incident Response: The speed and the quality of incident response are crucial, and the outcome of the attack can highly depend on it. In a scenario where a compromise is detected before wiper malware is deployed, the manner in which the incident response team handles and responds to the compromise could mean the difference between successfully averting data loss and complete data destruction. The FortiGuard Incident Response & Readiness Services is a trusted partner of many organizations for just this purpose.

Fortinet Protection

Fortinet products detect all malware discussed in this blog.

Fortinet Anti-Virus Signatures

  • HermeticWiper:
  • IsaacWiper:
  • CaddyWiper:
  • WhisperKill:
  • WhisperGate:
  • Shamoon:
  • Ordinypt:
  • Olympic Destroyer:
  • NotPetya:
  • Dustman:
  • ZeroCleare:
  • DoubleZero:
  • AcidRain:

IOCs (SHA-256 hashes of samples)

Olympic Destroyer:
19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea ab5bf79274b6583a00be203256a4eacfa30a37bc889b5493da9456e2d5885c7f

MITRE ATT&CK Techniques

  • Data Destruction
  • Data Encrypted for Impact
  • Disk Wipe
  • Disk Wipe: Disk Content Wipe
  • Disk Wipe: Disk Structure Wipe
  • Firmware Corruption
  • System Shutdown/Reboot
  • Scheduled Task/Job: Scheduled Task
  • System Services: Service Execution
  • Pre-OS Boot: System Firmware
  • Pre-OS Boot: Component Firmware
  • Pre-OS Boot: Bootkit
  • Direct Volume Access
  • Impair Defenses: Disable or Modify Tools
  • Indicator Removal on Host: File Deletion
  • File and Directory Discovery

Further Reading

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.