In today’s bulletin, Charlie gives an insight into wiper attacks and how these differ from traditional ransomware cyber attacks, and advises how organisations can protect themselves from these attacks.
This week, I have been working on a case study of the Stryker Corporation cyber attack, which was of interest to me as it is collateral damage from the current conflict in the Middle East. As most of my bulletins and case studies are about ransomware attacks, I thought I would instead write on wiper attacks and seek to understand how they are different to ransomware attacks, what the different types of wiper attacks are, what the motivations of attackers are, and how you can protect your organisation against them.
The Difference Between Wiper Attacks And Ransomware
Ransomware and wiper attacks may look similar, but the motivations and methodologies of those carrying them out are fundamentally different. Wiper attacks seek to destroy data and systems and render them unusable, with no possibility of recovery. Ransomware is usually financially motivated and encrypts the data, but the data can be recovered if you purchase the key from the attackers. In practice the division is more blurred and nuanced than this. Ransomware gangs may use wipers to cover their tracks and destroy evidence and records, making the attack more difficult to recover from. Some wiper attacks masquerade as ransomware, with a ransom note and a demand for money, when in reality the data has already been destroyed; the attackers may claim they can recover it, but they cannot.
What Are The Motivations For A Wiper Attack?
As the data is destroyed, very few wiper attacks are financially motivated; the motivation is usually political or a form of hybrid warfare. Politically motivated attackers range from state-sponsored organisations to hacktivist groups that align themselves with a cause or country. A recent example was the Handala Hack Team’s attack on Stryker Corporation, which provides medical goods and services worldwide. The wiper attack affected all their employees’ PCs, disrupting their delivery of hospital services and their manufacturing of medical devices. One of the first major wiper attacks at scale was the Shamoon attack on Saudi Aramco in 2012, which wiped 30,000 PCs and took months to recover from fully. This attack was followed by another in 2016-2018. The company’s data was overwritten with images of a burning U.S. flag or a photo of a drowned Syrian child. US intelligence attributed the attack to a group calling itself the “Cutting Sword of Justice”, which claimed responsibility. Experts believed this was a front for a state-sponsored attack, intended as retaliation for the Stuxnet virus and for Saudi support of U.S. sanctions.
The 2014 attack on Sony Pictures Entertainment, which involved wiping data (including films in development) and leaking sensitive information, was attributed to North Korea in response to the satirical film The Interview, which lampooned its leader. Olympic Destroyer was also attributed to North Korea. It was a wiper attack disguised as ransomware, designed to disrupt the IT systems of the 2018 PyeongChang Winter Olympics. It affected Atos, the global IT firm managing Olympic operations, knocking out ticketing, internet, Wi-Fi and broadcaster systems for hours.
Hybrid warfare is another motive for cyber attacks. This has been seen at its largest scale in the Russian attacks on Ukraine. The NotPetya self-propagating worm, which overwrote boot records, is said to be one of the most devastating cyber attacks in history, causing over $10b in costs worldwide. The attack, which was aimed at a Ukrainian financial organisation, infected companies worldwide, including DLA Piper, Maersk and FedEx, massively disrupting their operations. The Russians tried to disrupt critical infrastructure at the beginning of the conflict by prepositioning attacks and then launching them to coincide with the initial invasion. The impact fell on government and civil infrastructure, and attacks on communications and government institutions have continued.
Ukraine has also ‘hacked back’ and caused damage to Russian infrastructure. Hybrid warfare attacks do not just target data and the systems that support organisational processes; they attack at the process level, wiping SCADA and process controllers and bringing systems to a halt. Although low-level hacktivist attacks have occurred on US and European infrastructure, state-sponsored attacks have not yet caused widespread damage or impact. Last year’s attack on Polish renewables was attributed to Russian state-sponsored groups, who sought to control the system rather than to destroy it. An attack on critical infrastructure could trigger Article 5 of the NATO treaty. I suspect that all nations are seeking weaknesses in their likely rivals’ infrastructure and exploring how a cyber attack could be carried out.
What Are The Different Attacks?
| Attack Type | Explanation | Example (Organisation, Date, What Happened) | How Common |
|---|---|---|---|
| Boot record and pre-boot wipe patterns | These attacks overwrite the boot record so the system cannot start, leaving devices unusable on power up. They create immediate, visible failure and typically require full system rebuilds. | NotPetya – Maersk (June 2017): MBR overwritten across the estate, forcing a complete rebuild of global IT systems. | Moderately common in large-scale destructive attacks. |
| Disk structure wipe patterns: MBR, GPT, NTFS metadata | These attacks corrupt the structures that organise data on a disk, making all files inaccessible even if they still exist. Recovery is complex because the system cannot interpret stored data. | Shamoon attack – Saudi Aramco (Aug 2012): Disk structures destroyed on ~30,000 machines, rendering systems unusable. | Very common and a core wiper technique. |
| File content overwrite and selective destruction | Attackers overwrite critical files with random or fixed data, sometimes targeting key business systems only. This can delay detection while still causing major operational disruption. | Sony Pictures hack – Sony Pictures Entertainment (Nov 2014): Key files wiped after data theft, crippling internal operations and systems. | Common, especially in multi-stage attacks. |
| Registry and configuration destruction | These attacks corrupt system configuration such as the Windows registry, causing instability and system failure. Systems may behave unpredictably, complicating response and recovery. | WhisperGate – Ukrainian government organisations (Jan 2022): System configuration damaged, destabilising machines before full data destruction. | Moderately common as a supporting technique. |
| Firmware corruption and device bricking | This approach targets firmware such as BIOS or device controllers, rendering hardware unusable even after reinstalling software. In some cases, devices must be replaced entirely. | AcidRain attack – Viasat (Feb 2022): Firmware wiped on thousands of modems, effectively bricking devices. | Rare but very high impact. |
| Management plane wiping: when legitimate tools become weapons | Attackers exploit enterprise management tools to issue destructive commands at scale. Using trusted systems allows rapid, widespread wiping without traditional malware. | Stryker cyber attack – Stryker Corporation (March 2026): Intune admin access used to remotely wipe over 200,000 devices globally. | Increasingly common modern trend. |
So What Can We Do To Protect Ourselves?
As always, good cyber security and protection are essential for any organisation. In addition, robust operational procedures are essential to prevent social engineering attacks from gaining access to privileged accounts and bypassing controls, as seen in the Marks and Spencer and JLR attacks. The Stryker attack was executed using legitimate administrative control of Microsoft Intune software management: the attackers deployed no malware, but used the system itself to wipe and delete all company accounts.
Backups are, as always, key. As many of these attacks use self-propagating worms, or the malware impacts every file it can reach, having air-gapped backups is absolutely critical. If both the main system and the backups can be destroyed, there is nothing to recover. It does not matter if the backups are immutable, because if they are deleted, the immutability makes no difference. Recovery of systems and data should be practised to ensure that it can be done in a reasonable time and that staff have the expertise to carry it out. Lastly, there need to be plans in place for a fast response to a detected intrusion so that IT staff can quickly respond and take appropriate actions. Authorities and responses should be agreed in advance, as every minute the response is delayed, more destruction can take place. Plans and recovery should be exercised.
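The management-plane wiping described in the table and the Stryker case above is one of the few wiper patterns that leaves a clean audit trail before the damage is done, because every wipe is a console command. The following detector, an added example that is not from the bulletin or from any vendor, runs over a constructed audit log (the JSON schema and action names are hypothetical, not Microsoft Intune’s real format) and raises one alert per account that issues a burst of wipe or retire commands, the signal a fast-response plan would need to trigger on.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Console actions that destroy endpoint data (constructed names, not a vendor's).
WIPE_ACTIONS = {"wipeManagedDevice", "retireManagedDevice"}

# Constructed sample audit trail (hypothetical schema, not Microsoft's real one):
# the helpdesk wipes one lost laptop, then a second account wipes many in seconds.
SAMPLE_AUDIT_LOG = """\
{"time": "2026-03-02T09:00:01Z", "actor": "helpdesk@example.test", "action": "wipeManagedDevice", "device": "LT-0001"}
{"time": "2026-03-02T11:30:00Z", "actor": "svc-admin@example.test", "action": "wipeManagedDevice", "device": "LT-1001"}
{"time": "2026-03-02T11:30:02Z", "actor": "svc-admin@example.test", "action": "wipeManagedDevice", "device": "LT-1002"}
{"time": "2026-03-02T11:30:04Z", "actor": "svc-admin@example.test", "action": "retireManagedDevice", "device": "LT-1003"}
{"time": "2026-03-02T11:30:05Z", "actor": "svc-admin@example.test", "action": "wipeManagedDevice", "device": "LT-1004"}
{"time": "2026-03-02T11:30:07Z", "actor": "svc-admin@example.test", "action": "wipeManagedDevice", "device": "LT-1005"}
corrupted line that must not stop the detector
"""

def parse_events(raw_log):
    """Parse newline-delimited JSON records; malformed lines are skipped, not fatal."""
    events = []
    for line in filter(None, map(str.strip, raw_log.splitlines())):
        try:
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])

def detect_bulk_wipes(events, window=timedelta(minutes=10), threshold=5):
    """One alert per actor issuing >= threshold wipe/retire commands in a sliding window."""
    per_actor = defaultdict(list)
    for rec in events:
        if rec.get("action") in WIPE_ACTIONS:
            per_actor[rec["actor"]].append(rec)
    alerts = {}
    for actor, recs in per_actor.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1  # slide the window forward until it spans <= `window`
            count = end - start + 1
            if count >= threshold and count > alerts.get(actor, {}).get("count", 0):
                alerts[actor] = {"actor": actor, "count": count,
                                 "devices": [r["device"] for r in recs[start:end + 1]],
                                 "first": recs[start]["time"], "last": recs[end]["time"]}
    return list(alerts.values())
```

The single helpdesk wipe stays below the threshold, so a routine lost-laptop wipe does not page anyone, while the burst from the second account is reported with the affected device list for the responders to act on.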
Conclusion
Organisations should conduct a risk assessment to evaluate their likelihood of being targeted by political or hybrid warfare wiper attacks. Even a spurious connection to Israel or another country or organisation on either side of a conflict may be enough for hackers to target the organisation. As we seem to be heading for a future with more conflicts, wiper risk linked to political activity or warfare is likely to rise. The same protection and response preparation apply as for ransomware, so this is another reason to improve your level of preparation.