Wiper malware is an alarming threat to corporate data. Unlike ransomware, which can encrypt and disable files until a ransom is paid, wiper malware aims to delete data permanently and cause as much destruction as possible, making the data completely unrecoverable.
According to the Cyber Security Agency of Singapore (CSA), wiper malware ranks among the most destructive classes of malicious software. Beyond the damage to business operations, attacks on Operational Technology (OT) systems can disrupt industrial systems and equipment, resulting in devastating effects and endangering lives.
Wiper malware has grown more common in recent years, with several high-profile attacks making headlines. The destructive WannaCry attack in 2017, which affected hundreds of thousands of computers worldwide, is believed to have been a wiper attack. Other notable recent wiper attacks include Olympic Destroyer in 2018, targeted at the Winter Olympics in South Korea, and ZeroCleare in 2020, targeted at the energy and industrial sectors in the Middle East.
As the conflict between Russia and Ukraine continues, Ukraine has seen a withering barrage of wiper attacks. In the first half of 2022, seven new wiper variants were used in campaigns against private, government, and military organisations. Indeed, there have been wiper malware attacks in 24 countries beyond Ukraine, with some of these attacks targeting critical infrastructure using disk-wiping malware.
One of the fundamental challenges in dealing with wiper threats is that they’re very often difficult to detect and contain. Unlike other forms of malware, which usually come with signs of their presence, wipers erase all traces of themselves once they have completed their destructive work. This makes it difficult for IT security professionals to respond to these attacks and prevent them from spreading.
Organisations must implement robust, multi-layered security measures, including regular backups of critical data, to defend against wiper threats. It’s also essential to maintain a strong security posture and be alert to signs of a potential wiper attack. Here are three steps to minimise the risk of falling victim to these destructive attacks.
1. Back up your data
The importance of backing up data cannot be overstated when defending against wiper malware. While backups can’t prevent an attack from occurring, they provide a lifeline for restoring data compromised by wiper malware or any other type of attack.
The CSA strongly advises Singaporean organisations to take active steps to strengthen their cybersecurity posture, which includes backing up data regularly and ensuring that backups are isolated from network connections.
By properly managing backups, organisations can ensure they have copies of their data that are separate from their production systems. Should wiper malware, ransomware, or any other malware strike the active IT environment, the business can turn to its backups, stored on an immutable storage solution, for restoration. Not only is restoring from backups more cost-effective and faster than paying a ransom to recover data, but it’s likely the only recourse in a wiper attack because paying a ransom is usually not an option.
2. Follow the 3-2-1-1 rule
A 3-2-1-1 data-protection strategy is a best practice for defending against malware, including wiper attacks. This strategy entails maintaining three copies of your data, on two different media types, with one copy stored offsite. The final 1 in the equation is immutable object storage.
By maintaining multiple copies of data, organisations will have a backup available in case one copy is lost or corrupted. This is imperative in the event of a wiper attack, which destroys or erases data.
Storing data on different media types also helps protect against wiper attacks. This way, if one type of media is compromised, you still have access to your data through the other copies.
Keeping at least one copy of your data offsite, either in a physical location or in the cloud, provides an additional layer of protection. If a wiper attack destroys on-site copies of your data, you’ll still have access to your offsite backup.
The final advantage is immutable object storage. Immutable object storage involves continuously taking snapshots of your data every 90 seconds, ensuring that you can quickly recover it even during a wiper attack. This next-generation data-security tool helps to safeguard your information and protect it from loss or damage.
3. Air gap your networks
Air gapping is an efficient and effective method for protecting backup data against wiper attacks. There are two types of air gapping: traditional physical and logical air gapping. Physical air gapping involves disconnecting a digital asset from all other devices and networks, creating a physical separation between a secure network and any other computer or network. You can store backup data on media such as tape or disk, then completely disconnect these media from your production IT environment.
Logical air gapping, on the other hand, relies on network and user-access controls to isolate backup data from the production IT environment. Data is pushed to its intended destination, such as immutable storage or a custom appliance, through a one-way street and can only be managed or modified through separate authentication channels.
The beauty of air gapping is that it renders your data almost invisible to wiper malware attacks, making it nearly impossible for the bad guys to compromise your backups.
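The 3-2-1-1 rule and the air-gap requirement described above can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the `Copy` fields, the inventory names and the choice to count the production copy as one of the three copies are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                   # "disk", "tape", "object", ...
    offsite: bool                # held away from the production site
    immutable: bool              # cannot be altered or deleted once written
    air_gap: str = "none"        # "none", "physical" or "logical"
    separate_auth: bool = False  # managed via credentials production never holds

def isolated(c):
    # A physical gap means the media is disconnected. A logical gap only
    # counts when the copy is managed through a separate authentication channel.
    return c.air_gap == "physical" or (c.air_gap == "logical" and c.separate_auth)

def audit(copies):
    """Return the violated rules for one dataset's copies; empty list = compliant."""
    findings = []
    if len(copies) < 3:
        findings.append("copies<3")
    if len({c.media for c in copies}) < 2:
        findings.append("media<2")
    if not any(c.offsite for c in copies):
        findings.append("no-offsite")
    if not any(c.immutable for c in copies):
        findings.append("no-immutable")
    if not any(isolated(c) for c in copies):
        findings.append("no-air-gap")
    # Flag copies labelled as logically gapped that share production credentials.
    findings += [f"void-logical-gap:{c.name}" for c in copies
                 if c.air_gap == "logical" and not c.separate_auth]
    return findings

# Constructed inventories (hypothetical names); the production copy is included.
COMPLIANT = [
    Copy("prod-san", "disk", offsite=False, immutable=False),
    Copy("vault-tape", "tape", offsite=True, immutable=False, air_gap="physical"),
    Copy("object-lock", "object", offsite=True, immutable=True,
         air_gap="logical", separate_auth=True),
]
EXPOSED = [
    Copy("prod-san", "disk", offsite=False, immutable=False),
    Copy("nas-share", "disk", offsite=False, immutable=False,
         air_gap="logical", separate_auth=False),
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("exposed", EXPOSED)):
        print(label, audit(inv) or "OK")
```

The second inventory fails every leg of the rule: an on-site share on the same media type, reachable with production credentials, would be wiped along with the primary copy.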
The increasing spread of wiper malware is a stark reminder of the dangerous landscape organisations face when protecting their data. A solid, well-managed data backup and recovery plan is the key to ensuring data safety in the face of today’s growing array of threats.