Malware's Destruction Trajectory and How to Defeat It

Malware and targeted attacks on operating systems and firmware have become increasingly destructive, and these more nefarious attack methods are rising in prevalence. And just to add insult to injury, there are more of them. Today’s attacks are hitting more often, and they are hitting harder.

In the first three decades of its existence, malware was primarily restricted to mischief and attempts by virus creators to discover if their creations would work. But now the threat landscape has changed from simple vandalism to lucrative cybercrime and state-sponsored attacks.

Wiper malware, in particular, has gained traction in recent months; our FortiGuard Labs research team has seen at least seven different malware attacks targeting Ukrainian infrastructure or Ukrainian companies so far this year. The primary reason for using Wiper malware is its sheer destructiveness – the intent is to cripple infrastructure. What does the increased presence of Wiper malware strains indicate? And what do security leaders need to know and do to keep their organization safe? 

More malicious malware – Wiper malware takes hold 

Wiper malware renders a machine completely useless, and researchers are spotting more and more incidents of its use, particularly since the start of the war in Ukraine. One such example is DoubleZero, which has reportedly targeted Ukrainian enterprises – though it has yet to be spotted outside that country.

LokiLocker ransomware is another variant that researchers have seen emerge. If the victim does not pay the ransom, the ransomware is capable of targeting the Windows OS, deleting all non-system files and overwriting the Master Boot Record (MBR), rendering the hacked machine inoperable.

These malware strains have different levels of sophistication. While some strains wipe the master boot record – which is easy to recover from – other strains go even further, wiping out entire partitions, which kills the data, and then looking for backups and wiping those out, too. That’s considerably worse.

And then there are the Wiper attacks targeting firmware, which effectively transform your machine or device into a paperweight. This is a topic we've been discussing for several years, but it’s only recently started showing up in the wild.

Another consideration is Brickerbot, malware that renders IoT devices incapable of connecting to the internet. The goal is to destroy a network rather than just disrupt it to extract a ransom. A historic example is the Hajime ransomworm, which can download Brickerbot and can also identify CPE devices and their protocols and then remove the rules that allow a CPE device to talk to its service provider. For service providers, that means millions of devices could all go dark simultaneously, with no way to see, control or manage them.

What cybersecurity requires today

Prevention and recognition are especially challenging for security operations center (SOC) teams because the current infection vectors for the latest malware are often unknown. When adversaries are evolving just as quickly as security teams, it can feel impossible to keep up. That is why businesses must continue to evolve and learn. With new threats and vulnerabilities for attackers to exploit, SOC teams require clear insight into their networks, as well as enhanced security mechanisms that function in tandem.

To defend the network from this wide range of threats, enterprises need to use AI-powered prevention, detection and response strategies based on an integrated cybersecurity architecture. This will enable tighter integration and increased automation, as well as a more coordinated, effective and rapid response to threats across the extended network.

Enterprises also need to ensure all members of the organization are trained in proper security protocol. Now that anyone can be attacked, cybersecurity is everyone’s job. Make cyber hygiene training part of the employee onboarding program and provide ongoing updates to that training so all employees are apprised of the latest threats.

It’s also essential to provide total coverage for IoT devices within the network. These devices expand the threat landscape – sometimes exponentially, in the case of remote and hybrid work scenarios – introducing back doors into the network that must be identified, closed and locked. And because staff can’t see every entry point, you need to equip security teams with the latest AI-backed security measures. This will ensure visibility is high and help teams respond to threats faster. 

More than one step ahead

There’s more malware than ever, it’s more destructive than ever and the stakes continue to get higher. Whether for political reasons or for profit, hackers are cranking up the threat level. It’s a matter of business life and death to defend against things like wiper malware, whose intent is nothing less than to destroy devices and the infrastructure supporting your organization. Defeating attacks of this type requires an integrated security approach that enables complete visibility for the SOC team and its AI-based solutions. And of course, standard cyber hygiene rules still apply, as does consistent staff training. You can defeat these serious threats, but it takes a well-considered and comprehensive strategy to do so.

Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.