Wiper
The Wiper galaxy is an enumeration of destructive malware families designed to delete, overwrite, or otherwise irreversibly damage files and systems on compromised infrastructure.
Authors
| Authors and/or Contributors |
|---|
| MISP Project |
KnotWipe
KnotWipe is a destructive wiper family reported to overwrite user and system files, aiming to prevent recovery and disrupt operations.
Internal MISP references
UUID b72ec96f-5cd8-4971-b1c5-3cd2fac3b14f which can be used as unique global reference for KnotWipe in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite with random data', 'Deletion of shadow copies'] |
ScalpFox
ScalpFox is a destructive wiper family reported to recursively erase files across mounted drives and network shares.
Internal MISP references
UUID 0bebd2c7-014f-4113-8119-f632122b4ef4 which can be used as unique global reference for ScalpFox in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Linux'] |
| type | ['Wiper'] |
| wiping-technique | ['Recursive file deletion', 'Filesystem metadata corruption'] |
ZeroLot
ZeroLot is a destructive wiper family reported to zero-fill files and free space to complicate forensic and recovery efforts.
Internal MISP references
UUID d2952962-eb0c-4ccd-87b5-713f86dc5b7d which can be used as unique global reference for ZeroLot in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Windows', 'Linux'] |
| type | ['Wiper'] |
| wiping-technique | ['Zero-fill overwrite', 'Free-space wiping'] |
DoubleZero
DoubleZero is a destructive wiper family reported to conduct multi-pass overwrites and force system instability prior to reboot.
Internal MISP references
UUID b70567b3-b56b-4679-b95d-5b4b81067847 which can be used as unique global reference for DoubleZero in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Multi-pass overwrite', 'Service and recovery disablement'] |
CoreKill
CoreKill is a destructive wiper family reported to target boot-critical artifacts and high-value data directories.
Internal MISP references
UUID 15338159-8f33-4b2c-a32f-cad2f81cfade which can be used as unique global reference for CoreKill in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Windows', 'VMware ESXi'] |
| type | ['Wiper'] |
| wiping-technique | ['Master boot record overwrite', 'Targeted data destruction'] |
Occultus
Occultus is a destructive wiper family reported to stage delayed execution before erasing endpoint and server file stores.
Internal MISP references
UUID 0542863e-4e46-4283-9d4f-c6d285c0312a which can be used as unique global reference for Occultus in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Linux', 'Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Timed wipe trigger', 'Directory tree traversal and overwrite'] |
NaughtyWipe
NaughtyWipe is a destructive wiper family reported to destroy user files and sabotage recovery options on compromised hosts.
Internal MISP references
UUID 1bd0388c-b821-4718-894c-62e6f6b6b5e1 which can be used as unique global reference for NaughtyWipe in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Selective extension-based wiping', 'Recovery partition tampering'] |
Lotus Wiper
Lotus Wiper is destructive malware targeting Windows systems and designed to overwrite files and remove recovery options.
Internal MISP references
UUID 9feece1d-5340-4148-9a12-a049f4b3af0b which can be used as unique global reference for Lotus Wiper in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite', 'Shadow copy deletion'] |
Shamoon
Shamoon (Disttrack) is a destructive wiper used in major attacks against energy sector organizations.
Internal MISP references
UUID 51a88f8f-3bc9-44f2-81dc-9d306aa92245 which can be used as unique global reference for Shamoon in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2012-08 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite with random data', 'Master boot record overwrite'] |
Destover
Destover is a destructive wiper associated with the 2014 Sony Pictures intrusion.
Internal MISP references
UUID 69d4508b-c853-4e2e-b3a0-dd63b482e0b4 which can be used as unique global reference for Destover in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2014-11 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite with random data', 'Network share wiping'] |
KillDisk
KillDisk is a wiper family used to corrupt files and render systems inoperable.
Internal MISP references
UUID 4a3642f3-2980-49b3-a3c4-873e3c8a6ede which can be used as unique global reference for KillDisk in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2015-12 |
| operating-system | ['Windows', 'Linux'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite with random data', 'Master boot record overwrite'] |
SQLShred
SQLShred is a wiper targeting SQL database files and related storage.
Internal MISP references
UUID e44753ba-8475-40a3-ad66-fc0540656e52 which can be used as unique global reference for SQLShred in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2021-11 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Database file overwrite', 'Targeted data destruction'] |
StoneDrill
StoneDrill is a destructive wiper with anti-analysis functionality and file destruction routines.
Internal MISP references
UUID eefe68c4-cb5d-4710-9b6e-763d919f6896 which can be used as unique global reference for StoneDrill in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2016-03 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite with random data', 'Process termination prior to wipe'] |
IsaacWiper
IsaacWiper is a destructive malware family used in operations against organizations in Ukraine.
Internal MISP references
UUID 7c897162-0c1f-436b-99fd-514b43ef7458 which can be used as unique global reference for IsaacWiper in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2022-02 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite', 'Partition and directory destruction'] |
Olympic Wiper
Olympic Wiper is malware used during the 2018 Winter Olympics to disrupt systems and operations.
Internal MISP references
UUID 22a79437-54af-4f5d-9d4c-3b088c6f1f49 which can be used as unique global reference for Olympic Wiper in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2018-02 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File deletion', 'System recovery sabotage'] |
Wiper (2011-2012)
"Wiper" is the name given to destructive malware observed in late 2011 to early 2012 that rendered systems unbootable and unrecoverable.
Internal MISP references
UUID 5260d12a-50c3-4c45-a1de-db3047b2b5bb which can be used as unique global reference for Wiper (2011-2012) in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2011-12 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite with trash data', 'Full-disk overwrite'] |
Narilam
Narilam is destructive malware known to corrupt databases and business application data.
Internal MISP references
UUID b347923a-38db-4b97-beba-dbe01840ab53 which can be used as unique global reference for Narilam in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2012-11 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Database corruption', 'Targeted data destruction'] |
Groovemonitor / Maya
Groovemonitor (Maya) is a destructive malware family associated with disk and file damage routines.
Internal MISP references
UUID 1e5d55a9-77bc-4aa4-800c-30a4d2cf1516 which can be used as unique global reference for Groovemonitor / Maya in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2012-08 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File overwrite', 'Disk corruption'] |
DarkSeoul
DarkSeoul is destructive malware used in coordinated attacks against media and financial organizations in South Korea.
Internal MISP references
UUID a72fb508-9af7-4922-aef2-dacfc702f738 which can be used as unique global reference for DarkSeoul in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2013-03 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Master boot record overwrite', 'File destruction'] |
NotPetya
NotPetya is pseudo-ransomware that functions as a destructive wiper by irreversibly damaging file system structures.
Internal MISP references
UUID d59f3b52-f4e8-4842-9a58-f46c271c47ad which can be used as unique global reference for NotPetya in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2017-06 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Master boot record overwrite', 'Master file table encryption/corruption'] |
WhisperGate
WhisperGate is destructive malware masquerading as ransomware and used against organizations in Ukraine.
Internal MISP references
UUID 8f3248c9-6472-473c-81f2-784842774b65 which can be used as unique global reference for WhisperGate in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2022-01 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Master boot record corruption', 'File overwrite'] |
HermeticWiper
HermeticWiper is destructive malware deployed against Ukrainian organizations in early 2022.
Internal MISP references
UUID 7dfb2aec-f034-4dd7-a1f8-5d9c200a7cd3 which can be used as unique global reference for HermeticWiper in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2022-02 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['Partition corruption', 'File destruction'] |
CaddyWiper
CaddyWiper is a destructive malware family targeting Windows systems in Ukraine.
Internal MISP references
UUID 2d2bdb9b-d53a-4052-a8ca-2dd3dfb6dae6 which can be used as unique global reference for CaddyWiper in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2022-03 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['User file destruction', 'Domain controller disruption'] |
AcidRain
AcidRain is a Linux wiper targeting embedded and modem devices, notably in satellite communications incidents.
Internal MISP references
UUID 987f228b-ce61-4049-9203-cf70f717a888 which can be used as unique global reference for AcidRain in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2022-02 |
| operating-system | ['Linux'] |
| type | ['Wiper'] |
| wiping-technique | ['Filesystem and device wipe', 'Recursive deletion of files'] |
FoxBlade
FoxBlade is Microsoft's name for a destructive malware strain used in operations linked to attacks targeting Ukraine.
Internal MISP references
UUID 5032c38c-2899-4333-b676-93c29b8dff31 which can be used as unique global reference for FoxBlade in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| first-seen | 2022-02 |
| operating-system | ['Windows'] |
| type | ['Wiper'] |
| wiping-technique | ['File destruction', 'System sabotage'] |