February 24, 2022

Recent Increase in Wiper Malware Attacks – MSPs Heed Warnings

By Ryan Weeks

In the wake of recent international events, the world is facing elevated threats of cybersecurity breaches. With a recent increase in the use of Wiper Malware, MSPs should heed warnings and not underestimate the potential for serious disruptions.

Wiper Attacks aim to cause harm and destruction by completely “wiping” out the hard drive of the device it is infecting. The motivation for using wiper malware is essentially to erase all proof of existence, essentially to hide something the other party wants to avoid being exposed to the world (most recently, Russia trying to hide its tracks in advances and attacks on Ukraine).

Wiper malware targets data (in stored files), operating systems, and even backup. As soon as it is activated, the wiper will immediately destroy data and will also do everything possible to ensure that data is unrecoverable by destroying backups.

The History of Wiper Malware

In 2017 NotPetya caused what some claim to be the world’s most devastating cyberattack, with a goal to encrypt the hard drive of infected computers while it’s tools helped it to spread globally and infect many more machines. The malware affected not just its intended victim, i.e. Ukraine, but went out to numerous machines around the world. Hospitals in Pennsylvania, Tasmanian factories, and many more multinational companies across numerous industries were impacted.

Then in 2019, the GermanWiper Ransomware hit victims hard by permanently destroying user data. While technically ransomware, users who paid the ransomware still couldn’t recover their data as GermanWiper erases, rather than encrypts, the data.

What Can You Do to Prevent Wiper Attacks

To protect your systems and data from Wiper Attacks, it’s more crucial than ever to have layers of capabilities to help protect, detect, respond and recover from attacks.


  • Backups: Regular backups with a known integrity for recoverability are necessary in order to respond to and recover from attacks. Given the prevalence of attackers targeting backups in ransomware and wiper attack scenarios, it is important that local backups be isolated from the rest of the local systems. An alternate isolated recovery location ensures that replicated backup data can be recovered in where the primary backup data existed in the event it is destroyed or tampered with.
  • Network Security: Logically segment networks to minimize impact and malware spread. Segment networks by function: Do you need employees in sales and marketing sharing the same network resources as those in technical roles? A good practice is to separate IT management, cybersecurity, and VoIP, as well as wireless (guest and local) network segments. Segmenting networks makes it harder for threats to spread laterally given any single network foothold.
  • Patch Management: Keeping operating systems and software updated, or “patched”, fixes bugs or weaknesses in IT network systems. Patch management tools allow for a controlled and automated deployment of patches to systems. As a result it creates an environment that is more resilient to known weaknesses by providing MSPs detailed insights into apps and devices that are potentially at risk and helping to automate deployment of patches.
  • Email Security: Ensure you have an advanced threat protection layer for email that is used as the first line of defense against phishing scams and malware sent via email. This malware is often a precursor to larger disruptive and destructive attacks.


  • Endpoint Security: When it comes to Wiper Malware, prevention, removal and recovery are elusive. To maximize chances of removal and recovery you need to be able to detect these threats early. The best way is to ensure you have an effective advanced anti-malware solution that detects common techniques and system behaviors used by wiping malware and alerts you in real-time to potential threats as well as helps you respond to and isolate identified threats.
  • Credential Security: Many attacks start with the theft of a valid employee credential. Effective credential breach monitoring services alert you to the compromise of an employee credential and allow you time to take corrective action, before the credential is leveraged to gain a foothold in IT networks and systems.


  • Business Continuity and Disaster Recovery: Having backups is great, but you need a practiced plan for how you will recover from attacks such as ransomware and wiping malware. Of utmost priority is recovering IT or technology systems that support critical business functions. Ideally those systems were enumerated during a Business Impact Assessment as you work to Identify key systems that need protection. These plans and prior testing of them ensure your business is kept up and running in the midst of a disruptive and disastrous event.

Recovery is Possible

In the event you’ve been infected with Wiper Malware, Datto Cloud Deletion Defense (CDD) lets you regain access to deleted cloud snapshots. Whether an agent is mistakenly or maliciously deleted, CDD provides a window to recover this cloud data. 

The Cybersecurity and Infrastructure Security Agency is recommending that all organizations—regardless of size—adopt a heightened posture when it comes to protecting their most critical assets. Join me next Monday, February 28 at 1 PM ET as I discuss this in more detail on The CyberCall. Register now.

Suggested Next Reads

Elevate Autotask Tickets With IT Glue Checklists

Streamline IT support with Autotask checklists. Empower Level 1 technicians to handle repetitive tickets efficiently, reducing escalations and improving service quality.