Masquerading as Ransomware
Wiperware is only ransomware in that it masquerades as such when performing a campaign against a specific target, Blumira’s Matthew Warner said.
“Ransomware and pseudo ransomware do use the same mechanisms to download and deploy their functionality against the impacted hosts, such as PowerShell, wscript and registry modifications,” he said. “The main difference is that the attackers must craft their attacks in a way that allows for maximum success in data destruction rather than trying to encrypt as much as possible while still allowing access for future decryption. Ransomware, especially ransomware as a service, often has a component of ‘customer service’ to allow for bounty payment and recovery of data, and must be built to allow this behavior by the victim.”
For wiperware, the attackers must not only ensure that they can erase data from all useful drives, but do so while their own attack persists on the host until completion, Warner said.
“In the case of the Trellix sample, the attackers maintained an open ping until they completed the deletion of all potentially useful files on the host with a final clean-up step,” he said. “While this data may be recoverable by an incident response team on a case-by-case basis, it would require significant effort and cost per machine to do so.”