Wiper malware is a type of destructive malware that destroys organizational files and data, rendering them inaccessible and unusable. It typically spreads through phishing emails, malicious downloads, exploited vulnerabilities, Remote Desktop Protocol (RDP) exploits, and supply chain attacks. Wiper malware is commonly used to destroy critical assets and data and disrupt business operations, leading to financial losses and reputational damage. Threat actors use several techniques to destroy data, including overwriting files with other data (such as NULL or random bytes), encrypting files and destroying the decryption key, corrupting or overwriting the Master Boot Record (MBR), and corrupting the Master File Table (MFT).
It shares many features with ransomware except for its ultimate objective. Unlike ransomware, in which encrypted files may be recovered with a decryption key after a ransom is paid, wiper malware can masquerade as ransomware without a decryption capability. It intends to destroy data instantly and permanently, preventing data decryption and content recovery efforts even if a ransom is paid. The tactics of ransomware-as-a-service (RaaS) operations continue to evolve with emerging dual-threat capabilities combining file encryption and file destruction. The wiper feature is likely added to increase pressure on victims to pay the ransom more quickly instead of delaying or ignoring negotiations altogether.
The history of notable wiper malware started in 2012. Wiper malware was used sporadically over the following ten years to target organizations for sabotage, destruction of evidence, cyberwar, and some financial gain. Therefore, it was a preferred tool for nation-state actors and hacktivists over threat actors seeking profit. The United States government attributed the 2014 Sony Pictures Entertainment (SPE) hack to the Lazarus Group, alleged to be run by the North Korean government. SPE was the first US company to be impacted by wiper malware. In 2017, NotPetya was disguised as ransomware and intended to target Ukraine. However, it spread to many systems worldwide, including the United States and several New Jersey organizations.
Wiper malware activity surged in 2022, with attacks primarily targeting and crippling Ukrainian infrastructure or organizations in the Ukraine-Russia war. It was also used by LokiLocker ransomware operators in 2022 and LockBit ransomware operators in 2023 to attack organizations that refused to negotiate a ransom payment. The use of wiper malware in ransomware attacks suggests a potential evolution of tactics by groups not linked to nation-state actors or hacktivists to retaliate and inflict maximum damage on uncooperative victims. In 2024, wiper malware continued with numerous variants, such as AcidPour targeting Linux devices in critical sectors, pro-Palestinian hacktivist group Handala Hacking Team targeting Windows and Linux environments of Israeli organizations, and Hamas-affiliated WIRTE group targeting Israeli organizations with phishing emails delivering SameCoin Wiper. Additionally, threat actors destroyed data of over half (54 percent) of global financial institutions in 2024, an increase of 12.5 percent since 2023.
At the beginning of 2025, wiper malware and ransomware were predicted to continue to increase and evolve, especially across government agencies and critical infrastructure sectors. Since then, there have been some notable wiper malware and ransomware incidents. Researchers discovered a destructive attack on a Ukrainian critical infrastructure organization using a previously unknown wiper malware. Dubbed PathWiper, the variant is likely attributed to a Russian advanced persistent threat (APT) actor that had access to the administrative console of a legitimate endpoint administration framework. The threat actors targeted the master boot record (MBR) and NTFS-related artifacts for corruption, issued malicious commands, and deployed PathWiper across endpoints in the victim organization’s environment. When executed, PathWiper dismounted volumes and overwrote artifacts with randomly generated bytes.
Threat actors also targeted Linux servers in a supply chain attack with wiper malware hidden in three Golang modules on GitHub. The malware overwrote every byte of data with zeros. In a separate campaign, threat actors used typosquatting of legitimate tools to publish eight malicious packages on NPM. The malicious packages destroyed framework files, corrupted core JavaScript methods, and sabotaged browser storage mechanisms.
Wiper malware showed an increasing and evolving trend in ransomware operations in 2025. SuperBlack ransomware operators exploited two Fortinet vulnerabilities and used wiper malware, as seen in previous ransomware incidents tied to LockBit and BrainCipher. The wiper file removed evidence of the ransom executable after encryption. ARCH WIPER ransomware operators destroyed data instead of extorting money by encrypting files without a ransom. A message was delivered stating that the files were permanently corrupted, and victims were advised to reset their systems. Anubis ransomware operators added wiper malware and claimed victims in healthcare, hospitality, business services, and construction in the United States. Anubis’s wiper feature used a /WIPEMODE parameter to permanently wipe the contents of files. Once wiped, the filenames and extensions remained displayed and untouched in the expected directories, but their file sizes were reduced to 0 KB.
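The three destruction signatures described in the incidents above (files overwritten with random bytes, files overwritten with zeros, and files truncated to 0 KB with their names intact) can be recognized during incident triage. The following Python script is an added illustration, not code from the original page or from any of the named malware families or vendors; the 7.5 bits/byte entropy threshold and the 50 percent "mass wipe" cut-off are assumed heuristics, and the sample files are constructed.

```python
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for random bytes, 0.0 for a constant fill."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 65536) -> str:
    """Map one file to a destruction signature from the text: 'truncated' (0 KB,
    name kept), 'zero-filled', 'random-overwritten', or 'intact'. Caveat: compressed
    or encrypted files are also high-entropy, so the random verdict is a triage
    signal, not proof on its own."""
    if os.path.getsize(path) == 0:
        return "truncated"                 # Anubis /WIPEMODE style: 0 KB, name intact
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.count(0) == len(head):
        return "zero-filled"               # every byte overwritten with zeros
    if shannon_entropy(head) > 7.5:        # threshold is an assumed heuristic
        return "random-overwritten"        # PathWiper style random bytes
    return "intact"

def triage_directory(root: str) -> dict:
    """Classify every file under root; flag a suspected mass wipe when at least
    half of the files carry a destruction signature (assumed cut-off)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            files[name] = classify_file(os.path.join(dirpath, name))
    counts = Counter(files.values())
    total, damaged = len(files), len(files) - counts["intact"]
    return {"files": files, "counts": dict(counts), "total": total,
            "mass_wipe_suspected": total > 0 and damaged / total >= 0.5}

def build_sample_tree() -> str:
    """Constructed sample data: one intact document plus one file per signature."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    samples = {
        "report.docx": b"Quarterly report: revenue up 4 percent on last quarter.\n" * 20,
        "ledger.xlsx": b"\x00" * 8192,     # overwritten with zeros
        "backup.db": os.urandom(8192),     # overwritten with random bytes
        "invoice.pdf": b"",                # name and extension kept, contents gone
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Running `triage_directory(build_sample_tree())` returns per-file verdicts and the mass-wipe flag; pointing it at a real share after an incident gives a first estimate of which destruction technique was used and how much of the data it reached.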
A recent report revealed that ransomware is increasingly targeting cloud environments, and one of the most common types is data wiper ransomware. Threat actors, including ransomware operators, may leverage access to cloud environments to delete cloud storage, accounts, machine images, and other infrastructure that is critical to business operations. Although there is currently no evidence of wiper malware specifically targeting New Jersey, it does not mean that organizations, including critical infrastructure, are immune to this threat.