Wiperware, or wiper malware, is a disturbing evolution in cyber warfare that takes no prisoners—not even your data.
Attacks attributed to this new, highly destructive form of malware include an Iranian train system attack in 2021 that caused “unprecedented chaos.” But while chaos is the goal, not money, there are things your organization can do to keep that chaos at bay. Here are 10 questions about this novel malware and some tips to stay safe.
1. What is wiperware, and how does it differ from other types of cyber threats?
Wiperware is a type of malware that is often compared to ransomware, but it differs from ransomware in the following ways:
- Wiperware’s objective isn’t financial gain—it’s destruction. Ransomware encrypts a victim’s files or locks them out of their system but offers a decryption key or restored access for a ransom. Wiperware, on the other hand, was created to destroy or “wipe” data on a targeted system or network. It aims to cause damage, disrupt operations, or even sabotage a target’s infrastructure.
- The communication is different (or non-existent). Ransomware attackers typically want to communicate with you—to provide instructions on how to pay up, for example. Wiperware attackers have less incentive to communicate. Without that ransom note, you may miss the attack until it’s too late.
- Wiperware’s impact can be much worse. Ransomware can be extremely disruptive and financially damaging, but there’s at least a possibility of recovery. Wiperware attacks can result in the permanent loss of data and can cause significant disruption that’s difficult if not impossible to recover from without extensive data backups and disaster recovery measures.
2. What are the motivations behind wiperware attacks?
Because it’s not just about money, and because attacks are often irreversible, wiperware is typically driven by political, ideological, or purely destructive motives. The attacker’s agenda may be to disrupt critical infrastructure, cause chaos, or make a statement. Geopolitical tensions or conflicts can lead to an increased risk of wiperware attacks, so understanding these factors can help businesses assess their global risk exposure.
3. What happens during a wiperware attack?
The primary goal of a wiper attack is to destroy data and disrupt the targeted networks. But, beware: Wipers like Meteor can come packed with features that level up the typical attack approach of compromise, propagation, destruction, and disruption. These can include changing user passwords, deleting shadow copies, and disabling recovery modes.
4. Can I detect a wiperware attack in progress?
It’s vital to detect intruders on your network as early as possible, while they’re still gathering reconnaissance and perfecting their attack and before they break out to other systems. The more reconnaissance an attacker completes before striking, the more they learn about your setup, your backup provider, and more. Detection mechanisms should include:
- SIEM and intrusion detection systems
- Anomaly detection
- Behavioral analysis—user and entity behavior analytics (UEBA)
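As an added example (not part of the original article), here is a small Python detector that runs signature and behavioral checks over a handful of constructed Windows process-creation events, in the spirit of the SIEM, anomaly detection, and UEBA mechanisms listed above. It flags the wiper behaviours named in question 3 (shadow copy deletion, recovery mode disabled, backup catalog removal) and, as a UEBA-style rule, a burst of password resets from a single account. The event format, host names, account names, and command lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp | host | user | command line
SAMPLE_EVENTS = """\
2024-05-01T02:14:05 | WS-17 | CORP\\svc_backup | C:\\Windows\\System32\\cmd.exe /c dir C:\\Backups
2024-05-01T02:14:09 | WS-17 | CORP\\svc_backup | vssadmin.exe delete shadows /all /quiet
2024-05-01T02:14:10 | WS-17 | CORP\\svc_backup | bcdedit.exe /set {default} recoveryenabled no
2024-05-01T02:14:11 | WS-17 | CORP\\svc_backup | wbadmin.exe delete catalog -quiet
2024-05-01T02:14:12 | WS-17 | CORP\\svc_backup | net user alice Xk9!pass
2024-05-01T02:14:13 | WS-17 | CORP\\svc_backup | net user bob Xk9!pass
2024-05-01T02:14:14 | WS-17 | CORP\\svc_backup | net user carol Xk9!pass
2024-05-01T09:30:00 | WS-22 | CORP\\helpdesk | net user dave TempPass1
2024-05-01T09:31:00 | WS-22 | CORP\\helpdesk | vssadmin.exe list shadows
"""

# Signature rules: each maps a well-known recovery-destroying command to an alert name.
SIGNATURE_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# "net user <account> <password>" resets a local account password; a "/" argument
# (e.g. /add, /delete) is a different operation and is ignored here.
PASSWORD_CHANGE = re.compile(r"net(1)?(\.exe)?\s+user\s+(\S+)\s+(?!/)\S+", re.I)


def parse_event(line):
    ts, host, user, cmd = [part.strip() for part in line.split("|", 3)]
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def detect(events_text, burst_window=timedelta(seconds=60), burst_threshold=3):
    """Return (timestamp, host, alert_name) tuples for signature hits and reset bursts."""
    events = [parse_event(l) for l in events_text.splitlines() if l.strip()]
    alerts = []

    # 1. Signature matching: one alert per event per matching rule.
    for ev in events:
        for name, rx in SIGNATURE_RULES:
            if rx.search(ev["cmd"]):
                alerts.append((ev["ts"].isoformat(), ev["host"], name))

    # 2. Behavioral rule (UEBA-style): one actor resetting many distinct accounts
    #    within a short window, which a helpdesk user doing one reset never triggers.
    resets = defaultdict(list)
    for ev in events:
        m = PASSWORD_CHANGE.search(ev["cmd"])
        if m:
            resets[(ev["host"], ev["user"])].append((ev["ts"], m.group(3)))
    for (host, user), items in resets.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accounts = {acct for t, acct in items[i:] if t - t0 <= burst_window}
            if len(accounts) >= burst_threshold:
                alerts.append((t0.isoformat(), host, "mass_password_reset"))
                break
    return alerts


def correlate(alerts, min_distinct=2):
    """Hosts showing at least `min_distinct` different alert types: candidates for isolation."""
    kinds = defaultdict(set)
    for _, host, name in alerts:
        kinds[host].add(name)
    return sorted(h for h, names in kinds.items() if len(names) >= min_distinct)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ts, host, name in found:
        print(f"{ts} {host} {name}")
    print("isolate:", correlate(found))
```

The signature rules catch the individual commands, but the correlation step is what turns a noisy feed into an actionable signal: a single shadow-copy listing on a helpdesk workstation is routine, while shadow deletion, recovery disabling, and a burst of password resets on one host within seconds is the pre-detonation sequence the article describes.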
5. What steps can I take to prevent wiperware attacks?
In short, visibility is key. Once wiperware has been planted in an environment, your ability to prevent the attack itself will be limited at best, so the priority is ensuring you can recover from one of these devastating attacks. Start with a resiliency architecture that not only protects data but also keeps it available in the event of an attack. Tiered resiliency architectures spanning different logical and geographic locations can help you meet more diverse backup and recovery needs. Other preventive measures include:
- Immutable snapshots—preferably “super immutable,” like Pure Storage® SafeMode™ Snapshots
- Secure, tiered backup architectures
- Network security
- Endpoint protection
- Access controls and strong authentication (including admin credential vaulting)
- Employee training and executive tabletop exercises
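To make the value of retention-locked snapshots and a second tier concrete, here is an added Python model (not Pure Storage’s SafeMode code or any vendor’s implementation) of a volume whose snapshots cannot be deleted, and cannot have their retention shortened, before the lock expires, even by a caller holding admin credentials. A replica site stands in for the separate logical and geographic tier. The volume name, file contents, and retention periods are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Snapshot:
    name: str
    contents: dict           # point-in-time copy of the volume
    locked_until: datetime   # retention lock; deletion is refused before this time


class ImmutableVolume:
    """Toy model of a volume with retention-locked snapshots. Assumption for this
    example: no credential can shorten or bypass the lock, which is the property the
    article calls 'super immutable'. Access control is deliberately not modelled here:
    the point is that the lock holds even for a fully privileged caller."""

    def __init__(self, name, contents):
        self.name = name
        self.contents = dict(contents)
        self.snapshots = {}

    def take_snapshot(self, name, now, retention):
        self.snapshots[name] = Snapshot(name, dict(self.contents), now + retention)

    def extend_retention(self, name, new_locked_until):
        snap = self.snapshots[name]
        if new_locked_until < snap.locked_until:
            raise PermissionError("retention can be extended, never shortened")
        snap.locked_until = new_locked_until

    def delete_snapshot(self, name, now):
        snap = self.snapshots[name]
        if now < snap.locked_until:
            raise PermissionError(f"{name} is locked until {snap.locked_until:%Y-%m-%d}")
        del self.snapshots[name]

    def restore(self, name):
        self.contents = dict(self.snapshots[name].contents)


class ReplicaSite:
    """Second tier in another location; copies carry their own, independent lock."""

    def __init__(self):
        self.copies = {}

    def receive(self, snap, now, retention):
        self.copies[snap.name] = Snapshot(snap.name, dict(snap.contents), now + retention)


def simulate(now=datetime(2024, 5, 1)):
    """Walk through wipe, refused deletion, restore, and normal expiry; return the outcomes."""
    original = {"ledger.db": "rows 1..9000", "config.yml": "prod"}   # constructed contents
    vol = ImmutableVolume("erp-prod", original)
    vol.take_snapshot("nightly", now, timedelta(days=14))
    remote = ReplicaSite()
    remote.receive(vol.snapshots["nightly"], now, timedelta(days=30))

    # Simulated wiper that has obtained admin access: destroy live data, then try to
    # remove the recovery points so that nothing can be restored.
    vol.contents = {}
    live_data_wiped = vol.contents == {}
    refused = []
    try:
        vol.delete_snapshot("nightly", now + timedelta(hours=1))
    except PermissionError:
        refused.append("delete")
    try:
        vol.extend_retention("nightly", now)   # attempt to cut the lock down to "now"
    except PermissionError:
        refused.append("shorten")

    # Disaster recovery: restore from the snapshot the wiper could not touch.
    vol.restore("nightly")
    recovered = vol.contents == original

    # Normal lifecycle: once the lock has expired, the snapshot can be retired.
    vol.delete_snapshot("nightly", now + timedelta(days=15))
    expired_delete_ok = "nightly" not in vol.snapshots

    return {
        "live_data_wiped": live_data_wiped,
        "refused": refused,
        "recovered": recovered,
        "offsite_copy_intact": remote.copies["nightly"].contents == original,
        "expired_delete_ok": expired_delete_ok,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The two refused operations are the whole point: a snapshot that an administrator can delete or whose retention an administrator can shorten is only as safe as the admin credentials, which is exactly what a wiper with harvested credentials attacks. The replica site adds the second tier, so that a compromise of one location, or an expired lock at one location, still leaves a clean copy elsewhere.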
Get strategies to combat ransomware Before, During, and After an Attack.
6. What should I do if I’m the victim of a wiperware attack?
A wiperware attack is nothing short of a disaster, so executing on a disaster recovery plan in the wake of an attack is critical.
First, restoring from protected snapshots is the foundation of post-attack recovery. Storage-as-a-service providers like Pure Storage also offer ransomware recovery SLAs, which help you recover faster by shipping clean arrays to get you back online while the infected arrays are locked down for forensics.
Learn more about Pure Protect™ //DRaaS—a transformative solution that is reshaping the landscape of how businesses fortify their data and operations with business continuity in mind.
7. What legal and regulatory requirements are there regarding data protection and reporting wiperware incidents?
Depending on location and industry, businesses may need to comply with specific data protection and breach reporting regulations. Understanding these requirements is essential for legal compliance.
8. Can employees help to minimize the chance of wiperware threats?
Yes. Employee awareness, security hygiene, and training are vital components of any cybersecurity strategy.
9. Are there any specific industries or sectors that are more vulnerable to wiperware attacks?
Some industries or sectors may be more appealing targets for wiperware attacks due to their critical infrastructure (e.g., energy, financial services, and transportation) or sensitive and regulated data, like healthcare and financial services.
10. What investments can I make now to protect my enterprise from wiperware?
Investing in modern data storage is the starting point for better data protection against any threat. Wiperware has evolved to be more destructive by permanently erasing data and disrupting operations, often for non-financial reasons. Knowing the full potential of this destructive new attack should have your entire organization on guard and leveraging every possible resource to avoid a wiperware catastrophe.
Pure Storage offers built-in robust backup and recovery features and SLAs. Explore the cybersecurity page to read more articles on the latest trends and best practices.