{"id":448,"date":"2018-05-10T10:35:20","date_gmt":"2018-05-10T10:35:20","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/threatpost\/?p=131836"},"modified":"2018-05-10T10:35:20","modified_gmt":"2018-05-10T10:35:20","slug":"secrets-of-the-wiper-inside-the-worlds-most-destructive-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware\/","title":{"rendered":"Secrets of the Wiper: Inside the World\u2019s Most Destructive Malware"},"content":{"rendered":"<p>Shamoon, Black Energy, Destover, ExPetr\/Not Petya and Olympic Destroyer: All of these wipers, and others like them, have the singular purpose of destroying systems and\/or data, usually causing great financial and reputational damage to victim companies. However, the threat actors behind this kind of code, whether they\u2019re bent on sending a political message or simply want to cover their tracks after data exfiltration, have adopted various techniques to carry out those activities.<\/p>\n<p>Cisco Talos researcher Vitor Ventura, along with contributions from Martin Lee, noted in a <a href=\"https:\/\/blog.talosintelligence.com\/2018\/05\/wipers-destruction-as-means-to-end.html\">report published on Tuesday<\/a> that malware with destructive payloads has been around since the early days of virus development. However, the delivery methods and level of destruction of wiper malware have evolved. Damage can range from the overwriting of specific files to the destruction of the entire file system; and the amount of data impacted and the difficulty of the recovery process are a direct consequence of the technique used. 
In any case, it\u2019s usually well-crafted code at the root of the bomb.<\/p>\n<p><strong>A Look Inside the Wiper Anatomy<\/strong><\/p>\n<p>To understand the varying techniques that attackers use, it\u2019s possible to break down a typical wiper according to three targets: files (data), the boot section of the machine\u2019s operating system, and backups of system and data. Most wipers target all three.<\/p>\n<p>The activity that takes the longest to perform is the actual file destruction. To be more efficient, wipers rarely overwrite the entire hard disk.<\/p>\n<p>\u201cThere are wipers that will create a list of targeted files, and others will list all files in specific folders,\u201d explained Ventura. \u201cSome of them will only rewrite a certain amount of bytes at the beginning of each file [and] they will overwrite the file completely if the files are smaller than that amount. This is just enough to destroy the headers of the files, which renders them useless.\u201d<\/p>\n<p>Other wipers may write a certain number of bytes in a pattern. For instance, the malware could write 100 kilobytes of data every five megabytes sequentially through the hard disk.<\/p>\n<p>\u201cThis means that the wiper will destroy files at random without any predictable pattern,\u201d the researcher said. \u201cBoth methods may be followed by the destruction of the master file table, which is where the Windows file system (NTFS for recent versions) keeps records of the file locations and associated metadata.\u201d<\/p>\n<p>This last step makes advanced recovery tools practically impossible to use, because they lack the information needed to recover the files.<\/p>\n<p>Destroying the boot section and backups, meanwhile, is a fairly quick process. 
Boot section destruction can be done in two ways, depending on the purpose, according to Ventura.<\/p>\n<p>\u201cIt can simply erase the first 10 sectors of the physical disks (master boot record location), or the malware [like <a href=\"https:\/\/threatpost.com\/ics-cert-revises-recommendations-to-avoid-shamoon-infections\/100204\/\">Shamoon<\/a>] can rewrite these first 10 sectors with a new boot loader that will perform additional damage,\u201d he explained. \u201cEither way, the original operating system becomes unbootable. Usually, along with master boot record destruction, the wipers will also use operating system command-line utilities to destroy the recovery console.\u201d<\/p>\n<p>Backup destruction is commonly done by simply deleting any shadow copies of the data.<\/p>\n<p>\u201cThis can be done easily by the execution of some legitimate operating system command-line tools,\u201d Ventura said.<\/p>\n<p><strong>Under the Radar<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-131848 size-full\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/31\/2018\/05\/10062612\/Wiper_Timeline_1.png\" alt=\"\" width=\"225\" height=\"767\"\/><\/p>\n<p>When it comes to evading detection (until it\u2019s too late), a wiper may use several different techniques.<\/p>\n<p>For instance, a custom bootloader could perform the destruction upon reboot, thus bypassing the operating system protections. However, in the Shamoon attacks, the authors used a trial version of a legitimate driver to get access to the file system, bypassing the operating system API altogether, along with any protections enforced by the operating system. That also allows for the destruction of files while the system is still running.<\/p>\n<p>\u201cObviously, these techniques require the adequate privilege level and\/or operating system,\u201d Ventura said. 
\u201cThat is why some wipers will fall back from one technique to the other depending on the conditions of the victim\u2019s system.\u201d<\/p>\n<p>Yet another tactic, as seen with <a href=\"https:\/\/threatpost.com\/olympic-destroyer-a-false-flag-confusion-bomb\/130262\/\">Olympic Destroyer<\/a>, is disabling all services on the operating system.<\/p>\n<p>\u201cThis alone does not destroy data, but it makes the recovery of the system almost impossible without reinstallation, which creates a service unavailability,\u201d Ventura explained.<\/p>\n<p>In the case of <a href=\"https:\/\/threatpost.com\/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack\/127477\/\">NotPetya<\/a>, which Ventura called \u201cprobably the most devastating cybersecurity incident to be publicly known,\u201d the attackers compromised a supply-chain vendor, M.E.Doc, using the software as a way to execute their own code in their victim\u2019s systems. It also adjusted its destruction mechanisms to the anti-virus software present on the system.<\/p>\n<p>\u201cThe attackers had access to their victims\u2019 systems for several months, and their last action was the release of a highly destructive payload with very effective spreading mechanisms,\u201d the researchers said.<\/p>\n<p><strong>Propagation<\/strong><\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/31\/2018\/05\/10062651\/Wiper_Timeline_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-131849 size-full\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/31\/2018\/05\/10062651\/Wiper_Timeline_2.png\" alt=\"\" width=\"253\" height=\"734\"\/><\/a>Malware will often be designed to replicate to other systems \u2013 and this holds true for wipers.<\/p>\n<p>Olympic Destroyer went the way of the worm, performing self-replication and lateral movement inside networks.<\/p>\n<p>\u201cThe malware will harvest credentials from the system, which 
are then used to perform remote copy and execution of the wiper, hopping from system to system,\u201d Ventura said, adding that gaining remote execution usually involves the use of legitimate administration mechanisms such as the psexec tool and the Windows Management Instrumentation command-line utility (WMIC).<\/p>\n<p>Similarly, NotPetya\u2019s spreading mechanism was designed to harvest passwords as well as take advantage of legitimate Windows protocols.<\/p>\n<p>\u201cBy using legitimate tools and credentials, it was able to mimic business-as-usual behavior and traffic patterns, making detection harder for the defenders,\u201d Ventura noted.<\/p>\n<p>Some of the worms also carry code to exploit vulnerabilities that allow remote code execution when all other means of propagation fail. <a href=\"https:\/\/threatpost.com\/black-energy-malware-may-be-exploiting-patched-wincc-flaw\/109835\/\">Black Energy<\/a>, for example, was suspected of exploiting a patched vulnerability in the Siemens SIMATIC WinCC software.<\/p>\n<p><strong>Sabotage and Terrorism<\/strong><\/p>\n<p>Unlike malware that holds data for ransom, when a malicious actor decides to use a wiper, there\u2019s often no direct financial motivation. For businesses, it can be catastrophic, given that there\u2019s no expectation of data recovery.<\/p>\n<p>Ventura postulated that the goal of the actors is akin to that of a terrorist attack: To sabotage and sow fear, uncertainty and doubt.<\/p>\n<p>\u201cIn the past, wiper attacks have been used by malicious actors with a dual purpose: Generate social destabilization while sending a public message, while also destroying all traces of their activities,\u201d he wrote.<\/p>\n<p>While wiper malware can be business-killing, there are steps that companies can take to defend themselves. 
Thwarting these attacks often comes down to the basics.<\/p>\n<p>Wiper malware is also used after nation-state-sponsored cyber-espionage activity, to make attribution and damage assessment difficult or impossible. In the case of <a href=\"https:\/\/threatpost.com\/details-emerge-on-sony-wiper-malware-destover\/109727\/\">Destover<\/a>, the event horizon was set to occur after the actors, possibly <a href=\"https:\/\/threatpost.com\/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group\/116422\/\">affiliated<\/a> with the North Korea-linked Lazarus Group, picked the networks of Sony Pictures clean of information.<\/p>\n<p>\u201cBy having certain protections in place \u2014 a tested cybersecurity incident response plan, a risk-based patch management program, a tested and cybersecurity-aware business continuity plan, and network and user segmentation on top of the regular software security stack \u2014 an organization dramatically increases its resilience against these kinds of attacks,\u201d said Ventura.<\/p>\n<p> READ MORE <a href=\"https:\/\/threatpost.com\/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware\/131836\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The actors behind this kind of code, whether they\u2019re bent on sending a political message or simply wanting to cover their tracks after data exfiltration, have adopted various techniques to carry out those activities. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":449,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[3],"tags":[335,336,125,337,126,18,77,28,338,339,340,341,342],"class_list":["post-448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threatpost","tag-anatomy-of-malware","tag-cisco-talos","tag-critical-infrastructure","tag-expetr-not-petya","tag-government","tag-hacks","tag-iot","tag-malware","tag-notpetya","tag-olympic-destroyer","tag-shamoon","tag-techniques","tag-wiper"]}