{
	"id": "dd3fd1e9-3409-4c45-8cd1-fc14a08c1cf8",
	"created_at": "2026-04-06T00:13:53.75889Z",
	"updated_at": "2026-04-10T13:11:49.673739Z",
	"deleted_at": null,
	"sha1_hash": "2ad735c2f0d7f502e329007c676fd6cf80737300",
	"title": "The Year of the Wiper | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1762423,
	"plain_text": "The Year of the Wiper | FortiGuard Labs\r\nBy Geri Revay\r\nPublished: 2023-01-24 · Archived: 2026-04-05 14:44:57 UTC\r\nFortiGuard Labs has been actively tracking wiper malware targeting Ukrainian organizations since the start of the\r\n2022 Russia-Ukraine conflict. The sudden spike in wiper malware began early in the year with numerous new\r\nwiper samples targeted at Ukraine. It displayed a side of cyberattacks we rarely see: pure destruction. We\r\npublished an article in April 2022 to help people understand the context, history, and technical setup of wiper\r\nattacks. This post focuses on what happened during the rest of the year and how wiper malware and its attack scenarios\r\nhave changed.\r\nAffected Platforms: Multiple\r\nImpacted Users: Large organizations\r\nImpact: Data loss and OS and file corruption\r\nSeverity Level: High\r\nRecap\r\nSince that last report, quite a few new samples have been launched. Figure 1 shows an updated version of a\r\ntimeline we have used in the past. In April, we were already surprised by the significant increase in wipers. As you\r\ncan see, it increased even further over the rest of the year.\r\nFigure 1 - Wiper malware timeline\r\nhttps://www.fortinet.com/blog/threat-research/the-year-of-the-wiper\r\nPage 1 of 9\n\nWipers in the War\r\nMuch of the wiper malware seen in the first half of 2022, whether attributed or not, was deployed against\r\nUkrainian organizations. These include HermeticWiper, CaddyWiper, IsaacWiper, WhisperGate, and others. When\r\nyou think about it, the growth in wiper malware during a conflict is hardly a surprise. It can scarcely be\r\nmonetized. The only viable use case is destruction, sabotage, and cyberwar.\r\nOne interesting event was the AcidRain wiper malware that targeted the satellite modems of a global satellite\r\ncommunications provider, which caused modems to lose connections to their satellite network. 
The message was\r\nclear: even if a cyberattack is used to target Ukraine, its effects can easily spill over and affect other countries and\r\norganizations. It is vital that we track these new highly malicious attacks.\r\nMotivation: Hacktivism\r\nAs the year progressed, pro-Russian hacktivism also increased. We saw that in our telemetry, showing, for\r\nexample, an increase in DDoS attacks in Nordic countries, especially Finland (Figure 2).\r\nFigure 2 - Fortinet combined IPS, malware, and botnet detections in the Nordic countries\r\nHacktivism is usually associated with DoS and defacement attacks. This time, however, some actors began\r\nrepurposing their ransomware as wipers by not providing a decryption key. If no decryption is provided, then\r\nransomware essentially acts as a wiper. We saw actors begin to do this intentionally.\r\nFor instance, the Somnia ransomware was deployed at several Ukrainian organizations. The attackers\r\ncompromised systems using a fake software installer and established a persistent presence. Like most ransomware\r\nattacks, they exfiltrated data and kept their access as long as needed. But at the end of the attack, no decryptor was\r\noffered, meaning the files remained encrypted and useless.\r\nThe Most Intriguing Wiper of the Year\r\nThe most intriguing wiper we documented in the second half of 2022 was one named ‘Azov.’ Its second version\r\nquickly drew media attention because it delivered a message written in the name of well-known security\r\nresearchers. These researchers denied any connection to the malware. It also delivered a pro-Ukrainian message\r\nclaiming it was using the malware to draw more attention to the Ukraine-Russia war. However, so far, no\r\nattribution has been made.\r\nAs it turned out, though, the message was not the most interesting part of the malware. 
It is also very compelling\r\nfrom a technical perspective.\r\nFirst, it was written in assembly language and built with the FASM tool. This is unusual because most new\r\nmalware is written in languages such as Python, .NET or C/C++. It also contradicts everyone’s first impression\r\nthat it was a prank used to blame security researchers. It seems unlikely that anybody would go to the\r\neffort of writing malware in assembly just for a joke.\r\nIt also implements polymorphic code creation to inject itself into legitimate EXE files on the infected machine. It\r\nthen executes a backdooring function by injecting a modified version of itself into EXE files. This provides\r\npersistence to the malware because it can run again once the backdoored files are executed.\r\nIt also implements a variety of anti-analysis techniques:\r\nOpaque predicates\r\nAnti-debug\r\nSyntactic bloat and junk code\r\nUsing CALL instructions instead of RET or JMP\r\nDynamically creating the Import Address Table\r\nAll this demonstrates that this malware was not created for fun. It is a sophisticated wiper that implements a\r\nvariety of modern techniques, clearly the work of a sophisticated threat actor.\r\nImproving Performance\r\nRansomware authors understand that encryption speed is often crucial for a successful operation. Once encryption\r\nis started, they are in a race against the incident response team, who might detect them at any time. As a result,\r\nthey have invested in performance optimization. Some new ransomware now implements a multi-threaded architecture\r\nthat enables it to run multiple encryption threads in parallel. Other operators have realized that encrypting files in\r\ntheir entirety is time-consuming—and may not even be necessary. The BlackCat ransomware, for instance,\r\nimplements multiple different encryption strategies with varying improvements in performance (see this\r\nVirusBulletin presentation).\r\nA similar problem exists for wipers. 
Traditionally, wipers would erase an entire disk using a kernel driver, delete\r\nfiles using different techniques, and/or alter the content of files (more on techniques in our last article). These all\r\ntake time. As a result, some authors began experimenting with performance optimization.\r\nThe DoubleZero wiper, for instance, only erases the first 4096 bytes of targeted files. This means that most of the\r\ndata in an average file would not be erased. However, it’s also true that restoring these files at scale would be very\r\nimpractical. For instance, modern Microsoft .docx files are essentially a collection of compressed XML files.\r\nDeleting the first 4096 bytes from them would corrupt the compression and the generic file structure, meaning\r\nthese files would not work anymore. Recreating a functioning file with manual forensic work might be possible,\r\nbut it is simply not feasible when dealing with hundreds or thousands of files.\r\nThe Azov wiper also implemented a somewhat more optimized wiping process. It does not remove all data in each\r\nfile. Instead, it only targets 666 bytes in an alternating pattern (666 bytes overwritten, 666 bytes intact, 666 bytes\r\noverwritten, etc.) up to 4 GB.\r\nTargeting OT\r\nOT environments also saw their fair share of wipers. We already mentioned the attack against the satellite provider\r\n(and, by extension, the German windmills). Another interesting attack using the Industroyer.V2 malware targeted\r\na Ukrainian high-voltage electric substation. That attack aimed to manipulate the electric relays to take the\r\nsubstation offline. In the context of OT, I would consider the use of the Industroyer.V2 malware to be\r\na wiper. Traditional IT wipers have the goal of destroying the crown jewels of IT, the data. 
Industroyer.V2 was\r\nused to destroy the crown jewel of that substation, its operation.\r\nIf this was not enough, the Industroyer.V2 malware was deployed along with three other wipers, potentially from\r\ndifferent actors:\r\nCaddyWiper for Windows machines\r\nAWFULSHRED for Linux/Unix machines\r\nSOLOSHRED for Solaris machines\r\nThis serves as a reminder that OT environments are being actively targeted by different threat actors, ranging\r\nfrom ransomware operators to state-sponsored APTs.\r\nIn Development\r\nAn interesting new project to pay attention to is the Endurance wiper. It is an open-source wiper that seemingly\r\naspires to become ransomware. Figure 3 shows the malware’s features and readiness state as described by the\r\nauthor.\r\nFigure 3 - Endurance wiper/ransomware features\r\nCurrently, Endurance’s file-wiping capabilities offer three wiping modes, with each mode defining how many\r\ntimes content should be overwritten. It also offers CONTENT deletion and FILE deletion functions. The\r\nCONTENT deletion (Figure 4) function is responsible for overwriting the contents of a file on disk.\r\nFigure 4 - Loop to overwrite the file's content multiple times\r\nThe FILE deletion function (Figure 5) updates all file attributes and then erases the file from the disk.\r\nFigure 5 - File deletion overwrites all file attributes and removes the file\r\nThis tool is actively in development, although at the time of testing, we had to fix the code to build it. Since it is\r\nopen-source, this could provide an easy entry point for attackers wanting to join the wiper/ransomware game.\r\nConclusion\r\n2022 provided us with new perspectives on destructive malware. We saw different wiping techniques,\r\nmotivations, actors, and deployment scenarios. 
New wiper instances, such as the Azov\r\nand Endurance wipers, show that actors are actively engaged in increasingly malicious activity. They are also\r\nresponding to shorter threat detection and response times by optimizing the performance of their\r\nwiping strategies. And we are also seeing increased attention being paid to OT networks, such as the example of\r\nthe Industroyer.V2 malware. The point is clear. The gloves are off as threat actors increasingly engage in attacks\r\ndesigned with one purpose: to destroy their targets.\r\nFortinet Protection\r\nThe Fortinet Antivirus engine protects against all binaries discussed in this report using dedicated AV signatures.\r\nThe FortiGuard Web Filtering service rates the C2 server as ‘Malicious’ and blocks it accordingly.\r\nFortiMail and FortiSandbox detect and quarantine the malicious attachments in this campaign, and Fortinet’s CDR\r\n(Content Disarm and Reconstruction) service can disable them.\r\nFortiEDR natively detects and blocks the malicious executables identified in the report based on their behavior.\r\nIn addition to these protections, Fortinet can help train 
users to detect and understand phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE NSE training program—NSE 1 – Information Security Awareness—includes a module on Internet\r\nthreats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs\r\n
Source: https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper"
	],
	"report_names": [
		"the-year-of-the-wiper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ad735c2f0d7f502e329007c676fd6cf80737300.pdf",
		"text": "https://archive.orkl.eu/2ad735c2f0d7f502e329007c676fd6cf80737300.txt",
		"img": "https://archive.orkl.eu/2ad735c2f0d7f502e329007c676fd6cf80737300.jpg"
	}
}