{
	"id": "1bf93be4-3bda-4031-81ca-4092c7e9e1e3",
	"created_at": "2026-04-06T00:10:06.824067Z",
	"updated_at": "2026-04-10T03:30:36.217943Z",
	"deleted_at": null,
	"sha1_hash": "5e8b3c3093f16e6616e5dde5417347e231473aad",
	"title": "The Anatomy of Wiper Malware, Part 3: Input/Output Controls | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8165321,
	"plain_text": "The Anatomy of Wiper Malware, Part 3: Input/Output Controls | CrowdStrike\r\nBy Ioan Iacob - Iulian Madalin Ionita\r\nArchived: 2026-04-02 10:40:36 UTC\r\nThis is the third blog post in a four-part series. Read Part 1 | Part 2 | Part 4. In Part 1 of this four-part blog series examining wiper malware, the CrowdStrike Endpoint Protection Content Research Team introduced the topic of wipers, reviewed their recent history and presented common adversary techniques that leverage wipers to destroy system data. In Part 2, the team dove into third-party drivers and how they may be used to destroy system data. In Part 3, we cover various input/output controls (IOCTLs) in more detail and how they are used to achieve different goals, including acquiring information about infected machines and locking/unlocking disk volumes, among others.\r\nInput/Output Control (IOCTL) Primer\r\nThroughout our analysis, we encountered different uses of IOCTLs across samples. These are used to obtain information about volumes or disks, as well as to achieve other functionalities like locking, unlocking or unmounting a volume, fragmentation of data on disk, and others. 
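The raw constants a sample passes to DeviceIoControl become readable once they are split into the fields of the CTL_CODE macro. The decoder below is an added example, not code from the CrowdStrike post or from any of the wipers it analyzes; it applies the public CTL_CODE bit layout from winioctl.h to a list of the control codes this post discusses. The names DEVICE_TYPES, decode_ioctl, requires_write_access and write_requiring are this example's own, and the WIPER_IOCTLS list is constructed here for the demonstration.

```python
# Added example; not code from the CrowdStrike post. It decodes a raw Windows
# I/O control code into the four fields packed by the public CTL_CODE macro
# (winioctl.h):
#     code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
# so an analyst looking at a DeviceIoControl call in a disassembler can recover
# what the constant means without a header file.

# Device types, transfer methods and access bits as defined in winioctl.h.
# Only the device types needed for the codes this post discusses are listed;
# 0x56 is the ASCII 'V' that IOCTL_VOLUME_BASE is defined as.
DEVICE_TYPES = {
    0x07: 'FILE_DEVICE_DISK',
    0x09: 'FILE_DEVICE_FILE_SYSTEM',
    0x2D: 'FILE_DEVICE_MASS_STORAGE',
    0x56: 'IOCTL_VOLUME_BASE',
}
METHODS = {
    0: 'METHOD_BUFFERED',
    1: 'METHOD_IN_DIRECT',
    2: 'METHOD_OUT_DIRECT',
    3: 'METHOD_NEITHER',
}
ACCESS = {
    0: 'FILE_ANY_ACCESS',
    1: 'FILE_READ_ACCESS',
    2: 'FILE_WRITE_ACCESS',
    3: 'FILE_READ_ACCESS | FILE_WRITE_ACCESS',
}


def decode_ioctl(code):
    # Split a 32-bit control code into its CTL_CODE fields.
    return {
        'device_type': (code >> 16) & 0xFFFF,
        'access': (code >> 14) & 0x3,
        'function': (code >> 2) & 0xFFF,
        'method': code & 0x3,
    }


def ctl_code(device_type, function, method, access):
    # Inverse of decode_ioctl: the CTL_CODE macro itself.
    return (device_type << 16) | (access << 14) | (function << 2) | method


def requires_write_access(code):
    # True when the I/O manager rejects the request on a handle that was not
    # opened with write access (FILE_WRITE_ACCESS bit set in the access field).
    return bool(decode_ioctl(code)['access'] & 0x2)


def describe(code, name=''):
    # One-line summary, e.g. for annotating a disassembly listing.
    f = decode_ioctl(code)
    dev_id = f['device_type']
    dev = DEVICE_TYPES.get(dev_id, f'unknown device 0x{dev_id:X}')
    fn = f['function']
    return (f'0x{code:08X} {name}: {dev}, function 0x{fn:03X}, '
            + METHODS[f['method']] + ', ' + ACCESS[f['access']])


# Constructed for the demo: a subset of the control codes tabulated in this post.
WIPER_IOCTLS = [
    ('IOCTL_DISK_GET_DRIVE_LAYOUT_EX', 0x00070050),
    ('IOCTL_DISK_SET_DRIVE_LAYOUT_EX', 0x0007C054),
    ('IOCTL_DISK_DELETE_DRIVE_LAYOUT', 0x0007C100),
    ('FSCTL_LOCK_VOLUME', 0x00090018),
    ('FSCTL_DISMOUNT_VOLUME', 0x00090020),
    ('FSCTL_GET_VOLUME_BITMAP', 0x0009006F),
    ('FSCTL_MOVE_FILE', 0x00090074),
    ('FSCTL_SET_ZERO_DATA', 0x000980C8),
    ('IOCTL_STORAGE_GET_DEVICE_NUMBER', 0x002D1080),
    ('IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS', 0x00560000),
]


def write_requiring(codes=WIPER_IOCTLS):
    # Names of the codes a sample can only issue on a handle opened for writing.
    return [name for name, code in codes if requires_write_access(code)]


if __name__ == '__main__':
    for name, code in WIPER_IOCTLS:
        print(describe(code, name))
    print('need a write handle:', write_requiring())
```

The access field only records which handle rights the I/O manager checks before dispatching the request; it is not a destructiveness flag. FSCTL_LOCK_VOLUME and FSCTL_DISMOUNT_VOLUME decode to FILE_ANY_ACCESS, yet the dismount is the step that takes the volume away from the file system, so a detection rule keyed on write access alone would miss it.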
The analyzed samples use the following IOCTLs:\r\nIOCTL | IOCTL Constant Name | Used By\r\n0x00070000 | IOCTL_DISK_GET_DRIVE_GEOMETRY | Petya wiper variant, Dustman and ZeroCleare\r\n0x000700A0 | IOCTL_DISK_GET_DRIVE_GEOMETRY_EX | DriveSlayer, Dustman and ZeroCleare, IsaacWiper\r\n0x00070048 | IOCTL_DISK_GET_PARTITION_INFO_EX | Shamoon 2, Petya wiper variant\r\n0x00070050 | IOCTL_DISK_GET_DRIVE_LAYOUT_EX | DriveSlayer\r\n0x0007405C | IOCTL_DISK_GET_LENGTH_INFO | StoneDrill, Dustman and ZeroCleare\r\n0x0007C054 | IOCTL_DISK_SET_DRIVE_LAYOUT_EX | CaddyWiper\r\n0x0007C100 | IOCTL_DISK_DELETE_DRIVE_LAYOUT | SQLShred\r\n0x00090018 | FSCTL_LOCK_VOLUME | DriveSlayer, StoneDrill, IsaacWiper\r\n0x0009001C | FSCTL_UNLOCK_VOLUME | IsaacWiper\r\n0x00090020 | FSCTL_DISMOUNT_VOLUME | DriveSlayer, Petya wiper variant, StoneDrill\r\n0x00090064 | FSCTL_GET_NTFS_VOLUME_DATA | DriveSlayer\r\n0x00090068 | FSCTL_GET_NTFS_FILE_RECORD | DriveSlayer\r\n0x0009006F | FSCTL_GET_VOLUME_BITMAP | DriveSlayer\r\n0x00090073 | FSCTL_GET_RETRIEVAL_POINTERS | DriveSlayer, Shamoon 2\r\n0x00090074 | FSCTL_MOVE_FILE | DriveSlayer\r\n0x000900A8 | FSCTL_GET_REPARSE_POINT | SQLShred\r\n0x000980C8 | FSCTL_SET_ZERO_DATA | DoubleZero\r\n0x002D1080 | IOCTL_STORAGE_GET_DEVICE_NUMBER | DriveSlayer, IsaacWiper\r\n0x00560000 | IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS | DriveSlayer, Petya wiper variant, SQLShred, Dustman and ZeroCleare\r\nWhile the majority of the wiper families use a few IOCTLs, DriveSlayer makes use of an extensive list of IOCTLs to achieve its goals. Some I/O control codes are used to acquire information about the disks of the infected machine, such as the partition layout and NTFS volume data, while others move files, fingerprint the drive, etc.\r\nAcquiring Information\r\nIn the example below, DriveSlayer is using the IOCTL_DISK_GET_DRIVE_LAYOUT_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX IOCTLs to obtain information about the partitions and geometry of a drive. 
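What a wiper does with those two answers, as an added example that is not part of the CrowdStrike post and not DriveSlayer's own code: parse the DISK_GEOMETRY_EX and DRIVE_LAYOUT_INFORMATION_EX output buffers (together with the NTFS_VOLUME_DATA_BUFFER returned by FSCTL_GET_NTFS_VOLUME_DATA, which this post discusses later under File Iteration) into the disk sector ranges holding the MBR, each partition's boot sector, and the MFT and its mirror. The buffers are constructed sample data, the function names (parse_drive_layout_ex, wipe_targets, build_sample_buffers) are this example's own, and the choice to cover exactly the first four mirrored MFT records is an assumption.

```python
# Added example; not code from the CrowdStrike post and not DriveSlayer's own
# routine. It turns the output buffers of IOCTL_DISK_GET_DRIVE_GEOMETRY_EX,
# IOCTL_DISK_GET_DRIVE_LAYOUT_EX and FSCTL_GET_NTFS_VOLUME_DATA into the raw
# sector ranges a wiper would schedule for overwriting: the MBR, each
# partition's boot sector, and the MFT and its mirror.
# The buffers below are constructed sample data, not captured from a machine;
# structure offsets follow the public winioctl.h layouts on x64.
import struct


def parse_geometry_ex(buf):
    # DISK_GEOMETRY_EX = DISK_GEOMETRY (Cylinders q, MediaType I, TracksPerCylinder I,
    # SectorsPerTrack I, BytesPerSector I = 24 bytes) followed by DiskSize (q).
    bytes_per_sector = struct.unpack_from('<I', buf, 20)[0]
    disk_size = struct.unpack_from('<q', buf, 24)[0]
    return bytes_per_sector, disk_size


def parse_drive_layout_ex(buf):
    # DRIVE_LAYOUT_INFORMATION_EX: PartitionStyle I, PartitionCount I, a 40-byte
    # Mbr/Gpt union, then PARTITION_INFORMATION_EX entries of 144 bytes each with
    # StartingOffset (q) at +8, PartitionLength (q) at +16, PartitionNumber (I) at +24.
    style, count = struct.unpack_from('<II', buf, 0)
    parts = []
    for i in range(count):
        start, length, number = struct.unpack_from('<qqI', buf, 48 + i * 144 + 8)
        if length:  # MBR layouts report all four primary slots; unused ones are zero
            parts.append({'number': number, 'start': start, 'length': length})
    return style, parts


def parse_ntfs_volume_data(buf):
    # NTFS_VOLUME_DATA_BUFFER, 96 bytes, little-endian, in declaration order.
    names = ('volume_serial', 'number_sectors', 'total_clusters', 'free_clusters',
             'total_reserved', 'bytes_per_sector', 'bytes_per_cluster',
             'bytes_per_file_record', 'clusters_per_file_record', 'mft_valid_data_length',
             'mft_start_lcn', 'mft2_start_lcn', 'mft_zone_start', 'mft_zone_end')
    return dict(zip(names, struct.unpack_from('<qqqqqIIIIqqqqq', buf, 0)))


def sectors(nbytes, bps):
    # Round a byte length up to whole sectors.
    return -(-nbytes // bps)


def wipe_targets(geometry_buf, layout_buf, ntfs_bufs):
    # ntfs_bufs maps partition number -> NTFS_VOLUME_DATA_BUFFER for NTFS partitions.
    # Returns (first_sector, sector_count, label) tuples in disk sector units.
    bps, _disk_size = parse_geometry_ex(geometry_buf)
    _style, parts = parse_drive_layout_ex(layout_buf)
    targets = [(0, 1, 'MBR')]  # sector 0: the MBR, or the protective MBR on a GPT disk
    for p in parts:
        num, start = p['number'], p['start']
        targets.append((start // bps, 1, f'VBR of partition {num}'))
        if num not in ntfs_bufs:
            continue
        v = parse_ntfs_volume_data(ntfs_bufs[num])
        bpc = v['bytes_per_cluster']
        # Volume-relative LCNs become disk offsets by adding the partition start.
        mft = start + v['mft_start_lcn'] * bpc
        targets.append((mft // bps, sectors(v['mft_valid_data_length'], bps),
                        f'MFT of partition {num}'))
        # $MFTMirr holds a copy of the first four MFT records (assumption: wipe exactly those).
        mirr = start + v['mft2_start_lcn'] * bpc
        targets.append((mirr // bps, sectors(4 * v['bytes_per_file_record'], bps),
                        f'MFT mirror of partition {num}'))
    return targets


def build_sample_buffers():
    # Constructed 66 MiB disk: MBR style, one NTFS partition at 1 MiB, 512-byte sectors.
    disk_size = 66 * 1024 * 1024
    geometry = struct.pack('<qIIII', 8, 12, 255, 63, 512) + struct.pack('<q', disk_size)
    header = struct.pack('<II', 0, 4) + struct.pack('<II', 0xDEADBEEF, 0) + bytes(32)
    entry = (struct.pack('<I', 0) + bytes(4)
             + struct.pack('<qqI', 1024 * 1024, 64 * 1024 * 1024, 1) + bytes(116))
    layout = header + entry + bytes(144 * 3)
    ntfs = struct.pack('<qqqqqIIIIqqqqq', 0x1234, 131071, 16383, 10000, 0,
                       512, 4096, 1024, 0, 262144, 4, 8191, 4, 2048)
    return geometry, layout, {1: ntfs}


if __name__ == '__main__':
    for first, count, label in wipe_targets(*build_sample_buffers()):
        print(f'{label}: sector {first}, {count} sector(s)')
```

A real caller must size the layout buffer for 48 + 144 * PartitionCount bytes; DeviceIoControl fails with ERROR_INSUFFICIENT_BUFFER otherwise, which is why samples typically retry with a larger allocation. The same offsets are useful on the defending side: a user-mode process that issues IOCTL_DISK_GET_DRIVE_LAYOUT_EX, then FSCTL_GET_NTFS_VOLUME_DATA, and then raw writes at StartingOffset and at MftStartLcn * BytesPerCluster has performed exactly the sequence this section describes.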
This helps the wiper to determine the location of the MFTs and MBRs in order for them to be scheduled for wiping. Similar implementations can be found using the other IOCTLs in IsaacWiper, the Petya wiper variant, Dustman or ZeroCleare.\r\nFigure 1. DriveSlayer acquires disk layout information via IOCTL_DISK_GET_DRIVE_LAYOUT_EX, followed by the usage of the returned data to determine which disk sectors to overwrite\r\nDriveSlayer also uses IOCTL_STORAGE_GET_DEVICE_NUMBER to grab information such as the partition number and device type, which is later used in the wiping process.\r\nFigure 2. Acquire various other info via the IOCTL_STORAGE_GET_DEVICE_NUMBER IOCTL\r\nVolume Unmounting\r\nThe FSCTL_LOCK_VOLUME and FSCTL_DISMOUNT_VOLUME IOCTLs are used by DriveSlayer to lock and unmount a disk volume after the wiping routine has finished. In order to do so, DriveSlayer grabs a list of all the drive letters via GetLogicalDriveStrings, iterates through all of them, acquires a handle to each volume and sends the two IOCTLs via the DeviceIoControl API. A similar implementation is found in the Petya wiper variant and StoneDrill as well.\r\nFigure 3. Acquire list of drives via the GetLogicalDriveStrings API and send it to the callback function to lock and dismount\r\nThe usage of the FSCTL_LOCK_VOLUME and FSCTL_DISMOUNT_VOLUME I/O control codes can be seen in the following function call.\r\nFigure 4. Usage of FSCTL_LOCK_VOLUME and FSCTL_DISMOUNT_VOLUME for locking and dismounting the volume\r\nDestroying All Disk Contents\r\nBesides the common approach of overwriting the MBR, SQLShred also calls the DeviceIoControl API with the IOCTL_DISK_DELETE_DRIVE_LAYOUT I/O control code in order to make sure the disk is treated as unformatted from sector 0x00 onward.\r\nFigure 5. Usage of IOCTL_DISK_DELETE_DRIVE_LAYOUT, which removes the boot signature from the master boot record so that the disk will be formatted from sector zero to the end of the disk\r\nOverwriting Disk Clusters\r\nThe FSCTL_GET_VOLUME_BITMAP IOCTL is used by DriveSlayer to acquire a bitmap representation of the occupied clusters of a disk volume. The bitmap is returned as a data structure that describes the allocation state of each cluster in the file system, where a set bit marks a cluster that is in use. DriveSlayer uses this bitmap to overwrite the occupied clusters with randomly generated data.\r\nFigure 6. Grab bitmap representation of cluster usage via FSCTL_GET_VOLUME_BITMAP\r\nData Fragmentation\r\nDriveSlayer uses two IOCTLs to fragment the data on disk, thus making file recovery harder. In order to fragment the data, the wiper determines the location on disk of individual files by requesting cluster information via the FSCTL_GET_RETRIEVAL_POINTERS IOCTL. The wiper continues by relocating virtual clusters using the FSCTL_MOVE_FILE IOCTL.\r\nFigure 7. Fragmentation of data by using the FSCTL_MOVE_FILE IOCTL\r\nFile Type Determination\r\nWhen getting information about files, besides the GetFileAttributesW API, the SQLShred wiper is also using the FSCTL_GET_REPARSE_POINT IOCTL to retrieve the reparse point data associated with a file or directory. In this case, the wiper uses it to check whether the file is a symlink or the directory represents a mount point.\r\nFigure 8. Obtaining the reparse point data associated with the file or directory by using the FSCTL_GET_REPARSE_POINT IOCTL, followed by checks for symlinks or mount points\r\nFile Iteration\r\nWipers like DriveSlayer will attempt to determine existing files by parsing the MFT rather than walking the directories and files recursively. The FSCTL_GET_NTFS_VOLUME_DATA IOCTL is used to obtain information about the specified NTFS volume, like the volume serial number, number of sectors and clusters, free as well as reserved clusters and even the location of the MFT and its size. All of this information is returned in the NTFS_VOLUME_DATA_BUFFER structure that is passed as the output buffer to the DeviceIoControl API. Malware uses this IOCTL to determine the location of the MFT and the MFT mirror in order to destroy both of them by overwriting the raw sectors.\r\nFigure 9. Gather volume data via the FSCTL_GET_NTFS_VOLUME_DATA IOCTL\r\nThe FSCTL_GET_NTFS_FILE_RECORD IOCTL is used to enumerate files on an NTFS-formatted drive. The information is returned in the NTFS_FILE_RECORD_OUTPUT_BUFFER structure that is passed as the output buffer to the DeviceIoControl API. Wipers like DriveSlayer use this IOCTL in order to determine the raw sectors associated with files and queue them for the wiping routine.\r\nFigure 10. 
Retrieve file record information via the FSCTL_GET_NTFS_FILE_RECORD IOCTL\r\nHow the CrowdStrike Falcon® Platform Offers Continuous Monitoring and Visibility\r\nThe CrowdStrike Falcon® platform takes a layered approach to protect workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to tactics, techniques and procedures (TTPs) employed by threat actors, the Falcon platform equips users with visibility, threat detection, automated protection and continuous monitoring for any environment, reducing the time to detect and mitigate threats.\r\nFigure 11. Falcon UI screenshot showcasing how wipers are detected by the Falcon agent\r\nFigure 12. Falcon UI screenshot showcasing detection of Petya by the Falcon sensor\r\nSummary\r\nWipers frequently use various IOCTL codes in order to enrich their capabilities. Input/Output control codes can be used for various types of operations; they can help to enumerate files, locate the Master File Table (MFT), determine the location of files on the raw disk, dismount volumes, fragment files, etc. These codes can be sent directly to the volume or drive itself, and even to the third-party drivers that we discussed in Part 2. In the next and final part of the wiper blog series, we will cover some less frequent techniques seen in wiper malware. 
The techniques are used to augment the existing destructive capabilities described so far and were seen in some particular wiper families.\r\nHashes\r\nWiper name | SHA256 hash value\r\nApostle | 6fb07a9855edc862e59145aed973de9d459a6f45f17a8e779b95d4c55502dcce\r\nApostle | 19dbed996b1a814658bef433bad62b03e5c59c2bf2351b793d1a5d4a5216d27e\r\nCaddyWiper | a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\nDestover | e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a\r\nDoubleZero | 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe\r\nDoubleZero | 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a\r\nDriveSlayer | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\nDriveSlayer | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\r\nDriveSlayer | a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec\r\nDustman | f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7\r\nIsaacWiper | 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033\r\nIsaacWiper | 7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0\r\nIsraBye | 5a209e40e0659b40d3d20899c00757fa33dc00ddcac38a3c8df004ab9051de0d\r\nKillDisk | 8a81a1d0fae933862b51f63064069aa5af3854763f5edc29c997964de5e284e5\r\nKillDisk | 1a09b182c63207aa6988b064ec0ee811c173724c33cf6dfe36437427a5c23446\r\nMeteor and Comet/Stardust | 2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b\r\nMeteor and Comet/Stardust | d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e\r\nMeteor and Comet/Stardust | 6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4\r\nMeteor and Comet/Stardust | 9b0f724459637cec5e9576c8332bca16abda6ac3fbbde6f7956bc3a97a423473\r\nOrdinypt | 085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09\r\nPetya | 0f732bc1ed57a052fecd19ad98428eb8cc42e6a53af86d465b004994342a2366\r\nPetya | fd67136d8138fb71c8e9677f75e8b02f6734d72f66b065fc609ae2b3180a1cbf\r\nPetya | 4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c\r\nShamoon | e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a\r\nShamoon | c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a\r\nShamoon | 7dad0b3b3b7dd72490d3f56f0a0b1403844bb05ce2499ef98a28684fbccc07b4\r\nShamoon | 8e9681d9dbfb4c564c44e3315c8efb7f7d6919aa28fcf967750a03875e216c79\r\nShamoon | f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72\r\nShamoon | 4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400\r\nSQLShred/Agrius | 18c92f23b646eb85d67a890296000212091f930b1fe9e92033f123be3581a90f\r\nSQLShred/Agrius | e37bfad12d44a247ac99fdf30f5ac40a0448a097e36f3dbba532688b5678ad13\r\nStoneDrill | 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260\r\nStoneDrill | 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83\r\nStoneDrill | bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc\r\nTokyo Olympic wiper | fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97\r\nTokyo Olympic wiper | c58940e47f74769b425de431fd74357c8de0cf9f979d82d37cdcf42fcaaeac32\r\nWhisperGate | a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92\r\nWhisperGate | 44ffe353e01d6b894dc7ebe686791aa87fc9c7fd88535acc274f61c2cf74f5b8\r\nWhisperGate | dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78\r\nZeroCleare | becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86\r\nAdditional Resources\r\nLearn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and see for yourself how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/"
	],
	"report_names": [
		"the-anatomy-of-wiper-malware-part-3"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775791836,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e8b3c3093f16e6616e5dde5417347e231473aad.pdf",
		"text": "https://archive.orkl.eu/5e8b3c3093f16e6616e5dde5417347e231473aad.txt",
		"img": "https://archive.orkl.eu/5e8b3c3093f16e6616e5dde5417347e231473aad.jpg"
	}
}