Russian Invasion Sparks Global Wiper Malware Surge

The war in Ukraine has driven a new wave of destructive malware around the world, with cybercrime groups increasingly delivering it as a service, according to Fortinet.

The security vendor claimed that wiper malware quickly expanded last year beyond the borders of Ukraine, where it is being used by Russian forces. Fortinet recorded a 53% increase in activity from Q3 to Q4 2022.

“These new strains are increasingly being picked up by cyber-criminal groups and used throughout the growing Cybercrime-as-a-Service (CaaS) network,” explained chief security strategist, Derek Manky.

“Cyber-criminals are also now developing their own wiper malware which is being used readily across CaaS organizations, meaning that the threat of wiper malware is more widespread than ever and all organizations are a potential target, not just those based in Ukraine or surrounding countries.”

The vendor also warned that threat actors are increasingly reusing old botnet and malware code, in order to launch attack campaigns more cost effectively.

“Similar to musicians who remix chart-topping songs, cyber-criminals are reimagining old attack strains that proved successful in the past and reintroducing new and enhanced versions,” explained Manky.

“In the second half of 2022, we witnessed the resurgence of familiar names among botnets and malware variants, many of which are more than a year old.”

These included IoT botnet Mirai, remote access Trojan Gh0st RAT and the infamous Emotet Trojan, which Manky said had now split into six different variants. Another of the top strains spotted in the second half of 2022, Lazarus, dates back as far as 2010, he said.

Elsewhere, Fortinet warned that ransomware continues to pose a major threat to organizations thanks to the “as-a-service” model (RaaS) used to streamline its use in attacks by numerous affiliate groups.

“In the second half of 2022, the top five ransomware families accounted for roughly 37% of all ransomware. GandCrab, a RaaS malware introduced in 2018, topped the list,” explained Manky.

“Despite the threat actors behind GandCrab announcing that they were retiring, there were many iterations of GandCrab created during its heyday. There may still be a long tail of variants coming from this operation, which makes the work of groups like The Cybercrime Atlas Initiative essential as they aim to dismantle these large-scale criminal operations permanently.”

What’s Hot on Infosecurity Magazine?