A wiper is malicious software whose primary objective is to destroy data, render systems unbootable, or otherwise sabotage IT infrastructure. Unlike ransomware, which encrypts files to extract payment, a wiper offers no recovery path—its goal is disruption, signaling, or denial of service. Some wipers masquerade as ransomware (showing fake ransom notes) to obscure attribution or buy time before victims realize recovery is impossible.
Technically, wipers operate by overwriting the Master Boot Record (MBR), destroying partition tables, encrypting files with discarded keys, or corrupting firmware. Effects range from individual file deletion to full disk destruction.
Wipers are closely associated with state-linked operations and geopolitical conflict:
- Shamoon (2012) struck Saudi Aramco, reportedly affecting roughly 30,000 workstations; it was widely attributed to Iran-linked actors.
- NotPetya (June 2017) was disguised as ransomware but functioned as a wiper, spreading from Ukrainian accounting software M.E.Doc and causing global damage at Maersk, Merck, FedEx's TNT, and others. The U.S., U.K., and EU attributed it to Russia's GRU.
- WhisperGate and HermeticWiper were deployed against Ukrainian targets in January and February 2022, immediately before and during Russia's full-scale invasion. Microsoft and ESET published technical analyses; Western governments attributed the campaigns to Russian state actors.
- Dark Seoul / Jokra (2013) wiped systems at South Korean banks and broadcasters and was attributed to North Korea.
From a policy perspective, wipers raise difficult questions under international law. Debates around the Tallinn Manual 2.0 address whether destructive cyber operations can constitute a use of force or armed attack under the UN Charter, and what thresholds trigger countermeasures. For MUN and policy researchers, wipers are central to discussions of cyber norms in the UN OEWG and GGE processes, critical-infrastructure protection, and attribution practice.
Example
In February 2022, ESET and Microsoft reported the HermeticWiper malware deployed against Ukrainian government and financial systems hours before Russia's invasion began.
Frequently asked questions
Ransomware encrypts data to extort payment and typically allows decryption after payment; a wiper destroys data with no intended recovery, though some wipers display fake ransom notes as a decoy.
Keep learning