Skip to content

T1561.001 Disk Content Wipe

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.321 Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.2 Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content.32 This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.2

Item Value
ID T1561.001
Sub-techniques T1561.001, T1561.002
Tactics TA0040
Platforms Linux, Windows, macOS
Version 1.0
Created 20 February 2020
Last Modified 12 April 2023

Procedure Examples

ID Name Description
S1068 BlackCat BlackCat has the ability to wipe VM snapshots on compromised networks.87
S0697 HermeticWiper HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.1413
G0032 Lazarus Group Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.2
S0576 MegaCortex MegaCortex can wipe deleted data from all drives using cipher.exe.9
S0364 RawDisk RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.2
S0380 StoneDrill StoneDrill can wipe the accessible physical or logical drives of the infected machine.6
S0689 WhisperGate WhisperGate can overwrite sectors of a victim host’s hard drive at periodic offsets.111012

Mitigations

ID Mitigation Description
M1053 Data Backup Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.5 Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0016 Drive Drive Access
DS0027 Driver Driver Load
DS0009 Process Process Creation

References

  1. Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. 

  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. 

  3. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  4. Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. 

  5. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019. 

  6. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  7. Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022. 

  8. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  9. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  10. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  11. Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022. 

  12. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  13. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. 

  14. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.