back to agenda

on this page

Wipermania: an all you can wipe buffet

  • 18:10
  • Tue
  • 15 Nov
Technical Focus
Reverse Engineering
Briefing Stage 4


In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various companies in several sectors. This raised questions about the usage and impact of “digital weapons” within the security community, even though wipers themselves weren’t new. The infamous Shamoon wiper dates back more than a decade ago. How comes that wipers were as effective a decade ago, as they are in the present day? What has changed, and what remained the same?

Based on the analysis of more than twenty recent wiper families, their trends, techniques, and overlap with other wipers will be discussed. Reusing code and techniques may link several wipers to the same actor, although the mere presence of such a link often leads to a hasty conclusion. This briefing is not the generic run-of-the-mill comparison of malware families, as it includes technical aspects of the analysed wipers, thus focusing on both the high- and low-level aspects of the destructive software.

The analysis does not only focus on the wipers used against Ukrainian victims, but also more generic wipers that were found in the wild around the same time. The parallels and differences between the targeted and generic wipers provide several interesting insights for the audience.

This briefing will cover vendor agnostic advise regarding detection and prevention of wipers, based on the technical analysis. Along with these tips, some pitfalls with regards to detection mechanisms will be given. The briefing is most useful for blue teams, but is also insightful for students, purple teamers, risk assessment analysts, and higher-level management due to its layered approach when dealing with technical topics, breaking them down in understandable sections and clearly explaining the shown code along the way.