Destructive Malware: Threat Detection and Incident Response

Imagine that you have a snack you want to eat while watching a movie on a Friday night. You look in your kitchen, only to find the snack missing. Whether a roommate hid the snack or ate it, you no longer have access to it, disrupting your evening plans. This destructive behavior interrupts your weekend objectives, but it’s pretty low stakes overall.


In a digital environment, destructive malware is the “snack thief” of the attack landscape since the attacker’s ultimate objective is to disrupt daily operations. With insight into what destructive malware is, you can implement threat detection and incident response capabilities to mitigate an event’s impact.

What is Destructive Malware?

Also called “crimeware” or “wiper”, destructive malware is malicious software designed to harm computer systems and data with the express purpose of destroying or rendering data unusable, interrupting operations, or disrupting infrastructures.


Destructive malware, like other attacks, can lead to:

  • Financial losses: business interruption, data and system recovery
  • Fines and penalties: noncompliance with regulations
  • Reputational damage: news and media reports about the incident
  • Customer churn: reduction in customer purchases or subscriptions arising from lost trust


Threat actors typically use the following methods for delivering destructive malware:

  • Email attachments
  • Downloads from malicious or compromised websites
  • Infected USB devices
  • Vulnerability exploitation


What are the types of destructive malware?

Separating the malicious software type from the destructive malware capability is critical when trying to detect and respond to an attack. For example, threat actors may use the following malware programs in an attack:

  • Trojans: malicious code disguised as legitimate files or software to grant unauthorized access when users install or open it
  • Worms: self-replicating malicious code that spreads across networks and systems without user interaction
  • Ransomware: malware that encrypts files or locks users out of systems
  • Botnets: networked infected devices that are remotely controlled by attackers to launch large scale attacks


The various destructive malware capabilities fall into three primary categories:

  • Wipers: Often targeting critical systems, this malware destroys or erases data from the compromised device to make the device or network inoperable.
  • Deleters: Malware that deletes files without overwriting them, enabling organizations to recover some or all of the data.
  • Flooders: While flooders may not destroy data, they send overwhelming amounts of traffic to a network or spam recipients with messages, like emails or texts, to disrupt the infrastructure.


Motivations Behind Deploying Destructive Malware

Destroying data and disrupting infrastructure creates unique challenges for victims. In a typical data breach, the organization needs to locate the stolen information to limit impact. For example, with a traditional ransomware attack, threat actors often hold the encrypted, unusable data hostage until the victim pays the ransom. With destructive malware, attackers may choose to delete the information, making recovery far more challenging.


Understanding the reasons behind attacks deploying destructive malware can help organizations focus their threat detection and incident recovery processes more appropriately. Some typical motivations include:

  • Financial Gain: Using fake ransomware to demand payment without providing a way to recover data
  • Destruction of Evidence: Erasing evidence of compromised systems while diverting security analyst attention from initial intrusion
  • Sabotage: Causing chaos and extensive infrastructure damage to shutdown operations
  • Cyberwar: Disrupting or damaging nation state infrastructure as part of a larger geopolitical objective, like damaging a country’s economy by targeting energy, transportation, communication, or financial systems


How Destructive Malware Works

Depending on the attackers’ objectives, they may use various destructive malware capabilities to achieve their goals.


File Discovery

A wiper or other destructive malware attack typically begins with enumeration, exploring file systems to identify target locations. While searching for target files, the malware usually tries to maintain the operating system’s stability to prevent disrupting the targeted machine’s or device’s operation.

Overwriting and Deleting Files and Drives

Once the attackers identify the target files, they may choose to overwrite the data rather than simply deleting it.


Some examples of this methodology include:

  • Overwriting all or part of a file using either the same or random byte values
  • Overwriting an entire file with zeros
  • Secure file deletion to prevent data recovery
  • Destroying disk drive contents, acting like a full-disk reformatting
  • Disk overwriting to remove information about drive partitions


Encrypting Files

Most often associated with ransomware, encrypting files makes them unusable to anyone without the required decryption capability. Although the data may be recovered by encrypting it, the process makes it unusable, achieving the destruction objective.

Overwriting Master Boot Record (MBR)

The MBR tells a computer how to startup an operating system. By destroying the MBR, the attackers prevent the device from working. While the data may remain on the hard drive, the inability to use the device accomplishes the destruction objective by causing chaos and operational downtime, even without an accompanying data loss.

Overwriting Master File Table (MFT)

The MFT identifies all files on a filesystem, including information like:

  • Metadata
  • File content
  • Storage location


Overwriting the MFT means that the device’s operating system has no way to locate the files. Although some files may be erased during the process, most still exist. However, the process archives the destruction objective by making it impossible for the operating system to locate the requested files, causing the desired operational outage.


Threat Detection and Incident Response (TDIR) Using MITRE ATT&CK

The ATT&CK Framework outlines various techniques that malicious actors use to help you detect potential data deletion within your systems. Looking at the Enterprise framework, ATT&CK identifies the following Detections and suggests monitoring for:

  • DS0010 Cloud Storage: unexpected deletion or high quantity deletion
  • DS0017 Command Execution: commands and arguments that can be involved, like SDelete
  • DS0022 File Deletion and File Modification: unexpected deletions to files or changes made to a large number of files for unexpected modification in user directories
  • DS0007 Image Deletion: unexpected virtual machine image deletion
  • DS0030 Process Creation: newly executed processes that could be part of data destruction activities, like SDelete
  • DS0020 Snapshot Deletion: unexpected snapshot deletion
  • DS0034 Volume Deletion: unexpected cloud volume deletion


Graylog: Enhanced Detection and Response

With Graylog Security, you can use prebuilt content to map security events to MITRE ATT&CK. By combining Sigma rules and MITRE ATT&CK, you can create high-fidelity alerting rules that enable robust threat detection, lightning-fast investigations, and streamlined threat hunting. For example, with Graylog’s security analytics, you can monitor user activity for anomalous behavior indicating a potential security incident. By mapping this activity to the MITRE ATT&CK Framework, you can detect and investigate adversary attempts at using Valid Accounts to gain Initial Access, mitigating risk by isolating compromised accounts earlier in the attack path and reducing impact.


Graylog’s risk scoring capabilities enable you to streamline your TDIR by aggregating and correlating the severity of the log message and event definitions with the associated asset, reducing alert fatigue and allowing security teams to focus on high-value, high-risk issues.


Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.