Disk Content Wipe

Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device, rendering the data irrecoverable through the storage interface.[1][2][3] Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.[2] Adversaries have been observed leveraging third-party drivers like RawDisk to directly access disk content.[1][2] This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, Credential Dumping, and Windows Admin Shares.[2]

ID: T1488

Tactic: Impact

Platform: Linux, macOS, Windows

Permissions Required: User, Administrator, root, SYSTEM

Data Sources: Kernel drivers, Process monitoring, Process command-line parameters

Impact Type: Availability

Version: 1.0

Examples

Name | Description

Lazarus Group | Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.[2]

RawDisk | RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.[2]

Mitigation

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[4] Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Identify potentially malicious software and audit and/or block it by using whitelisting[5] tools, like AppLocker,[6][7] or Software Restriction Policies[8] where appropriate.[9]

Detection

Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for unusual kernel driver installation activity.
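
One way to combine the two detection signals above on Windows, as an added example that is not part of the original page: it correlates Sysmon Event ID 6 (driver loaded) with Event ID 9 (RawAccessRead) per host. The record layout is simplified, and the baselines, correlation window, host names and paths are assumptions constructed for illustration; Event ID 9 records raw reads only, so raw writes need other telemetry.

```python
from datetime import datetime, timedelta

# Assumed per-environment baselines (hypothetical values for this example).
KNOWN_DRIVERS = {r"c:\windows\system32\drivers\disk.sys"}
EXPECTED_RAW_READERS = {r"c:\windows\system32\defrag.exe"}
WINDOW = timedelta(minutes=10)  # correlation window, an arbitrary choice

def classify(ev):
    """Return 'driver', 'rawdisk' or None for one simplified Sysmon-style record."""
    if ev["id"] == 6:  # Sysmon Event ID 6: driver loaded
        # A signed third-party driver is still unusual if it is not in the baseline.
        if ev["Signed"] != "true" or ev["ImageLoaded"].lower() not in KNOWN_DRIVERS:
            return "driver"
    elif ev["id"] == 9:  # Sysmon Event ID 9: RawAccessRead on a \\.\ device
        if ev["Image"].lower() not in EXPECTED_RAW_READERS:
            return "rawdisk"
    return None

def triage(events):
    """Return (severity, host, image) alerts in time order.

    Raw disk access within WINDOW of an unusual driver load on the same
    host is escalated to 'high'; either signal alone is 'medium'.
    """
    alerts, last_driver = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev)
        if kind == "driver":
            last_driver[ev["host"]] = ev["time"]
            alerts.append(("medium", ev["host"], ev["ImageLoaded"]))
        elif kind == "rawdisk":
            seen = last_driver.get(ev["host"])
            sev = "high" if seen and ev["time"] - seen <= WINDOW else "medium"
            alerts.append((sev, ev["host"], ev["Image"]))
    return alerts

def at(hms):
    return datetime.strptime(hms, "%H:%M:%S")

# Constructed sample records, not real telemetry.
SAMPLE = [
    {"time": at("09:00:00"), "host": "ws01", "id": 9, "Image": r"C:\Windows\System32\defrag.exe"},
    {"time": at("09:05:00"), "host": "ws02", "id": 6, "Signed": "true", "ImageLoaded": r"C:\Users\Public\example.sys"},
    {"time": at("09:07:30"), "host": "ws02", "id": 9, "Image": r"C:\Users\Public\example.exe"},
    {"time": at("09:10:00"), "host": "ws03", "id": 9, "Image": r"C:\Tools\imager.exe"},
    {"time": at("09:12:00"), "host": "ws01", "id": 6, "Signed": "true", "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

The signed but unbaselined driver on ws02 is flagged because a legitimately signed third-party driver can still be the unusual installation the paragraph above refers to.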

References