1. Home
  2. Techniques
  3. Enterprise
  4. Disk Wipe
  5. Disk Content Wipe

Disk Wipe: Disk Content Wipe

ID Name
T1561.001 Disk Content Wipe
T1561.002 Disk Structure Wipe

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.[1][2][3] Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.[2] Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content.[1][2] This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2]

ID: T1561.001
Sub-technique of:  T1561
Tactic: Impact
Platforms: Linux, Network Devices, Windows, macOS
Impact Type: Availability
Version: 1.2
Created: 20 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1167 AcidPour

AcidPour includes functionality to overwrite victim devices with the content of a buffer to wipe disk content.[4]
S1125 AcidRain

AcidRain iterates over device file identifiers on the target, opens the device file, and either overwrites the file or calls various IOCTLS commands to erase it.[5]
S1133 Apostle

Apostle searches for files on available drives based on a list of extensions hard-coded into the sample for follow-on wipe activity.[6]
C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 used the native Microsoft utility cipher.exe to securely wipe files and folders – overwriting the deleted data using cmd.exe /c cipher /W:C.[7]

S1068 BlackCat

BlackCat has the ability to wipe VM snapshots on compromised networks.[8][9]
S1205 cipher.exe

cipher.exe can be used to overwrite deleted data in specified folders.[7]
S1111 DarkGate

DarkGate has deleted all files in the Mozilla directory using the following command: /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*.[10]

S1134 DEADWOOD

DEADWOOD deletes files following overwriting them with random data.[6]
G0047 Gamaredon Group

Gamaredon Group has used tools to delete files and folders from victims' desktops and profiles.[11]
S0697 HermeticWiper

HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.[12][13]
G0032 Lazarus Group

Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.[2]
S0576 MegaCortex

MegaCortex can wipe deleted data from all drives using cipher.exe.[14]
S0364 RawDisk

RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.[2]
S0380 StoneDrill

StoneDrill can wipe the accessible physical or logical drives of the infected machine.[15]

S1010 VPNFilter

VPNFilter has the capability to wipe a portion of an infected device's firmware.[16]
S0689 WhisperGate

WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.[17][18][19]

Mitigations

ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[20] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite AN0882

Processes attempting raw disk access via \.\PhysicalDrive paths, abnormal file I/O to MBR/boot sectors, or loading of third-party drivers (e.g., RawDisk) that enable disk overwrite. Correlate process creation, privilege usage, and disk modification events within a short time window.
AN0883

Execution of destructive utilities (dd, shred, wipe) targeting block devices, or processes invoking syscalls to directly overwrite /dev/sd or /dev/nvme partitions. Correlate abnormal file write attempts with shell process execution and block device access.
AN0884

Abnormal invocation of diskutil or asr with destructive flags (eraseDisk, zeroDisk), or low-level IOKit calls that overwrite raw disk content. Detect correlation between elevated process execution and disk erase operations.
AN0885

Execution of CLI commands erasing file systems or storage (erase flash:, format disk, erase nvram:). Detect authentication events followed by destructive commands within the same privileged session.

References

  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  3. Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
  4. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024.
  5. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
  6. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  7. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  8. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  9. Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.
  10. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  1. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  2. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  3. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  4. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  5. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  6. Tung, Liam. (2018, May 29). FBI to all router users: Reboot now to neuter Russia's VPNFilter malware. Retrieved March 7, 2024.
  7. Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
  8. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  9. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  10. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.