
Opinion
Wiper malware doesn't want your money, it wants to erase you
Wiper malware is built to destroy. Unlike ransomware, which offers the promise of recovery upon payment, wipers are designed to make recovery nearly impossible.
At the end of 2024 and into 2025, there has been a disturbing surge in cyber activity from state-aligned hacking groups. Fancy Bear, Gamaredon, Sandworm - and newer names like Volt and Salt Typhoon - are state-backed Advanced Persistent Threat (APT) groups that have intensified their targeting of Western nations. Their tactics: exploiting zero-day vulnerabilities, breaching critical systems, and deploying wiper malware designed not to extort, but to obliterate.
These attacks are real and their damage is immeasurable. The NotPetya attack, for example, disrupted governments, crippled power grids and transportation systems, and wreaked havoc across global supply chains. FedEx reported over $400 million in losses. Pharmaceutical giant Merck lost more than $670 million. These were not ransom demands. These were scorched-earth campaigns.
What Makes Wiper Attacks So Dangerous?
Wiper malware is built to destroy. Unlike ransomware, which offers the promise of recovery upon payment, wipers are designed to make recovery nearly impossible. They permanently delete data and corrupt systems until they are beyond repair. What’s more, open-source versions of these tools are increasingly circulating online—on platforms like GitHub—making them available to attackers with minimal technical expertise. And in today’s world of rising geopolitical tension, the likelihood of these tools being used grows by the day.
Is Israel Ready?
Are Israel’s digital defenses - across infrastructure providers, healthcare systems and transportation networks - prepared for an attack that doesn’t lock data but vaporizes it?
Are private sector organizations, even those that don’t see themselves as obvious cyber targets, equipped to survive an event where not just access is denied, but entire systems vanish?
As with other countries, the unfortunate reality is that in most cases, they are not.
What Organizations and the State Can Do to Prepare
There’s no silver bullet, but there are several urgent, concrete steps every organization should be taking now:
- Deploy air-gapped, secure backups: Backups must be isolated from primary networks - either through physical separation or strict network segmentation - so that even if an attacker penetrates the system, they cannot reach the backups.
- Enforce immutability: Even if an attacker gains admin privileges - or an internal admin attempts to alter data - immutable backups cannot be erased, decrypted or tampered with. This is essential for data integrity under fire.
- Map and prioritize critical systems: Identify the systems whose failure would disrupt operations, compromise data, or paralyze recovery efforts. Also identify the secondary systems - servers, routers, firewalls - that must remain operational to support recovery.
- Ensure collaboration between IT and security teams: All too often, security teams are unaware of how backup and recovery are actually managed. In a crisis, this disconnect can derail recovery. A growing trend in the private sector is to place backup and recovery under the purview of the CISO - a model Israeli organizations might benefit from adopting.
- Run real-world simulations (Red Team exercises): Prepare for destructive attacks, not just data breaches. Test how your organization responds when everything goes offline. These simulations reveal vulnerabilities in procedures, architecture and readiness - and they build resilience.
The Bottom Line
2025 is shaping up to be the year of wipers. Not every organization is a direct target - but we are all downstream from infrastructure, service providers, and national systems that are. If they go down, we all feel it.
The question isn’t whether a wiper attack might happen - it’s whether we’ll be ready when it does.
Eyal Ron is Israel Site Lead and Head of Engineering at Rubrik Israel.















