
TerraWiper

Posted: August 11, 2020

Cybercriminals rarely use tools meant purely to cause destruction and wreak havoc, but such cases do exist. We have seen plenty of examples where a cybercriminal was interested only in damaging the infected system as much as possible. Usually, the simplest way to cause such damage is to delete essential data, which may render the system unusable. Some cybercriminals go a step further and run a wiper malware designed to prevent the infected system from booting its operating system at all. This is exactly the case with TerraWiper, a threatening piece of malware that shares some similarities with the PureLocker Ransomware (also known as TerraCrypt).

TerraWiper Tries to Prevent Infected PCs from Booting

However, while the PureLocker Ransomware is dedicated to encrypting its victims' files and then trying to sell them a decryption tool, the goal of TerraWiper is far more sinister. This threat tampers with the physical drive's Master Boot Record (MBR); other ransomware families known to operate in the same way are the infamous Petya Ransomware and the MBRLock Ransomware. Often, the MBR is overwritten with a ransom message crafted by the malware's creators, but TerraWiper does no such thing: it overwrites the MBR with nothing but zeroes. Effectively, this wipes out the MBR completely and prevents the system from booting until the MBR is repaired.

It is crucial to add that TerraWiper does not attempt to encrypt individual files or folders; the MBR is its only target. Another notable thing about this implant is that it makes use of a well-known Windows exploit to bypass User Account Control (UAC), which lets it obtain elevated privileges automatically. Once the MBR has been overwritten, TerraWiper restarts the machine, and the user will notice the MBR problem immediately, as the system no longer boots.
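As an added example (not part of the original write-up or of any vendor tool), the following Python script parses the first 512-byte sector of a disk image and reports whether the MBR is intact, zeroed in the way TerraWiper leaves it, or otherwise damaged. The sample MBR it checks is constructed in code, not captured from an infected machine.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510     # bytes 510-511 must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR sector into its signature, partition table and a zeroed flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    info = {
        "zeroed": not any(sector),  # every byte is 0x00, as after a TerraWiper-style wipe
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "partitions": [],
    }
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i : PART_TABLE_OFFSET + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count (little-endian)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            info["partitions"].append({
                "index": i, "bootable": status == 0x80,
                "type": ptype, "lba_start": lba_start, "sectors": sectors,
            })
    return info

def assess_mbr(sector: bytes) -> str:
    """Classify the sector: 'wiped' (all zeroes), 'damaged' (bad signature) or 'intact'."""
    info = parse_mbr(sector)
    if info["zeroed"]:
        return "wiped"
    if not info["boot_signature_ok"]:
        return "damaged"
    return "intact"

def read_mbr_from_image(path: str) -> bytes:
    """Read the first sector of a raw disk image file (read-only)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def build_constructed_mbr() -> bytes:
    """Constructed sample MBR for testing: stub bootstrap code plus one bootable NTFS partition."""
    bootstrap = b"\xEB\xFE" + b"\x00" * 444   # 446 bytes; jmp-to-self stub as filler
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 48               # three empty entries
    return bootstrap + table + b"\x55\xAA"

if __name__ == "__main__":
    print("constructed MBR:", assess_mbr(build_constructed_mbr()))  # intact
    print("zeroed sector:  ", assess_mbr(bytes(MBR_SIZE)))           # wiped
```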
