TerraWiper

Posted: August 11, 2020

TerraWiper Description

Cases in which cybercriminals use tools meant purely to cause destruction and wreak havoc are rare. Still, we have seen plenty of examples where a cybercriminal was only interested in damaging the infected system as much as possible. Usually, the best way to cause such damage is to delete essential data, which may render the system unusable. However, some cybercriminals go a step further and run wiper malware that has been designed to prevent the infected system from booting its operating system. This is exactly the case with the TerraWiper, a threatening piece of malware that shares some similarities with the PureLocker Ransomware (also known as TerraCrypt).

TerraWiper Tries to Prevent Infected PCs from Booting

While the PureLocker Ransomware is dedicated to encrypting the files of its victims and then trying to sell them a decryption tool, the goal of the TerraWiper is much more sinister. This threat tries to tamper with the physical drive's Master Boot Record (MBR). Other ransomware families known to operate in the same way are the infamous Petya Ransomware and the MBRLock Ransomware. Often, the MBR is overwritten with a ransom message crafted by the malware's creators, but the TerraWiper does no such thing. Instead, it overwrites the MBR using nothing but zeroes. Effectively, this wipes out the MBR completely and prevents the system from booting up until the MBR is fixed.

It is crucial to add that the TerraWiper does not attempt to encrypt individual files or folders; the MBR is its only target. Another notable thing about this implant is that it makes use of a well-known Windows exploit to bypass User Account Control (UAC), which lets it gain elevated permissions automatically. Once the MBR has been overwritten, the TerraWiper restarts the machine, and the user will notice the MBR issue immediately.
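For triage of a disk image taken from an affected machine, the following added example (not part of the original write-up) classifies the first 512-byte sector and shows why a zero-filled MBR is distinctive: the boot code, the partition table at offset 446 and the 0x55AA signature all disappear together. The sample sectors are constructed, and the state labels and function names are this example's own.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446  # four 16-byte partition entries live inside the MBR sector
BOOT_SIGNATURE = b"\x55\xaa"  # expected at bytes 510-511 of a valid MBR


def parse_partitions(sector):
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA start, length
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype != 0:
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def classify_mbr(sector):
    """Classify the first sector of a disk image; labels are this example's own."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    sector = bytes(sector[:SECTOR_SIZE])
    if not any(sector):
        # Boot code, partition table and signature are all gone: wiper-style damage.
        return "zeroed", []
    parts = parse_partitions(sector)
    if sector[510:512] != BOOT_SIGNATURE:
        return "missing-signature", parts
    return ("ok" if parts else "no-partitions"), parts


def constructed_healthy_mbr():
    """Constructed sample: stub boot code plus one active NTFS-type (0x07) partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\x63\x90"  # placeholder jump instruction, not real boot code
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for name, data in [("healthy (constructed)", constructed_healthy_mbr()),
                       ("zeroed (constructed)", bytes(SECTOR_SIZE))]:
        state, parts = classify_mbr(data)
        print(f"{name}: {state}, partitions={parts}")
```

To check a real image, pass the first 512 bytes read from the image file to `classify_mbr`.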
