Description
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)
Platforms
Mitigations (1)
Data BackupM1053
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized a disk wiping utility to facilitate destructive actions on victim servers.(Citati... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of stat... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used tools to delete files and folders from victims' desktops and profiles.(Citation: CER... |
Associated Software (13)
| ID | Name | Type | Context |
|---|---|---|---|
| S1205 | cipher.exe | Tool | [cipher.exe](https://attack.mitre.org/software/S1205) can be used to overwrite deleted data in specified folders.(Citation: Nearest Neighbor Volexity) |
| S1134 | DEADWOOD | Malware | [DEADWOOD](https://attack.mitre.org/software/S1134) deletes files following overwriting them with random data.(Citation: SentinelOne Agrius 2021) |
| S1125 | AcidRain | Malware | [AcidRain](https://attack.mitre.org/software/S1125) iterates over device file identifiers on the target, opens the device file, and either overwrites ... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can overwrite sectors of a victim host's hard drive at periodic offsets.(Citation: Crowdstrike ... |
| S0364 | RawDisk | Tool | [RawDisk](https://attack.mitre.org/software/S0364) has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk... |
| S0576 | MegaCortex | Malware | [MegaCortex](https://attack.mitre.org/software/S0576) can wipe deleted data from all drives using <code>[cipher.exe](https://attack.mitre.org/software... |
| S1167 | AcidPour | Malware | [AcidPour](https://attack.mitre.org/software/S1167) includes functionality to overwrite victim devices with the content of a buffer to wipe disk conte... |
| S1133 | Apostle | Malware | [Apostle](https://attack.mitre.org/software/S1133) searches for files on available drives based on a list of extensions hard-coded into the sample for... |
| S1010 | VPNFilter | Malware | [VPNFilter](https://attack.mitre.org/software/S1010) has the capability to wipe a portion of an infected device's firmware.(Citation: VPNFilter Router... |
| S0380 | StoneDrill | Malware | [StoneDrill](https://attack.mitre.org/software/S0380) can wipe the accessible physical or logical drives of the infected machine.(Citation: Symantec E... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to corrupt disk partitions and obtain raw disk access to destroy data.(Citati... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) has the ability to wipe VM snapshots on compromised networks.(Citation: Microsoft BlackCat Jun 202... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) has deleted all files in the Mozilla directory using the following command: `/c del /q /f /s C:\Us... |
References
- Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
Frequently Asked Questions
What is T1561.001 (Disk Content Wipe)?
T1561.001 is a MITRE ATT&CK technique named 'Disk Content Wipe'. It belongs to the Impact tactic(s). Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may partially or comp...
How can T1561.001 be detected?
Detection of T1561.001 (Disk Content Wipe) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1561.001?
There are 1 documented mitigations for T1561.001. Key mitigations include: Data Backup.
Which threat groups use T1561.001?
Known threat groups using T1561.001 include: VOID MANTICORE, Lazarus Group, Gamaredon Group.