Ransomware may dominate the headlines and remain the go-to worry for IT teams in industrial environments, but a quieter and potentially more destructive threat is emerging: “wiper” malware.
Unlike ransomware, which typically seeks payment, wipers are designed to permanently destroy data and systems, leaving no path to recovery and no leverage for negotiation.
In the first half of 2025, wiper malware emerged as a clear escalation in threats to industrial systems. In late June, our sources identified three new Iranian-linked wiper malware families (BlueWipe, SewerGoo, and BeepFreeze) targeting critical infrastructure and government networks in Israel and Albania.
BlueWipe and SewerGoo were deployed against Israeli targets with the apparent objective of wiping or disabling storage devices, posing a near-term risk to organizations in Israel and allied nations that depend on highly available computing systems.
BeepFreeze was used in attacks on Albanian networks with similar destructive intent. Also in June, PathWiper was deployed across Ukrainian critical infrastructure via legitimate admin tools, erasing drives and forcing full system rebuilds. Around the same time, ransomware‑as‑a‑service group Anubis introduced a “wipe mode” that destroys directories outright, thereby transforming extortionware into sabotage.
CyberAv3ngers, an Iran-linked sabotage group, has also manipulated industrial controllers in water, wastewater, and oil‑and‑gas systems globally, while allegedly preparing wiper‑style attacks on critical industrial assets. For manufacturers, especially those relying on older operational technology (OT) systems, the threat is serious. Wipers can cripple production, corrupt firmware, wipe Windows machines, and leave entire factories inoperable.
What is Wiper Malware?
Wiper malware is a class of malicious code that permanently deletes or corrupts data. It typically overwrites the master boot record (MBR) or partition table, file-system metadata such as the NTFS Master File Table, or entire storage volumes, leaving systems unbootable and data unrecoverable; many wipers also delete Volume Shadow Copies and other local recovery artifacts first so that the host cannot be restored in place. There is rarely an extortion demand with a wiper attack, as the sole purpose is to cause destruction.
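To make the MBR damage concrete, here is an added example (not code from the original article) that parses a 512-byte boot sector and flags the symptoms an MBR-wiping tool leaves behind: a missing 0x55AA boot signature, boot code overwritten with a constant byte, or an empty or implausible partition table. The sample sectors are constructed inline; the "healthy" one uses a stub boot-code prefix and a single NTFS entry, not a real bootloader.

```python
"""Parse a 512-byte MBR and flag the damage a wiper typically leaves behind.
Sample sectors below are constructed for the example, not captured from a real disk."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445: bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510            # bytes 510-511 must be 0x55 0xAA for BIOS to boot it
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(sector: bytes) -> list:
    """Return the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def assess_mbr(sector: bytes) -> dict:
    """Check a boot sector for the symptoms of an MBR wipe and return the findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    issues = []
    if sector[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        issues.append("boot signature 0x55AA missing")
    if len(set(sector[:BOOT_CODE_LEN])) == 1:
        issues.append("boot code overwritten with a constant byte")
    live = [p for p in parse_partitions(sector) if p["type"] != 0]
    if not live:
        issues.append("partition table empty")
    for p in live:
        # a real entry is either inactive (0x00) or bootable (0x80) and spans >0 sectors
        if p["status"] not in (0x00, 0x80) or p["sectors"] == 0:
            issues.append(f"implausible partition entry: {p}")
            break
    return {"bootable": not issues, "partitions": live, "issues": issues}


def make_sample_mbr() -> bytes:
    """Constructed healthy MBR: one active NTFS partition starting at LBA 2048."""
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 4)   # stub, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_048_576)
    return boot_code + entry + bytes(PART_ENTRY_LEN * 3) + BOOT_SIGNATURE


def zeroed_mbr() -> bytes:
    """What a zero-fill of sector 0 looks like."""
    return bytes(SECTOR_SIZE)


def garbage_mbr() -> bytes:
    """Deterministic pseudo-random fill standing in for a wiper's random overwrite."""
    return bytes((i * 167 + 41) & 0xFF for i in range(SECTOR_SIZE))


if __name__ == "__main__":
    for name, sec in (("healthy", make_sample_mbr()), ("zeroed", zeroed_mbr()), ("random", garbage_mbr())):
        print(name, assess_mbr(sec))
```

Against a forensic image the same check is `assess_mbr(open("disk.img", "rb").read(512))`; GPT disks still carry a protective MBR in sector 0, so the signature and a single 0xEE entry are expected there.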
As geopolitical tensions rise, wipers have become go-to weapons for state-backed attackers. They are also finding their way into the toolkits of cybercriminals seeking to cause chaos, punish victims, apply pressure, or erase evidence. In industrial environments where uptime, safety, and system integrity are non-negotiable, the consequences can be catastrophic.
The earliest high-profile wiper attack was the 2012 Shamoon incident, widely attributed to Iran, which struck Saudi Aramco and erased more than 30,000 computers. Five years later, the Russian military deployed NotPetya – a wiper disguised as ransomware – against Ukrainian targets. The malware quickly escaped its intended scope, disrupting global manufacturing, shipping, and logistics, and causing an estimated $10 billion in damages worldwide.
Since then, the threat has expanded. WhisperGate and HermeticWiper, deployed by Russian-linked actors in 2022, disabled systems at Ukrainian government agencies and banks. AcidRain bricked thousands of modems across Europe to disrupt Ukrainian communications.
In 2021, Meteor hit Iran’s railway system, an unusual case of Iran, usually a wiper user, becoming a victim. In 2023, No-Justice targeted pro-democracy networks across Asia. In June 2024, security firms uncovered a CaddyWiper variant aimed at logistics firms in Eastern Europe, marking a shift from military to industrial targets.
Although wipers originated as cyber weapons used by nation-states, they are now part of the cybercriminal playbook. Ransomware groups such as SuperBlack, LockBit, and BrainCipher have begun integrating wipe functions to permanently destroy data when victims refuse to pay, or to erase forensic evidence and cover their tracks after gaining access.
A recent alert from the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warned that “wiper malware showed an increasing and evolving trend in ransomware operations in 2025.” Numerous security and IT management firms have issued similar warnings, including IBM’s X-Force.
Wiper Malware in Manufacturing: How It’s Used and What It Destroys
Wiper malware is uniquely dangerous in industrial environments, capable of inflicting irreparable damage in minutes. Unlike ransomware, which may leave systems intact during negotiations, wipers are designed for total loss.
In manufacturing contexts, they can:
- Wipe Windows-based HMIs and engineering workstations.
- Disable or corrupt PLCs (programmable logic controllers).
- Render SCADA systems inoperable, blinding operators.
- Destroy production data and logs, delaying restarts.
- Create safety risks if automation failsafes are affected.
Wiper malware is deployed with a range of strategic objectives. State-backed actors may use it for pure sabotage, aiming to disrupt production or retaliate for geopolitical actions. In some cases, wipers are disguised as ransomware to serve as false flags, in order to confuse attribution efforts and complicate the response.
Advanced persistent threat (APT) groups may also use wipers as a form of post-access cleanup, erasing forensic traces after data theft or espionage. Ransomware operators are also increasingly turning to wipers in double extortion scenarios, unleashing them as punishment when victims refuse to pay.
In all cases, the goal is destruction of systems, data, and operational trust.
How to Defend Against Wiper Malware
There is no silver bullet for stopping a wiper, but manufacturers can significantly reduce their risk by taking several critical steps:
- Network Segmentation: Separate OT from IT networks. Use firewalls and access controls to restrict lateral movement.
- Read-Only, Offsite Backups: Store backups offline or on immutable systems, and include OT artifacts (PLC logic, HMI project files, golden images of engineering workstations), not just IT data. Test restoration regularly, and isolate backup credentials.
- Endpoint Detection and Response (EDR): While EDR can flag wiper behaviors like mass file deletions, raw writes to disk devices, or MBR tampering, attackers increasingly bypass or disable these tools, so EDR should be part of a layered defense, not the sole line of protection.
- Log Retention and Monitoring: Maintain secure, centralized logs from both OT and IT systems. Ensure they’re write-protected and tamper-resistant, so the record survives even if the host that produced it is wiped.
- Incident Response Planning: Have a clear playbook for destructive attacks: isolate infected systems, trigger backup recovery, notify stakeholders, and involve law enforcement or insurers.
- Harden OT Assets: Enforce least privilege, disable unused services, secure engineering workstations, and update firmware where possible.
- Scrutinize Vendor Access: Limit and monitor third-party connections, as attackers increasingly compromise suppliers to deliver wiper malware to downstream targets; NotPetya reached its victims through a trojanized update of the M.E.Doc accounting software.
- Threat Intelligence Monitoring: Track known indicators of wiper campaigns and stay informed about adversary TTPs. Prioritize controls based on evolving geopolitical risk.
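The EDR and log-monitoring steps above are easier to reason about with detection logic in hand. The following is an added example, not the article's or any vendor's code: three rules run over a constructed, simplified JSON event stream (raw device handles, process creation, file deletes). The event schema and the backup-agent allowlist path are assumptions; the cases it catches are the generic wiper behaviours named above, not indicators of any specific family.

```python
"""Three wiper-behaviour rules over a constructed JSON event log.
Schema is an assumed simplification of EDR/Sysmon telemetry, not a real product format."""
import json
import re
from collections import defaultdict, deque

# Rule 1: raw handle to a physical drive or volume (how MBR/partition-table wipes are done).
RAW_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Z]:)$", re.IGNORECASE)
# Assumption: the site's backup agent legitimately opens raw devices; everything else alerts.
RAW_ACCESS_ALLOWLIST = {r"c:\program files\backupagent\agent.exe"}

# Rule 2: commands that remove local recovery options ahead of destruction.
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Rule 3: deletion burst from one process (sliding window).
DELETE_THRESHOLD = 10
DELETE_WINDOW_S = 5


def _alert(rule: str, ev: dict, detail: str) -> dict:
    return {"rule": rule, "host": ev["host"], "pid": ev["pid"],
            "image": ev["image"], "detail": detail}


def detect(lines) -> list:
    """Run the three rules over JSON lines (in time order) and return alerts."""
    alerts = []
    windows = defaultdict(deque)   # (host, pid) -> timestamps of recent deletes
    fired = set()                  # emit the mass-delete alert once per process
    for line in lines:
        ev = json.loads(line)
        key = (ev["host"], ev["pid"])
        if ev["event"] == "raw_access" and RAW_DEVICE.match(ev["device"]) \
                and ev["image"].lower() not in RAW_ACCESS_ALLOWLIST:
            alerts.append(_alert("mbr_tamper", ev, f"raw handle to {ev['device']}"))
        elif ev["event"] == "process_create" and \
                any(p.search(ev["cmdline"]) for p in RECOVERY_INHIBIT):
            alerts.append(_alert("recovery_inhibit", ev, ev["cmdline"]))
        elif ev["event"] == "file_delete":
            q = windows[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > DELETE_WINDOW_S:
                q.popleft()
            if len(q) >= DELETE_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(_alert("mass_delete", ev,
                                     f"{len(q)} deletions within {DELETE_WINDOW_S}s"))
    return alerts


def _delete_burst(host, pid, image, start, n, step):
    return [{"ts": start + i * step, "host": host, "pid": pid, "image": image,
             "event": "file_delete", "target": f"D:\\Historian\\batch_{i:03d}.csv"}
            for i in range(n)]


# Constructed sample: one HMI under attack, one engineering workstation doing normal cleanup.
DROPPER = r"C:\Users\oper\AppData\Local\Temp\svchost.exe"   # assumed malicious path
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "HMI-01", "pid": 820, "image": r"C:\Program Files\BackupAgent\agent.exe",
     "event": "raw_access", "device": r"\\.\PhysicalDrive0"},              # allowlisted, no alert
    {"ts": 1001, "host": "HMI-01", "pid": 4412, "image": DROPPER,
     "event": "raw_access", "device": r"\\.\PhysicalDrive0"},              # rule 1
    {"ts": 1002, "host": "HMI-01", "pid": 4420, "image": r"C:\Windows\System32\cmd.exe",
     "event": "process_create", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},  # rule 2
    *_delete_burst("HMI-01", 4412, DROPPER, 1003, 12, 0.25),              # rule 3: 12 deletes in 3s
    *_delete_burst("ENG-02", 1180, r"C:\Program Files\Vendor\Engineering.exe", 2000, 6, 30),  # slow, benign
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On a real Windows fleet these fields map to Sysmon Event ID 9 (RawAccessRead), Event ID 1 (process creation with command line) and Event ID 23 (FileDelete); ship them to the write-protected central log store from the previous list so the evidence outlives the host.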
Wiper malware is the next frontier of cyber disruption and the risks for manufacturers are existential. Whether deployed by a state-backed actor or a criminal group, wipers are designed not to steal data, but to destroy operations.
Industrial operators must treat these threats as core risks, not rare exceptions. The consequences aren’t just financial. They’re operational, reputational, and potentially physical.