The Middle East is a prime hunting ground for cyberthreat actors. In 2024, the United Arab Emirates (UAE) was the second most targeted nation in the Middle East & North Africa (MENA) region, accounting for almost one in every eight (12%) incidents, at an average cost of US$2.9 million. The UAE’s Gulf neighbours are also popular targets. In the second half of 2025, Saudi Arabia was the MEA region’s fifth most frequently targeted country, and during the same period, Qatar’s telecoms infrastructure was attacked more than 1,500 times.
It is the motives behind these attacks that account for the varying levels of concern among cybersecurity professionals. If an adversary is motivated by money, security postures can be devised that centre on making breaches too difficult to be profitable. Additionally, in the worst ransomware scenario, if an organisation pays out, it can often recover. But what if the attacker’s sole purpose is chaos for chaos’ sake? In an era in which a significant portion of a business is digital, irreversible destruction will likely lead to a market exit.
Irreversible destruction is what a wiper attack is all about. Wipers are malware designed for a single purpose – to erase data and make recovery impossible. Part of the process is the corruption of storage media and the functional dismantling of infrastructure. Legacy malware is sneaky and looks for ways to increase dwell time and extort payment. Wipers have simpler goals. They seek to put an end to normal operations by deleting files and overwriting disk structures. They seek out virtual machines and destroy them. They eradicate configuration files and obliterate operating systems. In many cases recovery – and hence, business continuity – is made technically impossible.
Monetisation vs eradication
To communicate just how dangerous wiper attacks are, it is worth reinforcing the difference between them and other, more traditional attacks. Ransomware is an entire industry that includes initial access brokers (IABs), salespeople, and support staff. It is designed to incentivise payment by offering recovery as a product. Ransomware attackers are ruthless and unethical, but they understand the value of the transaction. If recovery is not delivered on payment, then once word gets around, subsequent victims will have no reason to pay up. That is why data is encrypted instead of destroyed. Even where double extortion applies (data is also exfiltrated, and leaked to the world if payment is not made), there is scope for response, bargaining, and remediation.
There is no response window for a wiper attack. The most successful ones make sure there is no means of recovery. Files are not merely deleted. Backups and system mirrors are eliminated. Wipers overwrite master boot records (MBRs), master file tables (MFTs), and other files with gibberish, compromising forensic recovery. They may even target high-availability (HA) systems and Disaster-Recovery-as-a-Service (DRaaS). There is no bargaining, no ransom demand, and no recovery key because the adversary is operating outside a business model. They prioritise eradication over monetisation.
Wipers go for sabotage. When they strike, organisations can have just a few minutes before their networks are offline and critical systems become permanently inaccessible. But given all that wipers achieve, we can already see the means of our protection. None of the damage to primary and business-continuity systems is achievable without privileged access. So, with the right identity security, organisations can prevent wiper attacks. Our best defence is a strong security posture with identity-centric systems capable of detecting a wiper’s initial payload. Privilege escalation in a well-designed identity ecosystem will take days, or perhaps even weeks. The identification of key systems may take many more days. If the targeted enterprise can identify the anomalous activity, it can lock out compromised identities and prevent the deployment of the wiper.
Turned to dust
The aftermath of a wiper attack is not a matter of executing a plan. There is no plan that can cover the digital wipeout associated with a wiper. With ransomware, there are things to do. After a wiper, businesses must rebuild from the ground up. No rubble, no basic systems remain. Business continuity simply does not apply. The machinery of enterprise has been demolished beyond repair.
Given today’s prevalence of geopolitical tensions, wiper attacks have become a clear and present danger. Nation-state actors and hacktivist groups could use them to further disrupt already fraught economies. Wipers are built for disruption at scale with the goal of bringing lasting harm rather than reversible damage. Therefore, a cybersecurity strategy that is built around recovery will be insufficient to thwart a wiper attack. Organisations must modernise their postures to combat all current risks. This means that while industry professionals have spent recent years arguing that prevention-first strategies were old-fashioned, we must now revisit that assumption to account for wipers.
The good news is that because of how wipers operate, many best practices still apply. We should implement the principle of least privilege; we should put in place robust identity governance; we should enact network segmentation. A comprehensive privileged access management (PAM) platform and persistent, air-gapped, off-site backups are also crucial. If destruction is the intent, then prevention must be the defence.





