SOC Prime Bias: Critical

10 Feb 2026 14:29

DYNOWIPER: Destructive Malware Targeting Poland’s Energy Sector

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

In late December 2025, a coordinated destructive campaign struck Poland’s energy infrastructure, compromising more than thirty renewable-energy sites and a large combined heat and power plant. The attackers deployed a custom wiper, DYNOWIPER, that enumerates logical drives, overwrites files with random data, and forces a system reboot to maximise disruption. Initial access came through compromised FortiGate VPN devices and credentials reused across facilities. Elastic Defend detected the wiper through canary file monitoring and blocked its execution.

Investigation

Elastic Security Labs obtained a DYNOWIPER sample from public sources and performed static analysis. The specimen is a 32-bit Windows PE built with Visual C++ that relies on standard Windows APIs such as GetLogicalDrives, SetFileAttributesW, OpenProcessToken, and ExitWindowsEx. The malware avoids critical system directories, alters file attributes, and overwrites file headers with pseudorandom data generated by a Mersenne Twister PRNG. No persistence, C2, or anti-analysis features were observed.

Mitigation

Deploy behavioral ransomware protection that monitors canary files and large-scale file attribute changes. Enable multi-factor authentication on VPN and remote access services, harden FortiGate configurations, and remove default credentials. Maintain regular offline backups and verify backup integrity to ensure recovery.
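The canary-file mechanism named above, as an added example in Python (not SOC Prime's or Elastic's code): a small integrity tripwire that plants files with a known header and digest, then re-checks them. A header-overwriting wiper of the kind described in the analysis trips the header test on its first write. The header value, file names and the demo's temp directory are assumptions of this example, and the damage it applies to its own canaries is a constructed stimulus, not the malware's routine.

```python
"""Canary-file integrity check (added example, not SOC Prime's or Elastic's code)."""
import hashlib
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path

CANARY_MAGIC = b"CANARY01"   # hypothetical fixed header; any stable value works
CANARY_SIZE = 4096


@dataclass(frozen=True)
class CanaryRecord:
    path: Path
    sha256: str


def plant_canaries(root: Path, count: int = 3) -> list[CanaryRecord]:
    """Write `count` canaries under `root` and remember their digests."""
    root.mkdir(parents=True, exist_ok=True)
    records = []
    for i in range(count):
        body = CANARY_MAGIC + secrets.token_bytes(CANARY_SIZE - len(CANARY_MAGIC))
        path = root / f"~canary_{i:02d}.dat"   # name is an assumption; sorts early
        path.write_bytes(body)
        records.append(CanaryRecord(path, hashlib.sha256(body).hexdigest()))
    return records


def check_canaries(records: list[CanaryRecord]) -> list[tuple[Path, str]]:
    """Return (path, reason) for every canary that no longer matches its record.
    The header test runs first: it is cheapest and is what a header-overwriting
    wiper trips immediately; the digest catches damage further into the file."""
    findings = []
    for rec in records:
        if not rec.path.exists():
            findings.append((rec.path, "missing"))
            continue
        data = rec.path.read_bytes()
        if not data.startswith(CANARY_MAGIC):
            findings.append((rec.path, "header overwritten"))
        elif hashlib.sha256(data).hexdigest() != rec.sha256:
            findings.append((rec.path, "content changed"))
    return findings


def overwrite_header(path: Path, nbytes: int = 512) -> None:
    """Constructed stimulus for the demo: clobber only the first `nbytes` in place,
    the shape of damage the analysis describes. Uses OS randomness; this is not
    the malware's routine."""
    with open(path, "r+b") as f:
        f.write(secrets.token_bytes(nbytes))


def demo() -> tuple[list, list]:
    """Plant canaries in a temp dir, verify, damage two of them, verify again."""
    root = Path(tempfile.mkdtemp(prefix="canary_"))
    records = plant_canaries(root, count=3)
    before = check_canaries(records)
    overwrite_header(records[0].path)   # header wipe
    records[1].path.unlink()            # deletion
    after = check_canaries(records)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    for path, reason in after:
        print(f"ALERT {reason}: {path}")
```

Because the sample avoids critical system directories, canaries belong in the user and application data paths the wiper does visit, on every fixed drive. Polling as shown is the minimum; an EDR hooks the write itself and can block the process before the rest of the drive is touched, which is what the Summary credits Elastic Defend with.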

Response

Upon detection, immediately isolate the affected host, terminate the wiper process, and restore modified files from trusted backups. Sweep for additional compromised accounts and devices, especially FortiGate VPN appliances, and rotate any credentials that were reused across sites. Enforce MFA, patch known vulnerabilities, and review scheduled tasks for unauthorized entries. Monitor for the API call sequence and file-corruption pattern described in the analysis.

Attack Flow

    graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef operator fill:#ff9900

    %% Nodes – Actions (Techniques)
    action_initial_exploit_public_facing["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Exploit internet-exposed FortiGate VPN lacking MFA to gain entry."]
    class action_initial_exploit_public_facing action
    action_exploit_remote_services["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/><b>Description</b>: Use the exposed VPN service to connect remotely."]
    class action_exploit_remote_services action
    action_valid_accounts["<b>Action</b> – <b>T1078 Valid Accounts</b><br/><b>Description</b>: Reuse stolen or default credentials across multiple facilities."]
    class action_valid_accounts action
    action_file_dir_discovery["<b>Action</b> – <b>T1083 File and Directory Discovery</b><br/><b>Description</b>: Enumerate logical drives (A-Z) and identify fixed and removable drives."]
    class action_file_dir_discovery action
    action_endpoint_dos["<b>Action</b> – <b>T1499.004 Endpoint Denial of Service</b><br/><b>Description</b>: Overwrite file headers with random data to corrupt files and cause denial of service."]
    class action_endpoint_dos action
    action_system_reboot["<b>Action</b> – <b>T1529 System Shutdown/Reboot</b><br/><b>Description</b>: Acquire SeShutdownPrivilege and invoke forced reboot."]
    class action_system_reboot action
    action_credential_dumping["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/><b>Description</b>: Exfiltrate Active Directory database and FortiGate configuration during reconnaissance."]
    class action_credential_dumping action

    %% Nodes – Tools
    tool_fortigate_vpn["<b>Tool</b> – <b>Name</b>: FortiGate VPN<br/><b>Description</b>: Internet-exposed VPN service without multi-factor authentication."]
    class tool_fortigate_vpn tool
    tool_openprocess_token["<b>Tool</b> – <b>Name</b>: OpenProcessToken / AdjustTokenPrivileges<br/><b>Description</b>: Obtains SeShutdownPrivilege for privileged actions."]
    class tool_openprocess_token tool
    tool_exitwindows_ex["<b>Tool</b> – <b>Name</b>: ExitWindowsEx<br/><b>Description</b>: Executes reboot with force flag."]
    class tool_exitwindows_ex tool

    %% Operator for parallel credential dumping branch
    op_and(("AND"))
    class op_and operator

    %% Connections – Attack Flow
    action_initial_exploit_public_facing -->|uses| tool_fortigate_vpn
    action_initial_exploit_public_facing -->|leads_to| action_exploit_remote_services
    action_exploit_remote_services -->|leads_to| action_valid_accounts
    action_valid_accounts -->|leads_to| action_file_dir_discovery
    action_file_dir_discovery -->|leads_to| action_endpoint_dos
    action_endpoint_dos -->|leads_to| action_system_reboot
    action_system_reboot -->|uses| tool_openprocess_token
    tool_openprocess_token -->|invokes| tool_exitwindows_ex

    %% Parallel branch for credential dumping
    action_initial_exploit_public_facing -->|enables| op_and
    op_and -->|leads_to| action_credential_dumping

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed, so that process-creation and object-access events from the test host are already arriving in the SIEM.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and generate the exact telemetry the detection logic expects. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The red team operator first copies a trusted system binary (cmd.exe) to a new executable named GetLogicalDrives.exe, so that the resulting process-creation event satisfies selection1. Executing this renamed binary enumerates all mounted logical drives. Next, the operator uses a second renamed copy of cmd.exe, SetFileAttributesW.exe, to run attrib against a test file on each drive and reset its attributes to FILE_ATTRIBUTE_NORMAL (attrib calls the SetFileAttributesW API, which is what selection2 looks for). Finally, the operator creates or overwrites a large number of dummy files (about 200 per drive) to generate Security Event ID 4663 with AccessMask WriteData (selection3). Note that 4663 is only emitted when object-access auditing is enabled and the target directories carry a SACL that audits write access; without both, the file events never reach the SIEM and the rule cannot fire. This sequence mirrors DYNOWIPER's destructive phase and produces the combination of process and file-access events required by the Sigma rule.

  • Regression Test Script:

    # -------------------------------------------------
    # DYNOWIPER Destructive Behavior Simulation Script
    # -------------------------------------------------
    # Prerequisite: Run with Administrator privileges (writes to drive roots).
    # Event ID 4663 requires "Audit File System" to be enabled and an auditing
    # SACL on the test directories; otherwise selection3 produces no telemetry.
    
    # 1. Prepare the fake binaries (renamed copies of cmd.exe)
    $src           = Join-Path $env:windir 'System32\cmd.exe'
    $driveEnumPath = Join-Path $env:TEMP 'GetLogicalDrives.exe'
    $setAttrPath   = Join-Path $env:TEMP 'SetFileAttributesW.exe'
    
    Copy-Item -Path $src -Destination $driveEnumPath -Force
    Copy-Item -Path $src -Destination $setAttrPath   -Force
    
    # 2. Enumerate logical drives (selection1)
    #    wmic is deprecated and absent on recent Windows 11 builds; substitute
    #    "fsutil fsinfo drives" if the call fails.
    Write-Host "`n[+] Enumerating logical drives..."
    & $driveEnumPath /c "wmic logicaldisk get name"
    
    # Local drives only: Root looks like 'C:\'. Regex needs an escaped backslash.
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    
    # 3. Create a test folder on each drive and reset attributes to NORMAL (selection2)
    Write-Host "`n[+] Setting file attributes to NORMAL..."
    foreach ($d in $drives) {
        $testDir = Join-Path $d.Root 'DynowiperTest'
        New-Item -Path $testDir -ItemType Directory -Force | Out-Null
    
        # Create a dummy file and give it non-default attributes so the reset is observable
        $dummyFile = Join-Path $testDir 'dummy.txt'
        Set-Content -Path $dummyFile -Value ('A' * 1024) -Force
        (Get-Item $dummyFile).Attributes = 'ReadOnly, Hidden'
    
        # attrib.exe calls SetFileAttributesW; run it through the renamed binary,
        # then force the final state from PowerShell in case attrib is unavailable
        & $setAttrPath /c "attrib -R -H -S -A `"$dummyFile`""
        (Get-Item $dummyFile -Force).Attributes = 'Normal'
    }
    
    # 4. Mass file write to trigger EventID 4663 with WriteData (selection3)
    Write-Host "`n[+] Writing mass files to generate WriteData events..."
    foreach ($d in $drives) {
        $testDir = Join-Path $d.Root 'DynowiperTest'
        1..200 | ForEach-Object {
            $file = Join-Path $testDir ('file_{0}.txt' -f $_)
            Set-Content -Path $file -Value ('B' * 2048) -Force
        }
    }
    
    Write-Host "`n[+] Simulation complete. Review SIEM for alert."
  • Cleanup Commands:

    # -------------------------------------------------
    # Cleanup for DYNOWIPER Simulation
    # -------------------------------------------------
    $driveEnumPath = Join-Path $env:TEMP 'GetLogicalDrives.exe'
    $setAttrPath   = Join-Path $env:TEMP 'SetFileAttributesW.exe'
    
    # Remove the fake binaries
    Remove-Item -Path $driveEnumPath -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $setAttrPath   -Force -ErrorAction SilentlyContinue
    
    # Delete test folders and files from each local drive (same filter as the simulation)
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($d in $drives) {
        $testDir = Join-Path $d.Root 'DynowiperTest'
        Remove-Item -Path $testDir -Recurse -Force -ErrorAction SilentlyContinue
    }
    
    Write-Host "`n[+] Cleanup completed."
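The telemetry the simulation narrative describes (a suspect process creation, attribute resets, then a burst of 4663 WriteData events spanning several drives) correlated into one alert, as an added example in Python. This is not SOC Prime's Sigma rule, whose selections are not reproduced on this page; it is one way to implement the same three conditions over Security-log events normalised to JSON. The window, thresholds, field names and the sample events are all constructed for the example, and the second host shows why the multi-drive condition matters: a large single-drive copy by cmd.exe must not fire.

```python
"""Correlate simulation telemetry into an alert (added example, not the page's Sigma rule)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FILE_WRITE_DATA = 0x2          # 4663 AccessMask bit reported as WriteData / AddFile
FILE_WRITE_ATTRIBUTES = 0x100  # 4663 AccessMask bit reported as WriteAttributes
WINDOW = timedelta(seconds=60) # correlation window (assumption of this example)
WRITE_BURST = 100              # minimum 4663 WriteData events per host per window (assumption)
MIN_DRIVES = 2                 # writes must touch at least this many drive roots (assumption)
SUSPECT_IMAGES = {"getlogicaldrives.exe", "setfileattributesw.exe"}  # names from the narrative


def parse(line: str) -> dict:
    """One JSON event per line with Security-log field names; 'ts' is ISO-8601."""
    e = json.loads(line)
    e["ts"] = datetime.fromisoformat(e["ts"])
    return e


def drive_letter(path: str):
    return path[0].upper() if len(path) > 1 and path[1] == ":" else None


def has_access(e: dict, bit: int) -> bool:
    return e.get("EventID") == 4663 and int(e.get("AccessMask", "0x0"), 16) & bit != 0


def correlate(events: list[dict]) -> list[dict]:
    """Fire once per host when, within WINDOW after a 4688 for a suspect image, we
    see at least one WriteAttributes change and a WriteData burst over MIN_DRIVES drives."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for anchor in evs:
            if anchor.get("EventID") != 4688:
                continue
            image = anchor.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if image not in SUSPECT_IMAGES:
                continue
            end = anchor["ts"] + WINDOW
            window = [x for x in evs if anchor["ts"] <= x["ts"] <= end]
            attr = [x for x in window if has_access(x, FILE_WRITE_ATTRIBUTES)]
            writes = [x for x in window if has_access(x, FILE_WRITE_DATA)]
            drives = {drive_letter(x.get("ObjectName", "")) for x in writes} - {None}
            if attr and len(writes) >= WRITE_BURST and len(drives) >= MIN_DRIVES:
                alerts.append({
                    "host": host,
                    "anchor_image": image,
                    "window_start": anchor["ts"].isoformat(),
                    "attr_changes": len(attr),
                    "write_events": len(writes),
                    "drives": sorted(drives),
                })
                break  # one alert per host is enough for triage
    return alerts


def constructed_events() -> list[str]:
    """Constructed telemetry, not a real capture: one host running the simulation,
    one host doing a benign bulk copy onto a single drive."""
    t0 = datetime(2026, 2, 10, 14, 0, 0)
    lines = []

    def ev(host, sec, **fields):
        fields.update(host=host, ts=(t0 + timedelta(seconds=sec)).isoformat())
        lines.append(json.dumps(fields))

    # HMI-01: renamed cmd.exe, attribute reset on C: and D:, then 120 writes across both
    ev("HMI-01", 0, EventID=4688, NewProcessName=r"C:\Users\op\AppData\Local\Temp\GetLogicalDrives.exe")
    for d in "CD":
        ev("HMI-01", 2, EventID=4663, ObjectName=rf"{d}:\DynowiperTest\dummy.txt", AccessMask="0x100")
    for i in range(120):
        ev("HMI-01", 5 + i // 10, EventID=4663,
           ObjectName=rf"{'CD'[i % 2]}:\DynowiperTest\file_{i}.txt", AccessMask="0x2")
    # WS-02: ordinary cmd.exe and 300 writes to one drive only -> must not alert
    ev("WS-02", 0, EventID=4688, NewProcessName=r"C:\Windows\System32\cmd.exe")
    for i in range(300):
        ev("WS-02", 1 + i // 20, EventID=4663, ObjectName=rf"C:\Users\bob\backup\f{i}.bin", AccessMask="0x2")
    return lines


def run() -> list[dict]:
    return correlate([parse(line) for line in constructed_events()])


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

The image-name anchor is the weakest of the three conditions, since a real wiper will not be called GetLogicalDrives.exe; in production the burst-plus-multi-drive condition should be allowed to fire on its own, and the 4663 source must be verified first, because without "Audit File System" and a SACL on the data directories the write events simply do not exist.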