It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

The flag of Iran.

Researchers say they’ve uncovered never-before-seen disk-wiping malware that’s disguising itself as ransomware as it unleashes destructive attacks on Israeli targets.

Apostle, as researchers at security firm SentinelOne are calling the malware, was initially deployed in an attempt to wipe data but failed to do so, likely because of a logic flaw in its code. The internal name its developers gave it was “wiper-action.” In a later version, the bug was fixed and the malware gained full-fledged ransomware behaviors, including the leaving of notes demanding victims pay a ransom in exchange for a decryption key.

A clear line

In a post published Tuesday, SentinelOne researchers said they assessed with high confidence that, based on the code and the servers Apostle reported to, the malware was being used by a never-before-seen group with ties to the Iranian government. While a ransomware note they recovered suggested that Apostle had been used against a critical facility in the United Arab Emirates, the primary target was Israel.

“The usage of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions,” Tuesday’s report stated. “Analysis of the Apostle malware provides a rare insight into those kinds of attacks, drawing a clear line between what began as a wiper malware to a fully operational ransomware.”

The researchers have dubbed the newly discovered hacking group Agrius. SentinelOne saw the group first using Apostle as a disk wiper, although a flaw in the malware prevented it from doing so, most likely because of a logic error in its code. Agrius then fell back on Deadwood, a wiper that had already been used against a target in Saudi Arabia in 2019.

When Agrius released a new version of Apostle, it was full-fledged ransomware.

“We believe the implementation of the encryption functionality is there to mask its actual intention—destroying victim data,” Tuesday’s post stated. “This thesis is supported by an early version of Apostle that the attackers internally named…