Lotus, the wiper that erases disks at a low level and threatens critical infrastructure in Venezuela


The discovery of a previously undocumented mass data-wiping malware was recently reported; according to researchers, it was used in targeted attacks against energy and service-sector organizations in Venezuela. The technical analysis, published by Kaspersky, describes a multi-phase operation designed to leave workstations and servers in an irreparable state: first, defense mechanisms are disabled and recovery options are sabotaged, and then comes the final phase, in which the code destroys the disks at a low level.

The technical details laid out by the analysts reveal a chain of tools and scripts that prepare the ground. A first batch script neutralizes Windows services and runs checks to coordinate execution on domain-joined machines. A second script broadens the actions: it enumerates local accounts, forces password changes to lock users out, terminates active sessions, disables network interfaces and clears stored logons, hampering both human response and remote recovery.


Beyond these administrative actions, the attackers rely on legitimate system utilities, tools ordinarily used by administrators, to delete and overwrite content: diskpart is invoked to run "clean all" and fill the sectors with zeros, robocopy is used to overwrite files, and fsutil is used to create files that consume the free disk space, which further complicates any attempt to restore data. Kaspersky describes how, after these initial maneuvers, the script deobfuscates and launches the final executable, which the researchers have named Lotus. The technical report is available from the lab's own publication: Kaspersky Securelist on Lotus.

What sets Lotus apart is that it is not limited to deleting files at the file-system level: it operates deeper, through IOCTL calls to the physical disk, retrieving the disk geometry, clearing USN journal entries and removing restore points. The wiping component overwrites whole physical sectors, not just logical volumes, and repeats cycles of overwriting and deleting restore points until the device is left in a state where the usual recovery techniques are ineffective. In parallel, the wiper elevates its privileges to ensure full administrative access and applies techniques such as randomly renaming files and overwriting their content with zeros before deleting them, or scheduling their deletion at the next boot if they are locked.

The operating pattern described by the experts outlines a targeted and calculated campaign: the Lotus binary was uploaded to a public platform in mid-December from a machine located in Venezuela, and its behavior fits the tactics used in previous destructive attacks, where the aim is not a ransom but the irreversible destruction of data and the prolonged disruption of critical services.

Kaspersky also points to the context: the malware's appearance coincides with a moment of high geopolitical tension in the region and with media reports of incidents affecting energy infrastructure on nearby dates. However, the researchers stress that there is no public evidence directly attributing all these incidents to this specific wiper, or confirming that particular organizations were fully wiped by Lotus.

From a detection and response standpoint, the indicators emerging from the report should be a priority for security managers and teams: unusual changes to the NETLOGON share, tampering with services such as UI0Detect, mass modification of user accounts, disconnection or disabling of network interfaces, and unexpected, large-scale use of tools such as diskpart, robocopy or fsutil often precede the detonation of the destructive payload. Monitoring telemetry in these areas and correlating it with other signs of compromise may make it possible to stop the campaign before the low-level wipe is carried out.
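As an added illustration of that correlation idea (example code written for this article, not Kaspersky's detection logic), the script below scans constructed process-creation records for the precursor activity named above and flags a host only when several distinct categories appear within a short window. The record format, rule names and sample events are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Precursor categories from the report, expressed as regexes over process
# command lines. Rule names and patterns are constructed for this example.
RULES = {
    "diskpart_wipe": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
    "robocopy_overwrite": re.compile(r"\brobocopy(\.exe)?\b", re.I),
    "fsutil_fill_free_space": re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\b", re.I),
    "mass_password_change": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+", re.I),
    "nic_disable": re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\bdisable", re.I),
    "ui0detect_tamper": re.compile(r"\b(sc|net1?)(\.exe)?\s+(stop|config|delete)\s+UI0Detect\b", re.I),
}

def parse_event(line):
    """Parse one constructed 'timestamp|host|user|command_line' record."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd

def classify(cmd):
    """Return the set of rule names whose pattern matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}

def find_wiper_precursors(lines, window=timedelta(minutes=15), min_rules=3):
    """Map host -> sorted rule names for hosts where at least `min_rules`
    distinct precursor categories occur within `window` of each other."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _, cmd = parse_event(line)
        for name in classify(cmd):
            per_host[host].append((ts, name))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - start <= window}
            if len(names) >= min_rules:
                flagged[host] = sorted(names)
                break
    return flagged

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "2025-01-10T02:00:05|srv-fin01|CORP\\admin|sc.exe stop UI0Detect",
    "2025-01-10T02:00:09|srv-fin01|CORP\\admin|net user backupop P-reset-01",
    '2025-01-10T02:01:30|srv-fin01|CORP\\admin|netsh interface set interface "Ethernet" admin=disable',
    "2025-01-10T02:02:00|srv-fin01|CORP\\admin|fsutil file createnew C:\\fill.bin 50000000000",
    "2025-01-10T09:12:00|ws-eng07|CORP\\jdoe|robocopy C:\\proj D:\\bak /E",
    "2025-01-11T08:00:00|ws-eng07|CORP\\jdoe|net user jdoe NewPass123",
]

if __name__ == "__main__":
    print(find_wiper_precursors(SAMPLE_EVENTS))
```

The second host shows why the window matters: a lone robocopy run and an unrelated password change a day apart stay below the threshold, while the clustered sequence on the first host is flagged.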


In practical terms, the basic recommendations do not differ from good practice against destructive malware: keep offline and air-gapped backups, regularly verify that those copies are restorable, restrict the use of privileged accounts and audit changes to them, apply least-privilege principles in production environments, and deploy advanced detection that identifies abuse of legitimate system utilities. For operational guidance and defensive resources against such threats, security agencies and response centres have published open recommendations worth reviewing, such as those compiled by the United States Cybersecurity and Infrastructure Security Agency (CISA - StopRansomware).

The Lotus case is a reminder that destructive threats remain an effective tool in cyber conflicts and that defence requires a combination of technical prevention, sound administrative practice and operational preparedness. Critical infrastructure teams should prioritize visibility into changes in their environment and the safe preservation of data copies, because once a wiper that acts at the physical level starts running, recovery options shrink drastically.

To dig deeper into the technical analysis and the indicators of compromise that Kaspersky published, consult the original report on its blog: Kaspersky - Lotus wiper. For general preparedness and response measures against ransomware and wipers, CISA's resources are a good starting point: https://www.cisa.gov/stopransomware.
