Disk-Wiping 'Shamoon' Malware Resurfaces With File-Erasing Malware in Tow
Organizations in the United Arab Emirates and Saudi Arabia are once again being targeted in a new wave of attacks involving Shamoon, a malware strain that was used to destroy more than 30,000 PCs at oil giant Saudi Aramco in 2012.
The latest attacks come after a two-year lull and are doubly destructive since they include a new component, Filerase, for erasing files on an infected system before Shamoon wipes the master boot record clean, Symantec states in a report. The addition of Filerase makes it almost impossible for victims to recover data from impacted systems, the security vendor notes.
Based on a breach disclosure from Italian oil services firm Saipem, the new Shamoon attacks appear to have begun Dec. 10. Saipem, a leading provider of drilling services, described the attack as impacting up to 100 PCs and between 300 and 400 servers located in the Middle East, India, Scotland, and Italy. "The attack led to the cancellation of data and infrastructures, typical effects of malware," according to Saipem. "The restoration activities, in a gradual and controlled manner, are under way through the back-up infrastructures and, when completed, will re-establish the full operation of the impacted sites." Reuters quoted a Saipem executive as saying the attacks had originated in the south Indian city of Chennai, though Symantec itself says it has no evidence to corroborate that.