Kaspersky Analyzes 'Synapse,' a New Wiper Malware Masquerading as Ransomware

'Synapse' Wiper Malware Disguised as Ransomware, Designed for Maximum Destruction

CRITICAL
July 1, 2026
Categories: Malware, Threat Actor, Threat Intelligence

Executive Summary

Researchers from Kaspersky's Global Research and Analysis Team (GReAT) have published a report on a new destructive malware named Synapse. This malware employs a deceptive strategy, masquerading as ransomware while its true function is to act as a wiper, causing irreversible damage to infected systems. Synapse drops a fake ransom note to trick victims and delay proper incident response, but its core function is to destroy the Master Boot Record (MBR) and corrupt files beyond recovery. The investigation noted code similarities between Synapse and malware historically linked to the Sandworm APT group, suggesting a potentially state-sponsored origin.


Threat Overview

Synapse represents a dangerous evolution in destructive attacks, blending the psychological tactics of ransomware with the purely destructive intent of a wiper.

  • Deception Tactic: The malware's most notable feature is its masquerade. It encrypts a small number of insignificant files and drops a ransom note. This is designed to make the victim believe they are dealing with a typical financially motivated ransomware attack. This misdirection can cause victims to waste valuable time attempting to negotiate or procure cryptocurrency, while the real damage is being done.
  • Destructive Payload: The true purpose of Synapse is data destruction. Its primary payload targets critical system components:
    • Master Boot Record (MBR): It overwrites the MBR, which is essential for the operating system to boot. This renders the system unbootable.
    • File System Corruption: It systematically overwrites the headers of files with junk data, making file recovery from the disk practically impossible.
  • Initial Access: In the incident analyzed by Kaspersky, the initial vector was a compromised third-party software update, indicating a potential supply chain attack.

Technical Analysis

The dual nature of Synapse is its key technical feature. The 'ransomware' component is a lightweight decoy, while the wiper component is the true payload. This separation of concerns suggests a deliberate design rather than an opportunistic one.

The fake ransom note and superficial encryption are carefully crafted to be convincing. However, Kaspersky's analysis confirmed that the 'encryption key' in the note is a decoy, and there is no corresponding decryption logic or C2 infrastructure for payment.

The code overlaps with the Sandworm toolkit are significant. Sandworm, a group attributed to Russia's GRU, is notorious for destructive attacks, including the NotPetya wiper outbreak in 2017, which also masqueraded as ransomware. While attribution is not definitive, the TTPs and code artifacts strongly point towards a sophisticated state actor with experience in destructive operations.

Impact Assessment

The impact of a Synapse attack is total and irreversible data loss on the affected systems. Unlike ransomware, there is no option for recovery through payment.

  • Operational Disruption: The destruction of critical systems can cause a complete and prolonged shutdown of business operations.
  • High Recovery Costs: Recovery is only possible if the organization has robust, air-gapped, and immutable backups. All affected systems must be rebuilt from scratch.
  • Psychological Impact: The deception tactic adds a layer of psychological manipulation, causing confusion and potentially leading to poor decision-making during the initial stages of incident response.

Detection & Response

  • Detection:
    • Detecting wipers before they execute is challenging. Behavioral-based EDR solutions may be able to detect the low-level disk writing activity associated with MBR and file header manipulation (D3FEND: Process Analysis).
    • Monitor for any unauthorized software update processes or connections to unknown update servers.
    • If a 'ransom note' appears, incident responders should not automatically assume it's a standard ransomware case. The possibility of a wiper must be considered, and analysis of the malware should be prioritized.
  • Response:
    • Immediate Isolation: If a wiper is suspected, the immediate priority is to isolate affected and potentially affected systems to prevent its spread. This may involve taking entire network segments offline.
    • Do Not Trust the Note: Treat any ransom note with skepticism until malware analysis can confirm whether it is a true ransomware or a wiper.
    • Activate Disaster Recovery: If data is confirmed to be destroyed, the focus shifts from incident response to disaster recovery, relying on backups to restore operations.
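The behavioral signals named above (raw-disk write handles, a write to the first sector, and a burst of small offset-0 writes across many files) can be turned into simple detection logic. This is an added example, not code from Kaspersky's report; the event schema, process names and thresholds are constructed for illustration and would need mapping onto a real EDR's telemetry.

```python
"""Constructed example: flag processes whose disk/file telemetry resembles
MBR or file-header wiping. Event schema is hypothetical, not a real EDR's."""
from collections import defaultdict

# Raw device paths whose write access is almost never legitimate for user software.
RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", r"\\.\C:")
HEADER_WRITE_MAX = 4096       # writes this small at offset 0 look like header stomping
HEADER_WRITE_THRESHOLD = 20   # distinct files per process before we alert


def detect(events):
    """Return (pid, alert_kind, detail) tuples for suspicious behaviour."""
    alerts = []
    header_hits = defaultdict(set)   # pid -> files with small offset-0 writes
    for e in events:
        target = e["target"]
        if e["op"] == "open" and target.startswith(RAW_DEVICE_PREFIXES) and e.get("access") == "write":
            alerts.append((e["pid"], "raw_disk_write_handle", target))
        elif e["op"] == "write":
            if target.startswith(RAW_DEVICE_PREFIXES) and e["offset"] < 512:
                # Sector 0 of a physical drive holds the MBR.
                alerts.append((e["pid"], "mbr_sector_write", target))
            elif e["offset"] == 0 and e["size"] <= HEADER_WRITE_MAX:
                header_hits[e["pid"]].add(target)
    for pid, files in header_hits.items():
        if len(files) >= HEADER_WRITE_THRESHOLD:
            alerts.append((pid, "mass_file_header_overwrite", f"{len(files)} files"))
    return alerts


def constructed_events():
    """Constructed telemetry: one wiper-like process (pid 4120) and one benign editor (pid 900)."""
    evs = [
        {"pid": 4120, "image": "updater.exe", "op": "open",
         "target": r"\\.\PhysicalDrive0", "access": "write"},
        {"pid": 4120, "image": "updater.exe", "op": "write",
         "target": r"\\.\PhysicalDrive0", "offset": 0, "size": 512},
    ]
    for i in range(25):   # header overwrite on 25 documents
        evs.append({"pid": 4120, "image": "updater.exe", "op": "write",
                    "target": rf"C:\Users\alice\Documents\doc{i}.docx", "offset": 0, "size": 1024})
    # A normal application rewriting a single file from offset 0 is not an alert.
    evs.append({"pid": 900, "image": "winword.exe", "op": "write",
                "target": r"C:\Users\alice\Documents\notes.docx", "offset": 0, "size": 4096})
    return evs


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```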

Mitigation

  • Immutable Backups: This is the single most critical defense against wipers. Maintain multiple copies of critical data, with at least one copy being offline, air-gapped, and/or immutable. Regularly test the restoration process.
  • Application Control: Use application allow-listing to prevent unauthorized software (like a trojanized update) from executing.
  • Supply Chain Security: Scrutinize the security practices of all third-party software vendors. Verify the integrity and authenticity of all software updates before deployment.
  • Network Segmentation: Segment networks to contain the spread of a destructive payload. Critical systems should be isolated to limit the blast radius of an attack.

Timeline of Events

July 1, 2026: This article was published.

MITRE ATT&CK Mitigations

The most critical mitigation against wipers is having a robust and tested backup and recovery plan, including offline and immutable backups.

Using application control or allow-listing can prevent the execution of the trojanized software update that delivers the wiper.

Segmenting the network can help contain the spread of a wiper, limiting the blast radius of a destructive attack.

Protecting against MBR modification can be achieved through UEFI Secure Boot, which prevents unauthorized code from running before the OS loads.

D3FEND Defensive Countermeasures

The primary defense against a destructive wiper like Synapse is a robust backup strategy. Organizations must follow the 3-2-1 rule (3 copies, 2 different media, 1 offsite). Crucially, at least one copy must be immutable or air-gapped, meaning it cannot be altered or deleted by a compromised system or credential. Cloud-based immutable storage or physical tape backups are effective options. Restoration procedures must be tested regularly to ensure that a full recovery is possible in a disaster scenario. Against Synapse, backups are not just a mitigation; they are the only path to recovery.

To counter the MBR-wiping capability of Synapse, organizations should enforce UEFI Secure Boot on all modern endpoints. Secure Boot is a security standard that ensures a device boots using only software that is trusted by the OEM. It works by validating the digital signature of the bootloader before it is executed. This feature directly prevents malware like Synapse from overwriting the legitimate Master Boot Record or bootloader with its own malicious code, thus preserving the system's ability to boot and thwarting a key part of the destructive payload.
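Secure Boot validates the bootloader's signature at boot time; it does not stop a privileged process from writing sector 0 of the disk, so a complementary control is to baseline the MBR and compare it on a schedule. The following is an added example (not code from the report or from Kaspersky) that parses a 512-byte MBR image, checks the 0x55AA boot signature and partition table, and classifies the sector as intact, modified or wiped against a stored SHA-256 baseline. The sample MBR is constructed; on a live host the sector would be read from the raw disk device by an agent with the necessary privileges.

```python
"""Constructed example: sanity-check and baseline-compare a 512-byte MBR image."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"                 # legacy MBR boot signature at bytes 510-511
ENTRY_FMT = "<B3xB3xII"                # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes):
    """Return (signature_ok, partitions) for a raw 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[510:512] == BOOT_SIG
    parts = []
    for i in range(4):                 # four 16-byte entries starting at offset 446
        boot, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:                 # type 0 means an unused slot
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count})
    return sig_ok, parts


def assess_mbr(sector: bytes, baseline_sha256: str) -> str:
    """'intact' if it matches the baseline, 'wiped' if the signature or the
    whole partition table is gone, otherwise 'modified' (investigate)."""
    if hashlib.sha256(sector).hexdigest() == baseline_sha256:
        return "intact"
    sig_ok, parts = parse_mbr(sector)
    if not sig_ok or not parts:
        return "wiped"
    return "modified"


def build_mbr(partitions):
    """Constructed helper: assemble a plausible MBR from (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR)
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, *entry)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed known-good MBR: one bootable NTFS (type 0x07) partition at LBA 2048.
GOOD_MBR = build_mbr([(0x80, 0x07, 2048, 1_000_000)])
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()

if __name__ == "__main__":
    print(assess_mbr(GOOD_MBR, BASELINE))          # intact
    print(assess_mbr(bytes(SECTOR), BASELINE))     # wiped (all zeros, no signature)
```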

Since the initial vector for Synapse was a compromised software update, application control is a powerful preventative measure. By implementing an executable allow-listing policy, organizations can ensure that only known, trusted, and properly signed applications are allowed to run. A trojanized software update, unless the attackers also compromised the signing keys, would have a different signature or be unsigned, and would thus be blocked from executing. This stops the attack at the earliest possible stage, before the wiper has a chance to run.

Sources & References

  • Synapse: A Deep-Dive into the New Wiper Masquerading as Ransomware. Kaspersky Securelist (securelist.com), July 1, 2026.
  • New 'Synapse' malware is a destructive wiper disguised as ransomware. Ars Technica (arstechnica.com), July 1, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of focus: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

wiper, malware, sandworm, apt, data destruction, kaspersky, deception
