Researchers from Kaspersky's Global Research and Analysis Team (GReAT) have published a report on a new destructive malware named Synapse. This malware employs a deceptive strategy, masquerading as ransomware while its true function is to act as a wiper, causing irreversible damage to infected systems. Synapse drops a fake ransom note to trick victims and delay proper incident response, but its core function is to destroy the Master Boot Record (MBR) and corrupt files beyond recovery. The investigation noted code similarities between Synapse and malware historically linked to the Sandworm APT group, suggesting a potentially state-sponsored origin.
Synapse represents a dangerous evolution in destructive attacks, blending the psychological tactics of ransomware with the purely destructive intent of a wiper.
The dual nature of Synapse is its key technical feature. The 'ransomware' component is a lightweight decoy, while the wiper component is the true payload. This separation of concerns suggests a deliberate and thoughtful design.
The fake ransom note and superficial encryption are carefully crafted to be convincing. However, Kaspersky's analysis confirmed that the 'encryption key' in the note is a decoy, and there is no corresponding decryption logic or C2 infrastructure for payment.
The code overlaps with the Sandworm toolkit are significant. Sandworm, a group attributed to Russia's GRU, is notorious for destructive attacks, including the NotPetya wiper outbreak in 2017, which also masqueraded as ransomware. While attribution is not definitive, the TTPs and code artifacts strongly point towards a sophisticated state actor with experience in destructive operations.
T1195.002 - Compromise Software Supply Chain - The reported vector was a compromised software update.
T1204.002 - Malicious File - Execution of the trojanized software update.
T1562.001 - Inhibit System Recovery - The wiper functionality is a form of inhibiting system recovery.
T1027 - Obfuscated Files or Information - The malware likely uses obfuscation to hide its true intent.
T1561.001 - Disk Content Wipe - Overwriting file headers with junk data.
T1561.002 - Disk Structure Wipe - Destroying the Master Boot Record (MBR).
T1485 - Data Destruction - The ultimate goal of the malware.
The impact of a Synapse attack is total and irreversible data loss on the affected systems. Unlike ransomware, there is no option for recovery through payment.
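As an added example (not code from Kaspersky's report or from the Synapse sample), the following Python triage helper checks for the two destructive outcomes listed under T1561.001 and T1561.002: whether a disk's first sector still carries a valid MBR boot signature and at least one plausible partition entry, and whether files' leading bytes still match the magic expected for their extension. The disk sector and file contents are constructed inside the block; the extension-to-magic table is an assumed, deliberately small sample.

```python
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446               # four 16-byte partition entries follow
# Assumed sample of magic bytes; extend for the file types in your estate.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04"}

def check_mbr(sector: bytes) -> dict:
    """Inspect the first 512 bytes of a disk or disk image."""
    findings = {"boot_signature_ok": False, "partitions": 0, "uniform": False}
    if len(sector) < MBR_SIZE:
        return findings
    findings["boot_signature_ok"] = sector[510:512] == BOOT_SIGNATURE
    findings["uniform"] = len(set(sector[:PART_TABLE_OFFSET])) == 1  # e.g. all 0x00/0xFF
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]           # bootable flag, partition type
        _lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0 and status in (0x00, 0x80) and sectors > 0:
            findings["partitions"] += 1
    return findings

def header_intact(name: str, data: bytes) -> Optional[bool]:
    """True/False if the extension is known; None if we cannot judge."""
    magic = MAGIC.get(name[name.rfind("."):].lower())
    return None if magic is None else data.startswith(magic)

def triage(sector: bytes, files: Dict[str, bytes]) -> dict:
    """Combine MBR and file-header findings into one verdict."""
    mbr = check_mbr(sector)
    corrupted: List[str] = [n for n, d in files.items() if header_intact(n, d) is False]
    suspect = not mbr["boot_signature_ok"] or mbr["partitions"] == 0 or mbr["uniform"]
    return {"mbr_suspect": suspect, "mbr": mbr, "corrupted_files": corrupted}

def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: boot code, one active NTFS-type partition, signature."""
    boot_code = bytes(range(256)) + bytes(PART_TABLE_OFFSET - 256)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    healthy = {"report.pdf": b"%PDF-1.7\n...", "logo.png": b"\x89PNG\r\n\x1a\n..."}
    print(triage(build_sample_mbr(), healthy))
    wiped_sector = bytes([0xAA]) * MBR_SIZE            # constructed junk overwrite
    wiped_files = {"report.pdf": bytes([0xAA]) * 64}   # header replaced by junk
    print(triage(wiped_sector, wiped_files))
```

Run it against `/dev/sda` (or a forensic image) and a sample of user files to get a quick, scriptable answer to "did the wiper actually run here" before deciding whether the ransom note is worth any attention at all.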
Process Analysis
The most critical mitigation against wipers is having a robust and tested backup and recovery plan, including offline and immutable backups.
Using application control or allow-listing can prevent the execution of the trojanized software update that delivers the wiper.
Segmenting the network can help contain the spread of a wiper, limiting the blast radius of a destructive attack.
Protecting against MBR modification can be achieved through UEFI Secure Boot, which prevents unauthorized code from running before the OS loads.
The primary defense against a destructive wiper like Synapse is a robust backup strategy. Organizations must follow the 3-2-1 rule (3 copies, 2 different media, 1 offsite). Crucially, at least one copy must be immutable or air-gapped, meaning it cannot be altered or deleted by a compromised system or credential. Cloud-based immutable storage or physical tape backups are effective options. Restoration procedures must be tested regularly to ensure that a full recovery is possible in a disaster scenario. Against Synapse, backups are not just a mitigation; they are the only path to recovery.
To counter the MBR-wiping capability of Synapse, organizations should enforce UEFI Secure Boot on all modern endpoints. Secure Boot is a security standard that ensures a device boots using only software that is trusted by the OEM. It works by validating the digital signature of the bootloader before it is executed. This feature directly prevents malware like Synapse from overwriting the legitimate Master Boot Record or bootloader with its own malicious code, thus preserving the system's ability to boot and thwarting a key part of the destructive payload. Note that Secure Boot validates what is allowed to execute at boot; it does not by itself stop an already-running process with administrative rights from issuing raw writes to the disk, so pair it with monitoring of raw disk access and with the backup strategy above.
Since the initial vector for Synapse was a compromised software update, application control is a powerful preventative measure. By implementing an executable allow-listing policy, organizations can ensure that only known, trusted, and properly signed applications are allowed to run. A trojanized software update, unless the attackers also compromised the signing keys, would have a different signature or be unsigned, and would thus be blocked from executing. This stops the attack at the earliest possible stage, before the wiper has a chance to run.