Data‑Wiping Malware “Lotus” Cripples Venezuelan Energy and Utility Firms
What Happened – Researchers at Kaspersky identified a previously unknown data‑wiping malware, dubbed Lotus, deployed in late 2025 against energy and utility organizations in Venezuela. The payload overwrites physical drives and deletes the recovery artifacts (NTFS USN change journal, System Restore points) that would otherwise support reconstruction, leaving affected systems unrecoverable.
Why It Matters for TPRM –
- Destructive malware can cause prolonged service outages for critical‑infrastructure suppliers, impacting downstream business continuity.
- Lack of publicly disclosed attribution highlights the difficulty of assessing geopolitical risk in third‑party relationships.
- The chain relies on native Windows utilities (diskpart, fsutil) and publicly available tooling rather than on a software vulnerability, showing that even low‑capability actors can achieve high‑impact sabotage and that signature‑based controls alone will not catch it.
Who Is Affected – Energy & utilities sector in Venezuela (state‑owned oil company PDVSA and other utility firms).
Recommended Actions –
- Review contracts and incident‑response clauses with Venezuelan energy‑sector vendors.
- Verify that critical suppliers maintain immutable backups and offline recovery media.
- Validate that endpoint hardening is enforced: disable unnecessary services, restrict batch‑script execution, confine diskpart and fsutil to authorized administrative accounts through application control, and forward process‑creation logging (Windows event 4688 or Sysmon event 1, with command lines) off‑host so the precursor commands are visible before the wipe completes.
Technical Notes – The chain begins with two batch scripts that stop Windows services, lock user accounts, and disable network interfaces, isolating the host and hindering remote response before the destructive stage. A diskpart script then issues clean all, which zeroes every sector of the selected disks (diskpart itself refuses to clean the disk holding the running boot/system volume, so coverage of the OS disk depends on the direct sector writes of the final stage), and an fsutil routine creates large zero‑filled files to overwrite remaining free space. The final payload, the Lotus wiper itself, issues low‑level device I/O control (IOCTL) calls to delete the NTFS USN change journal, remove System Restore points, and overwrite physical sectors directly. No CVE is involved; apart from the wiper binary, every step uses native Windows utilities, so detection has to key on command‑line telemetry rather than file signatures.
Source: BleepingComputer
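As an added example (not code from the report, from Kaspersky, or from BleepingComputer), the following Python script shows how a SOC could surface the staged pattern described above in process‑creation telemetry. The sample events, host and user names, the command‑line shapes assumed for each stage (sc/net stop, net user /active:no, netsh interface set interface admin=disable, diskpart /s or clean all, fsutil file createnew, fsutil usn deletejournal), and the window and size thresholds are all assumptions for illustration, not indicators published for Lotus.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions for this example, not values from the Lotus report).
WINDOW = timedelta(minutes=15)   # per-host correlation window
MIN_STAGES = 3                   # distinct stages before a medium-severity alert fires
FILL_BYTES = 1 << 30             # fsutil createnew of >= 1 GiB counts as deliberate disk filling

# Command-line shapes assumed for each stage of the chain described in the notes.
# Patterns are applied after normalize(), so a full path to the binary also matches.
STAGES = {
    "batch_launch":    re.compile(r"^cmd(?:\.exe)?\s+/[ck]\s+.*\.bat\b", re.I),
    "service_disable": re.compile(r"^(?:sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\b", re.I),
    "account_lock":    re.compile(r"^net(?:\.exe)?\s+user\b.*/active:no\b", re.I),
    "network_down":    re.compile(r"^netsh(?:\.exe)?\s+interface\s+set\s+interface\b.*admin=disabled?\b", re.I),
    "diskpart_script": re.compile(r"^diskpart(?:\.exe)?\b.*(?:/s\b|clean\s+all)", re.I),
    "fsutil_fill":     re.compile(r"^fsutil(?:\.exe)?\s+file\s+createnew\s+\S+\s+(\d+)", re.I),
    "usn_delete":      re.compile(r"^fsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I),
}
# Any one of these on its own is already a high-severity event.
DESTRUCTIVE = {"diskpart_script", "fsutil_fill", "usn_delete"}

# Constructed sample telemetry (timestamp|host|user|command line), modelled on
# Windows 4688 / Sysmon event 1 fields. Not real data from the incident.
SAMPLE_EVENTS = r"""
2025-11-20T02:14:03|SCADA-HMI-01|CORP\svc_ops|cmd.exe /c C:\Temp\stage1.bat
2025-11-20T02:14:04|SCADA-HMI-01|CORP\svc_ops|C:\Windows\System32\sc.exe stop WinDefend
2025-11-20T02:14:05|SCADA-HMI-01|CORP\svc_ops|net user backupadmin /active:no
2025-11-20T02:14:06|SCADA-HMI-01|CORP\svc_ops|netsh interface set interface "Ethernet0" admin=disable
2025-11-20T02:14:09|SCADA-HMI-01|CORP\svc_ops|diskpart /s C:\Temp\wipe.txt
2025-11-20T02:14:40|SCADA-HMI-01|CORP\svc_ops|fsutil file createnew D:\fill.bin 53687091200
2025-11-20T02:15:12|SCADA-HMI-01|CORP\svc_ops|fsutil usn deletejournal /D C:
2025-11-20T09:30:00|FILE-SRV-02|CORP\jdoe|net stop Spooler
2025-11-20T09:45:00|FILE-SRV-02|CORP\jdoe|fsutil file createnew C:\test.bin 1048576
"""


def normalize(cmdline: str) -> str:
    """Reduce the first token to its basename so full paths match the patterns.
    Limitation: a quoted executable path containing spaces is not handled."""
    cmdline = cmdline.strip()
    first, _, rest = cmdline.partition(" ")
    first = first.strip('"').rsplit("\\", 1)[-1]
    return f"{first} {rest}".strip()


def classify(cmdline: str):
    """Return the chain stage a command line belongs to, or None."""
    cmd = normalize(cmdline)
    for stage, pattern in STAGES.items():
        m = pattern.search(cmd)
        if not m:
            continue
        if stage == "fsutil_fill" and int(m.group(1)) < FILL_BYTES:
            return None          # small createnew files are routine admin/test activity
        return stage
    return None


def parse_events(text: str):
    """Parse 'timestamp|host|user|cmdline' lines into tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmdline))
    return sorted(events, key=lambda e: e[0])


def correlate(events):
    """Cluster stage hits per host inside WINDOW and return alert dicts."""
    hits_by_host = defaultdict(list)
    for ts, host, user, cmdline in events:
        stage = classify(cmdline)
        if stage:
            hits_by_host[host].append((ts, user, stage, cmdline))

    alerts = []
    for host, hits in hits_by_host.items():
        i = 0
        while i < len(hits):
            start = hits[i][0]
            cluster = [h for h in hits[i:] if h[0] - start <= WINDOW]
            stages = {h[2] for h in cluster}
            if len(stages) >= MIN_STAGES or stages & DESTRUCTIVE:
                alerts.append({
                    "host": host,
                    "users": sorted({h[1] for h in cluster}),
                    "first_seen": cluster[0][0].isoformat(),
                    "last_seen": cluster[-1][0].isoformat(),
                    "stages": sorted(stages),
                    "severity": "high" if stages & DESTRUCTIVE else "medium",
                    "commands": [h[3] for h in cluster],
                })
                i += len(cluster)    # do not re-report the same cluster
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity'].upper()}] {alert['host']} "
              f"{alert['first_seen']}..{alert['last_seen']}: {', '.join(alert['stages'])}")
```

On the sample, the SCADA host produces one high‑severity alert covering all seven stages, while the file server's routine net stop and 1 MiB test file stay below threshold. The diskpart pattern matches on /s because the clean all text normally lives inside the script file rather than on the command line, so script‑driven diskpart is treated as suspicious by itself; any single destructive stage is escalated regardless of how many precursors were seen, since by the time diskpart or the USN deletion runs there is little left to correlate.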