April 22, 2026

Lotus Wiper, Venezuela, and Why Your Backups May Not Save You

There’s a story out of Venezuela this week that didn’t make the U.S. evening news, but it should be on every small business owner’s radar. Not because Venezuela is around the corner – but because the techniques used in the attack are about as universal as it gets. They work against any unprotected Windows network on the planet.

Researchers at Kaspersky have just published their analysis of a brand-new piece of malware called Lotus Wiper, used in a destructive campaign against Venezuela’s energy and utilities sector at the end of 2025 and into early 2026. The word “wiper” is the important part. This isn’t ransomware. There’s no demand for money, no decryption key on offer, no negotiation. The goal is simply to destroy.

What Lotus Wiper Actually Does

The attack runs in stages, and what’s striking is how many of them use tools that come built into Windows itself – the same tools your IT person uses every day.

First, two batch scripts run across the network to weaken defenses. They disable user accounts, force everyone logged in to log off, block cached logins, and shut down network interfaces to isolate machines so they can’t call for help.

Then the wiper itself fires. And it doesn’t just delete files – it goes after the very things that would let you recover:

  • Deletes Windows restore points through the System Restore API. Your built-in safety net is gone.
  • Overwrites every sector of every physical drive with zeroes using low-level disk commands. This is not a “send to recycle bin” operation. The data is gone at the physical level.
  • Clears the USN journal, which Windows uses to track file changes. Forensics teams use this to figure out what happened. It’s wiped.
  • Renames files to random characters and force-deletes them. Locked files get scheduled for deletion the next time the machine reboots.
  • Fills any remaining free space with junk data to prevent file recovery tools from rescuing anything.
  • Repeats the disk destruction multiple times just to be sure.

When Lotus Wiper finishes, the affected machines aren’t just down. They’re gone. The data isn’t recoverable from the local disk. Restore points are deleted. Shadow copies are deleted. The Windows file system itself has been overwritten and shredded. There is nothing to bring back.

Why a U.S. Small Business Should Care About a Venezuelan Attack

Two reasons.

First, malware doesn’t stay in its country of origin. Code that works in Caracas works in Charlotte. Once a destructive technique is documented and circulating, criminal groups copy it, modify it, and aim it at softer targets. The original Lotus Wiper appears to be politically motivated – tied to regional tensions in the Caribbean. But the playbook is now public. The next group to use a wiper like this may not care about politics at all. They may just want to hurt a business that didn’t pay extortion or that ticked off the wrong person.

Second, every technique Lotus Wiper uses works on any Windows network that hasn’t been hardened against it. The batch scripts that disable defenses use commands any Windows administrator would recognize. The disk-wiping commands are built-in tools that are normally used for legitimate purposes. The attack doesn’t require some exotic zero-day. It requires that the bad guys get a foothold on your network, and that nothing is watching closely enough to stop them before they pull the trigger.

For a small business, that means three layers of defense need to be in place. Each one matters. Each one fails differently when it’s not there.

Layer One: Backups That Survive the Attack

This is where most small businesses are most exposed – and it’s where Lotus Wiper hits hardest.

An external hard drive sitting on the shelf next to the server doesn’t help you if the wiper reaches it. A USB backup that gets plugged in once a week doesn’t help if it’s plugged in when the attack runs. Even a “cloud backup” that uses standard Windows file sharing can be reached and destroyed by malware that’s already inside your network, because to the attacker it just looks like another drive letter to wipe.

What you need is a backup that the malware cannot reach, modify, or delete – even if the attacker has full administrator access to your servers. That means offsite. That means immutable (the backup files cannot be altered or erased once they’re written). And it means tested – because a backup you’ve never restored from is a hope, not a plan.

This is exactly what Pendergrass Consulting Cloud Backup is built for. Your data is backed up offsite to our private cloud infrastructure on a schedule – up to hourly snapshots for businesses that can’t afford to lose a day’s work. The backups are stored in a way that ransomware and wipers cannot reach from your local network. And we test restores so you know recovery actually works before you ever need it.

If a wiper hit your network tomorrow, the question isn’t whether you’d lose data. You would. The question is whether you’d be back up and running by the end of the week – or whether you’d be calling your customers to explain that everything is gone.

Layer Two: Someone Watching the Network

The other thing about Lotus Wiper – and most attacks like it – is that the destruction is the last step. Before the wiper fires, the attackers spend time inside the network. They get in. They look around. They escalate privileges. They map out where the important data lives. They disable defenses. Then they destroy.

Kaspersky’s own report on Lotus Wiper lists the warning signs that show up before the wiper runs: changes to NETLOGON share permissions, mass user account changes, network interfaces being disabled unexpectedly, and unusual use of Windows commands like diskpart, robocopy, and fsutil. Every one of those is a signal that something is wrong – if someone is looking.
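As an added defensive example (not code from this post or from Kaspersky's report), the Python below turns those warning signs into detection rules and runs them over a few constructed process-creation log lines; the one-line "timestamp host user command" export format, the host names and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (assumed SIEM export: timestamp host user command_line).
# FS01 shows the pre-wipe pattern; WS07 is an ordinary user copying files.
SAMPLE_LOG = """\
2026-01-14T02:03:11 FS01 svc-deploy net user jsmith /active:no
2026-01-14T02:03:12 FS01 svc-deploy net user mlopez /active:no
2026-01-14T02:03:12 FS01 svc-deploy net user rdiaz /active:no
2026-01-14T02:03:13 FS01 svc-deploy net user agarcia /active:no
2026-01-14T02:04:40 FS01 svc-deploy netsh interface set interface "Ethernet" admin=disable
2026-01-14T02:05:02 FS01 svc-deploy fsutil usn deletejournal /D C:
2026-01-14T02:05:30 FS01 svc-deploy diskpart /s C:\\Windows\\Temp\\x.txt
2026-01-14T09:15:00 WS07 bob robocopy D:\\Reports \\\\FS01\\share /MIR
2026-01-14T09:20:00 WS07 bob notepad.exe C:\\Users\\bob\\notes.txt
"""

# One rule per signal named in the report: account changes, interfaces going
# down, USN journal clearing, diskpart and robocopy use.
RULES = {
    "account_disabled": re.compile(r"\bnet1?\s+user\b.*/active:no", re.I),
    "interface_disabled": re.compile(r"\bnetsh\b.*\binterface\b.*admin=disable", re.I),
    "usn_journal_cleared": re.compile(r"\bfsutil\b.*\busn\b.*\bdeletejournal\b", re.I),
    "disk_partition_tool": re.compile(r"\bdiskpart\b", re.I),
    "bulk_copy_tool": re.compile(r"\brobocopy\b", re.I),
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(log_text):
    """Split each line into ts/host/user/cmd; skip lines that don't fit the format."""
    return [dict(zip(("ts", "host", "user", "cmd"), m.groups()))
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def match_rules(events):
    """Return (host, rule_name, command) for every event that trips a rule."""
    return [(ev["host"], name, ev["cmd"])
            for ev in events for name, rx in RULES.items() if rx.search(ev["cmd"])]

def mass_account_changes(hits, threshold=3):
    """Hosts where account disables reach the threshold; one disable is routine admin work."""
    counts = Counter(host for host, rule, _ in hits if rule == "account_disabled")
    return {host: n for host, n in counts.items() if n >= threshold}

def pre_wipe_hosts(hits):
    """Hosts with two or more distinct signal types: a single robocopy is a user
    at work, but account changes plus interface or journal tampering is the
    combination the report describes, and deserves an immediate look."""
    by_host = {}
    for host, rule, _ in hits:
        by_host.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= 2}
```

In a real deployment the same rules run against Windows Security event 4688 or Sysmon event 1 command lines, which only exist if command-line auditing is turned on; that setting is the first thing to verify.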

For most small businesses, nobody is looking. The firewall is set-and-forget. The antivirus runs on its own. There’s no one reviewing logs, no one watching for unusual activity, no one to notice that an account that hasn’t logged in for six months suddenly has administrator privileges at 2 a.m. on a Saturday.

That’s the part our cybersecurity service is built around. We monitor what’s happening inside your network, harden the configurations that wipers and ransomware exploit, and catch the early-stage activity that comes before the destructive payload runs. The goal is not just to react after something bad happens. The goal is to never let it get that far.

Layer Three: The People Who Open the Door

Almost every attack like this starts the same way – someone clicked something they shouldn’t have, opened an attachment they didn’t recognize, or handed over a password to a fake login page. Attackers don’t usually pick a lock when they can just convince an employee to open the door.

Phishing emails today are not the obvious “Nigerian prince” scams of fifteen years ago. They look like real messages from real vendors. They reference real projects. Some are AI-generated and customized to your specific industry. The training your team got when they were hired – if they got any at all – is no longer enough.

We provide security awareness training for employees that’s built for small business teams – not enterprise compliance theater. Short sessions, real examples of current scams, simulated phishing tests so employees learn what to watch for in a safe environment, and clear reporting so you know who’s getting it and who needs another round. Trained employees are the cheapest, most effective security control there is – and the one most small businesses skip entirely.

The Honest Bottom Line

You don’t need to be in Venezuela’s energy sector for this story to matter to you. The techniques are public now. The tools are free. The targets – any business with a Windows network and something worth destroying – are everywhere.

The good news is that the defense isn’t complicated, and it doesn’t require an enterprise security budget. It requires three things working together: backups the malware can’t touch, someone watching the network, and employees who know what a phishing email looks like. Any one of those three saves you from most of what’s out there. All three together make you a very hard target.

If you’re not sure where you stand on any of these, that’s the conversation worth having. There’s no charge and no commitment – just a real assessment of where your gaps are and what it would take to close them.

Pendergrass Consulting
Phone: 252-432-3325
Email: Sales@PendergrassConsulting.com
110 S. Massey St., Suite 201, Selma, NC 27576

Pendergrass Consulting is a full-service IT firm based in Selma, NC, serving small businesses across the Research Triangle, Johnston County, and nationally for web, hosting, email, cloud backup, cybersecurity, and digital marketing services.