This post is also available in: heעברית (Hebrew)

The version of destructive computer virus Shamoon was being employed to attack computers in Saudi Arabia and other regions in mid-November, as revealed by US Security firms. International sources recently reported that four years ago the same virus attack had caused damage to tens of thousands of computers at Middle Eastern energy companies.

CrowdStrike, Palo Alto Networks Inc and Symantec Corp. warned of the new attacks not long ago but didn’t name any victims of the new version of Shamoon, which disables computers by wiping their master boot records that they use for start up. However, the firms did not disclose the extent of damage caused nor identified the hackers.

FireEye said in a blogpost that its unit “has responded to multiple incidents at other organizations in the region.” A spokesman refused to identify the countries or organisations.

The reappearance of Shamoon is significant as there have only been a handful of other high-profile attacks involving disk-wiping malware, including ones in 2014 on Sheldon Adelson’s Las Vegas Sands Corp. and Sony Corp’s Hollywood studio.

According to defenseworld.net, governments and businesses pay close attention to such cases because it can be time-consuming and expensive to restore infected systems.

This time around, the recent hackers also left a calling card. It was a disturbing image of the body of three year-old Syrian refugee Alan Kurdi, who drowned in the Mediterranean last year, researchers said.

The FireEye spokesman said the malware contains traces which suggest the attackers may have previously conducted intrusions to gather the necessary logins and passwords before later embedding them into the malware for the destructive attack.

In 2012, the Shamoon hackers had dropped images of a burning US flag on machines at Saudi Aramco and RasGas Co Ltd. The attacks were likely conducted by hackers working on behalf of the Iranian government, said CrowdStrike Chief Technology Officer Dmitri Alperovitch. However, it is too early to say whether the same group was behind Shamoon 2, he said.

The motive of the recent attack wave was unclear. “Why Shamoon has suddenly returned again after four years is unknown,” the Symantec Security Response team said on its blog.

“However, with its highly destructive capabilities, it’s clear that the attackers want their targets to sit up and take notice” the team added. The malware  was timely triggered to begin after staff left for the weekend to decrease the chances of discovery and allow maximum damage.

“The malware had potentially the entire weekend to spread,” Palo Alto researcher Robert Falcone said in a blog post.

The motive of the recent attack wave was unclear. “Why Shamoon has suddenly returned again after four years is unknown,” the Symantec Security Response team said on its blog.

“However, with its highly destructive capabilities, it’s clear that the attackers want their targets to sit up and take notice” the team added. The malware  was timely triggered to begin after staff left for the weekend to decrease the chances of discovery and allow maximum damage.