CryWiper data wiper targets Russian courts and mayors' offices

Although it looks like ransomware, the threat actually destroys the data on a target system.

Threat actors use new CryWiper data wiper to target Russian courts and mayors' offices

Threat actors are using new malware to attack Russian courts and mayoral offices, with the intention of completely erasing the data on affected computers.

The new wiper, first uncovered by Kaspersky, initially looks like ransomware. The researchers named it CryWiper because it appends the .CRY extension to the files it corrupts.

"In the fall of 2022, our solutions detected attempts by a previously unknown Trojan, which we named CryWiper, to attack an organisation's network in the Russian Federation," Kaspersky said in its new report.

Russian news website Izvestia reports that the malware has been used in attacks on Russian mayors' offices and courts.

CryWiper is a Windows executable written in C++. The malware file is named "browserupdate.exe" and calls several WinAPI functions to carry out its work.

Once it has successfully infected a system, it corrupts files and appends the extension .CRY to each filename.

It generates a README.txt file with a ransom note, which includes the infection ID, Bitcoin wallet address and contact e-mail address for the malware's makers.

The ransom message demands 0.5 Bitcoin, or around $8,000, for data decryption. Unfortunately for victims this is a false promise: the data has been overwritten rather than encrypted, so there is nothing to decrypt and the corrupted files cannot be recovered.

We have previously seen malware strains that unintentionally turned into wipers, usually because their authors implemented the encryption badly (losing keys or using a non-invertible transform). That is not the case with CryWiper, however.

According to Kaspersky, CryWiper's data destruction is a deliberate design choice. The Trojan overwrites files with pseudo-randomly generated data rather than encrypting them.

CryWiper's corruption routine is based on Mersenne Twister, a pseudorandom number generator. IsaacWiper uses the same generator, although researchers found no further link between the two strains.
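The difference between "badly implemented encryption" and "overwrite with PRNG output" decides whether a victim can ever get files back, so it is worth seeing in code. The following is an added example, not code from Kaspersky's report or from the CryWiper sample. It models both transforms as pure functions on bytes in memory (it never touches disk); CPython's random.Random is a Mersenne Twister (MT19937), the same generator family the article names. The seed value and the sample document are constructed for the demonstration.

```python
"""Overwrite-with-PRNG versus keystream encryption: why .CRY files are unrecoverable.

Added example; not code from Kaspersky or from the CryWiper sample. CPython's
random.Random is a Mersenne Twister (MT19937), the PRNG family the article names.
The seed, the sample document and the in-memory 'file' are constructed, and the
wiper is modelled as a pure function on bytes, never touching disk.
"""
import random


def mt_stream(seed: int, length: int) -> bytes:
    """Deterministic byte stream from a Mersenne Twister seeded with `seed`."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def encrypt_xor(plaintext: bytes, seed: int) -> bytes:
    """Ransomware-style transform: output = plaintext XOR keystream.
    Every plaintext bit survives (only masked), so the seed acts as a key."""
    return bytes(p ^ k for p, k in zip(plaintext, mt_stream(seed, len(plaintext))))


def wipe_overwrite(plaintext: bytes, seed: int) -> bytes:
    """Wiper-style transform as the article describes: the file's bytes are
    replaced by PRNG output. The plaintext contributes nothing to the result."""
    return mt_stream(seed, len(plaintext))


def attempt_recovery(blob: bytes, seed: int) -> bytes:
    """What a victim (or the attacker) can do with the correct seed: XOR the
    keystream back off. Inverts encrypt_xor; turns a wiped blob into zeros."""
    return bytes(b ^ k for b, k in zip(blob, mt_stream(seed, len(blob))))


def compare(doc: bytes, seed: int = 20221201) -> dict:
    """Run both transforms on `doc` and report what knowing the seed buys you."""
    enc = encrypt_xor(doc, seed)
    wiped = wipe_overwrite(doc, seed)
    other = wipe_overwrite(b"x" * len(doc), seed)  # an unrelated document of the same length
    return {
        "encrypted_recovers": attempt_recovery(enc, seed) == doc,
        "wiped_recovers": attempt_recovery(wiped, seed) == doc,
        "wiped_is_input_independent": wiped == other,  # identical output for any input
        "recovered_from_wiped": attempt_recovery(wiped, seed),
    }


if __name__ == "__main__":
    sample = b"Quarterly ledger: total 1,204,330.17 RUB; signed by the clerk."  # constructed
    for key, value in compare(sample).items():
        print(f"{key}: {value!r}")
```

The point the dictionary makes: with the XOR transform, the correct seed restores the document, which is why flawed ransomware families have sometimes been decryptable after the fact. With the overwrite, two different documents of the same length produce byte-identical .CRY files, and "recovering" with the right seed yields only zero bytes. No weakness in Mersenne Twister (it is not a cryptographic generator) changes that outcome, because the original bytes were never an input to the transform. The only remaining recovery paths are backups and shadow copies, which is exactly what the malware attacks next.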

CryWiper corrupts any data that is not essential to the functioning of the operating system. It leaves files with the .dll, .exe, .msi and .sys extensions alone and does not touch anything under the C:\Windows directory; its main targets are databases, documents and archives. To block recovery, it also deletes the shadow copies on the C: drive.

The malware can create a scheduled task that re-runs the wiper every five minutes. It also sends the name of the targeted device to a command-and-control (C2) server and waits for a command before beginning the attack.

Additionally, CryWiper stops the processes of Active Directory services, Exchange mail servers, SQL databases and MySQL servers, presumably so that their data files are no longer locked and can be overwritten. It also disables Remote Desktop Protocol (RDP) access, probably to make incident responders' jobs harder.
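The behaviours above (a fixed file name, a burst of renames to .CRY, a README.txt drop, a five-minute recurring task, stopped directory and database services, RDP switched off) are all observable on the endpoint, and together they make a reasonable hunting signature. What follows is an added example, not code from Kaspersky or from the malware. It runs over a constructed list of endpoint events in a deliberately simplified (host, kind, detail) record shape rather than any vendor's telemetry schema. The rename threshold, the service-name prefixes, the PT5M task interval and the fDenyTSConnections registry value are assumptions: the article says RDP is disabled and services are stopped but does not say how.

```python
"""Hunting heuristics for the CryWiper behaviours described in the article.

Added example; not code from Kaspersky or from the malware. It runs over a
constructed list of endpoint events in a made-up, simplified record shape
(host, kind, detail), not any vendor's telemetry schema. The rename threshold,
the service-name prefixes and the RDP registry value are assumptions: the
article says RDP is disabled and services are stopped but not how.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

RENAME_THRESHOLD = 20  # assumption: burst size that separates a wiper from a user renaming files
# Illustrative Windows service-name prefixes for the roles the article lists
# (Active Directory, Exchange, SQL Server, MySQL); adjust to your own estate.
SENSITIVE_SERVICES = ("NTDS", "MSExchange", "MSSQL", "MySQL")


@dataclass(frozen=True)
class Event:
    host: str
    kind: str    # process_start | file_rename | file_create | task_create | service_stop | registry_set
    detail: str  # image path, new file path, task repeat interval, service name, or "value=data"


def find_indicators(events):
    """Return {host: [indicator, ...]} for hosts showing any CryWiper-like behaviour."""
    hits = defaultdict(list)
    cry_renames = Counter()
    for e in events:
        d = e.detail
        if e.kind == "process_start" and d.lower().endswith("\\browserupdate.exe"):
            hits[e.host].append(f"process started from known CryWiper file name: {d}")
        elif e.kind == "file_rename" and d.lower().endswith(".cry"):
            cry_renames[e.host] += 1  # counted here, reported only above the threshold
        elif e.kind == "file_create" and d.lower().endswith("\\readme.txt"):
            hits[e.host].append(f"ransom-note style file dropped: {d}")
        elif e.kind == "task_create" and "PT5M" in d:  # ISO 8601 interval as used in Task Scheduler XML
            hits[e.host].append(f"scheduled task repeating every five minutes: {d}")
        elif e.kind == "service_stop" and d.startswith(SENSITIVE_SERVICES):
            hits[e.host].append(f"directory/mail/database service stopped: {d}")
        elif e.kind == "registry_set" and d == "fDenyTSConnections=1":  # assumed RDP-disable mechanism
            hits[e.host].append("RDP connections disabled via fDenyTSConnections=1")
    for host, n in cry_renames.items():
        if n >= RENAME_THRESHOLD:
            hits[host].append(f"{n} files renamed to .CRY")
    return dict(hits)


def sample_events():
    """Constructed telemetry: one compromised file server and one quiet workstation."""
    fs = [
        Event("fs01", "process_start", r"C:\Users\Public\browserupdate.exe"),
        Event("fs01", "task_create", "Repetition/Interval=PT5M"),
        Event("fs01", "service_stop", "MSSQLSERVER"),
        Event("fs01", "service_stop", "NTDS"),
        Event("fs01", "registry_set", "fDenyTSConnections=1"),
        Event("fs01", "file_create", r"D:\Shares\Finance\README.txt"),
    ]
    fs += [Event("fs01", "file_rename", rf"D:\Shares\Finance\report{i}.docx.CRY") for i in range(25)]
    ws = [
        Event("ws07", "file_rename", r"C:\Users\alice\notes.CRY"),  # a single rename is not a burst
        Event("ws07", "process_start", r"C:\Program Files\Vendor\updater.exe"),
    ]
    return fs + ws


if __name__ == "__main__":
    for host, indicators in find_indicators(sample_events()).items():
        print(host)
        for indicator in indicators:
            print("  -", indicator)
```

A single indicator such as a README.txt being written is weak on its own; the value is in the combination on one host within a short window, so in a real pipeline these entries would feed a per-host score with time bucketing rather than firing individually. The five-minute task and the RDP change are also worth alerting on before any .CRY files appear, since the article notes the wiper waits for a C2 command before it starts overwriting.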

According to Kaspersky, CryWiper does not appear to be related to any of the wiper families that emerged earlier in 2022, such as DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain and Industroyer2.

Kaspersky advises carefully controlling remote-access connections into your infrastructure, including those arriving from public networks.

Additionally, organisations should run security software with active malware protection, which can detect and remove dangerous programmes before they have a chance to do any harm.