New CryWiper Data Wiper Malware Posing as Ransomware Targets Russian Courts

A new data wiper called CryWiper, which poses as ransomware, is targeting Russian government agencies, including mayors' offices and courts.

Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko in a write-up said, “Although it disguises itself as a ransomware and extorts money from the victim for ‘decrypting’ data, [it] does not actually encrypt, but purposefully destroys data in the affected system.”

The Russian-language news publication Izvestia also shared details of the attack. The attacks have been attributed to a specific adversarial group as of now.

CryWiper, a C++-based malware, is configured to establish persistence via a scheduled task and communicate with a command-and-control (C2) server to initiate the malicious activity.

The CryWiper malware has the ability to terminate processes related to database and email servers, delete the shadow copies of files, and modify the Windows Registry to prevent RDP connections in a likely attempt to obstruct incident response efforts.

The wiper then corrupts all files except those with the ".exe", ".dll", ".lnk", ".sys", and ".msi" extensions, and skips certain folders, such as C:\Windows, Boot, and tmp, so that the system keeps running.

The fake encryption routine appends the ".CRY" extension to each file name and drops a ransom note, giving the impression of a ransomware program. The ransom note urges victims to pay 0.5 bitcoins to recover access to their files.
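The behaviour described above (scheduled-task persistence, killing database and mail services, deleting shadow copies, blocking RDP through the registry, then mass-renaming files to ".CRY") is the kind of chain a SOC can correlate per host. The following is an added detection example written for this article, not code from Kaspersky or from the malware analysis. The log line format, host names and file paths are constructed, and the assumption that RDP is blocked by setting the fDenyTSConnections registry value is mine; the article only says the registry is modified to prevent RDP connections.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (hypothetical format, not real CryWiper logs):
# "<timestamp>|<host>|<event_type>|<detail>"
SAMPLE_EVENTS = [
    "2022-11-30T09:01:02|SRV-DB01|process|schtasks.exe /create /tn updater /tr C:\\Users\\Public\\svc.exe /sc minute /mo 5",
    "2022-11-30T09:01:05|SRV-DB01|process|taskkill.exe /F /IM sqlservr.exe",
    "2022-11-30T09:01:06|SRV-DB01|process|vssadmin.exe delete shadows /all /quiet",
    # Assumed mechanism for "prevent RDP connections": fDenyTSConnections=1 disables Remote Desktop.
    "2022-11-30T09:01:07|SRV-DB01|registry|HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=1",
    "2022-11-30T09:01:10|SRV-DB01|file_rename|C:\\Data\\report.docx -> C:\\Data\\report.docx.CRY",
    "2022-11-30T09:01:10|SRV-DB01|file_rename|C:\\Data\\budget.xlsx -> C:\\Data\\budget.xlsx.CRY",
    "2022-11-30T09:01:11|SRV-DB01|file_rename|C:\\Data\\cases.db -> C:\\Data\\cases.db.CRY",
    "2022-11-30T09:01:11|SRV-DB01|file_rename|C:\\Data\\scan.pdf -> C:\\Data\\scan.pdf.CRY",
    "2022-11-30T09:01:12|SRV-DB01|file_rename|C:\\Data\\memo.txt -> C:\\Data\\memo.txt.CRY",
    "2022-11-30T09:01:12|SRV-DB01|file_rename|C:\\Data\\photo.jpg -> C:\\Data\\photo.jpg.CRY",
    "2022-11-30T09:30:00|WS-007|process|notepad.exe C:\\Users\\alice\\notes.txt",
    "2022-11-30T09:31:00|WS-007|file_rename|C:\\Users\\alice\\draft.txt -> C:\\Users\\alice\\final.txt",
]

# Each rule: (name, event_type it applies to, pattern over the detail field).
RULES = [
    ("scheduled_task_persistence", "process",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("db_or_mail_service_killed", "process",
     re.compile(r"\btaskkill(\.exe)?\b.*/IM\s+(sqlservr|mysqld|postgres|MSExchange\w*|store)\.exe", re.I)),
    ("shadow_copy_deletion", "process",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("rdp_disabled_via_registry", "registry",
     re.compile(r"fDenyTSConnections=(0x)?0*1$", re.I)),
]

# A rename that ends in ".CRY"; counted per host and compared against a burst threshold
# because a single rename proves nothing, while many in a short window is the wiper's signature.
CRY_RENAME = re.compile(r"->\s+\S+\.CRY$", re.I)
CRY_RENAME_THRESHOLD = 5


def parse_event(line):
    """Split one telemetry line into (timestamp, host, event_type, detail); None if malformed."""
    parts = line.split("|", 3)
    return tuple(parts) if len(parts) == 4 else None


def verdict_for(matched, cry_renames):
    """Escalate only when the rename burst is backed by at least two supporting behaviours."""
    if cry_renames >= CRY_RENAME_THRESHOLD and len(matched) >= 2:
        return "wiper_chain"
    if matched or cry_renames >= CRY_RENAME_THRESHOLD:
        return "suspicious"
    return "clean"


def analyze(lines):
    """Return {host: {"matched": [...rule names...], "cry_renames": n, "verdict": str}}."""
    matched = defaultdict(set)
    renames = defaultdict(int)
    hosts = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        _ts, host, etype, detail = ev
        hosts.add(host)
        if etype == "file_rename" and CRY_RENAME.search(detail):
            renames[host] += 1
        for name, rule_type, pattern in RULES:
            if etype == rule_type and pattern.search(detail):
                matched[host].add(name)
    return {
        h: {"matched": sorted(matched[h]),
            "cry_renames": renames[h],
            "verdict": verdict_for(matched[h], renames[h])}
        for h in sorted(hosts)
    }


if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {result['verdict']} "
              f"(renames={result['cry_renames']}, rules={', '.join(result['matched']) or 'none'})")
```

Because the wiper overwrites file contents rather than encrypting them, a "wiper_chain" verdict should trigger isolation of the host and a restore from offline backups; there is nothing to decrypt, and the shadow-copy deletion means local recovery points are gone as well.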

“The sudden activity of CryWiper and the payment of a ransom does not mean that files will be recovered,” researchers said, citing the malware’s “deliberate destruction of file contents.”

CryWiper is the second known wiper that was created to retaliate against Russia after RURansom, a .NET-based wiper targeted at entities in the country.

Ukraine has been the target of multiple wipers deployed by Russia, which have included WhisperGate, HermeticWiper, AcidRain, IsaacWiper, and CaddyWiper.

Attacks using wiping malware can be quite successful regardless of the attacker's technical skill: even a simple wiper can cause havoc on affected systems, according to Trellix researcher Max Kersten in his analysis earlier this month.

“There is no need for sophistication to create a form of malware,” says Tim Burleigh, a malicious code expert and managing director at cyber security firm Lookout. “The return on investment is not great but with a wave of Wipers hitting the internet, it is enough to cause panic among businesses.”
