Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Ransomware

Fresh CryWiper Wiper Malware Aims to Destroy Russian Data

Fake Ransomware Isn't First Wiper to Target Windows Systems in Russia for Deletion
Fresh CryWiper Wiper Malware Aims to Destroy Russian Data
CryWiper ransom note (Source: Kaspersky)

Russian computer networks are being stalked by a new Trojan that purports to be ransomware but is really designed to wipe systems and leave them unrecoverable.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The malware has been dubbed CryWiper by Moscow-based cybersecurity firm Kaspersky, which says it recently spotted the malicious code in the wild.

"At the first glance, this malware looks like ransomware: it modifies files, adds a .cry extension to them - unique to CryWiper, and saves a README.txt file with a ransom note, which contains the bitcoin wallet address, the contact email address of the malware creators and the infection ID," it reports.

But the whole thing is a ruse, since "a file modified by CryWiper cannot be restored to its original state - ever," it says. "So if you see a ransom note and your files have a new .CRY extension, don't hurry to pay the ransom: it's pointless."

Russian daily newspaper Izvestia reports that systems at "mayor's offices and courts" are among the organizations that have been infected with the fake ransomware, which demands 0.5 bitcoins - $8,050 - for a decryption key.

"Wipers are especially dangerous, as it is often impossible to restore the operability of the compromised infrastructure," says Oleg Skulkin, head of digital forensics and incident response team at Singapore-based cybersecurity firm Group-IB. "The attackers often do not have financial reward as their modus operandi, meaning that their core motivation is not to have the victim pay a ransom to restore their files."

CryWiper is the latest in a long line of new wipers that have debuted in the lead-up to and following Russia's military invasion of Ukraine on Feb. 24.

"The emergence of another wiper, disguised as a ransomware program, is not a surprise," Skulkin says.

Nor is this the first wiper malware to be seen targeting Russia. Days after Russia invaded, for example, security researcher group MalwareHunterTeam reported seeing multiple versions of Russia-targeting malware called RURansom in the wild. It said the malware was designed to verify that an infected system had a Russian IP address before allowing the payload to trigger.

CryWiper Wipes Windows in Russia

CryWiper is a 64-bit executable file for the Windows operating system.

"After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for 'decrypting' data, does not actually encrypt, but purposefully destroys data in the affected system," Kaspersky researchers Fedor Sinitsyn and Yanis Zinchenko say in a blog post. "Moreover, an analysis of the Trojan's program code showed that this was not a developer's mistake, but his original intention."

Specifically, the Trojan is designed to overwrite most files with "pseudo-randomly generated data."

It is designed to encrypt files types that are not required to run the OS. "The malware focuses on databases, archives, and user documents," Kaspersky reports.

CryWiper includes a number of capabilities, Kaspersky reports:

  • Uses Task Scheduler to launch the wiper every 5 minutes;
  • Relays the name of an infected system to a command-and-control server and must receive a command to proceed before it begins wiping the infected system;
  • Halts multiple database, Exchange server and Active Directory web services, "otherwise access to some files would be blocked and it would be impossible to corrupt them";
  • Deletes shadow copies of files on the "C" drive to make recovery more difficult;
  • Disables remote connections to the system via Remote Desktop Protocol, although the purpose of this "isn't entirely clear" but may be designed to force incident response teams to have to gain physical access to remediate infected systems.

Multiple Wipers Seen This Year

Before this year, wiper malware remained relatively rare but nevertheless could be extremely damaging. Take NotPetya, a wiper attributed by Western intelligence agencies to Russian military intelligence that was used to target Ukraine in 2017. The fake ransomware spread out of control, ultimately causing an estimated $10 billion in commercial damage worldwide.

In the past year, "attacks of this sort erupted with renewed vigor," Skulkin says. Variants were fielded by groups tied to or affiliated with both Russia and Ukraine (see: Cybersecurity Picture Inside Russia Grows More Complicated).

"Ukrainian organizations were targeted with, for example, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero, while hacktivists regularly targeted Russian organizations with ransomware based on Conti and LockBit source codes that were leaked into the public space, along with legitimate tools such as BitLocker and DiskCryptor," he says.

With the Russia-Ukraine war now in its ninth month and no peace talks in sight, it's likely that more new wipers will be spotted in the wild.

Translated note dropped by RURansom wiper malware, which only targets systems in Russia (Source: Trend Micro)

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.