CryWiper Masquerading as Ransomware to Target Russian Courts

Threat actors are targeting Russian Mayors’ courts and offices with a new malware called CryWiper that appears as ransomware. In reality, it’s a wiper that can destroy all the data on an infected system permanently.

This reminds us of Microsoft’s report in January 2022 in which a “destructive malware” was faking ransomware infection to target Ukrainian tech organizations, government agencies, and non-profit organizations.

Campaign Analysis

Cybersecurity firm Kaspersky and the Izvestia news service’s researchers have revealed startling details of how a new wave of attack has surfaced involving a brand-new trojan. It showcases ransomware-like features such as file modification, adding .CRY extension to the files and saving a README.txt file and a ransom note.

The note contains a bitcoin wallet address, the infection ID, and the email ID of the malware creators. However, these are deceptive measures employed by the attackers because CryWiper isn’t ransomware but a wiper, which is why researchers dubbed it CryWiper.

CryWiper Masquerading as Ransomware to Target Russian Courts — CryWiper ransom note (Image: Kaspersky)

The files, according to researchers, it modifies cannot be restored to their previous/original state. So, it is pointless even to consider paying the ransom.

Pinpoint Targets

In their report, Kaspersky researchers noted that CryWiper launches ‘pinpoint attacks’ on targets based in Russian Federation, whereas Izvestia noted that the targets are mayors’ courts and offices in Russia.

Reportedly, this wiper corrupts any data that isn’t essential for the operating systems’ functioning. Such as it doesn’t modify files with extensions .dll, .exe, .msi, or .sys. Kaspersky discovered the attacks in the past few months.

Moreover, it avoids affecting various system folders stored in the C:Windows directory. That’s because its main targets are user documents, archives, and databases.

Why CryWiper Leaves a Ransom Note?

Izvestia identified that after infecting a system successfully, CryWiper left a note demanding 0.5 bitcoin and a wallet address to transfer funds. Kaspersky researchers explained that although it extorts money from its targets for data decryption, it doesn’t encrypt data but destroys its completely. They further observed that this wasn’t a mistake but the developer’s original intention.

How does it Work?

CryWiper resembles IsaacWiper, using the same algorithms to generate pseudo-random numbers for directly corrupting targeted files and overwriting data. In this instance, the wiper directly rewrites the file contents replacing the original with garbage.

Then, It creates a task in the Task Scheduler to restart the wiper every 5 minutes. CryWiper can also send the targeted device’s name to a C2 server and wait for a command from the server to start the attack.

Furthermore, CryWiper halts processes of MS SQL databases and MySQL servers, MS Active Directory web services, and MS Exchange mail servers. It deletes shadow copies of documents on the C: drive only to prevent their restoration. It also disables the infected system’s connection through RDP remote access protocol, probably to complicate the job of incident response teams.

Protection from ransomware and Wipers

To protect yourself or your business from ransomware and data wipers, the first step in protecting yourself from data wipers is to back up your files regularly. This will allow you to restore any lost or damaged data if it does become compromised.

Kaspersky recommends carefully controlling remote access connections to your infrastructure including public networks. You should also use antivirus software with active malware protection, which will help detect and remove any malicious programs before they can cause damage.

Additionally, you should set up strong passwords for all accounts associated with sensitive data and check for suspicious activity on them regularly.