CryWiper, a new data eraser malware, has been discovered targeting Russian government agencies, such as the mayor’s offices and courts.
“Although it masquerades as ransomware and extorts money from the victim for ‘decrypting’ data, [it] does not actually encrypt, but instead destroys data in the affected system,” wrote Fedor Sinitsyn and Janis Zinchenko of Kaspersky Lab in a report.
Izvestia, a Russian-language news publication, divulged additional information about the attacks. The intrusions have not yet been attributed to a particular hostile group.
CryWiper, a C++-based malware, is programmed to establish persistence via a scheduled task and to communicate with a command-and-control (C2) server to initiate malicious activity.
In an attempt to obstruct incident response efforts, in addition to terminating processes related to database and email servers, the malware is equipped to delete shadow copies of files and modify the Windows Registry to prevent RDP connections.
As a final step, the wiper corrupts all files except those with the “.exe,” “.dll,” “.lnk,” “.sys,” and “.msi” extensions, and skips specific directories such as C:\Windows, Boot, and tmp, since corrupting those would render the system inoperable.
The files overwritten with garbage data are appended with the extension “.CRY,” and a ransom note is then dropped to give the impression that it is a ransomware program, demanding that the victim pay 0.5 Bitcoin to regain access.
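An impact-triage helper for the behaviour described above, added here as an example and not code from the article or from Kaspersky: it applies the extension and directory exclusions to a directory listing and separates files already carrying the appended “.CRY” extension from in-scope files that were not overwritten. It assumes “link” means the “.lnk” extension and that “Boot” and “tmp” match as any path component.

```python
"""Triage a file listing after a CryWiper-style incident (added example).
Splits paths into: wiped (already renamed with .CRY), exposed (in scope but
not yet overwritten) and excluded (the wiper leaves them alone)."""
import ntpath

# Extensions the article says the wiper does not touch ("link" read as .lnk).
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
WIPED_SUFFIX = ".cry"   # extension appended to overwritten files


def is_excluded(path: str) -> bool:
    """True if the wiper, as described, would leave this file alone.
    Assumption: C:\\Windows is matched at the drive root, while Boot and tmp
    are matched as any directory component; all comparisons are case-insensitive."""
    drive, tail = ntpath.splitdrive(path)
    parts = [p.lower() for p in tail.split("\\") if p]
    if not parts:
        return False
    dirs, name = parts[:-1], parts[-1]
    if drive.lower() == "c:" and dirs[:1] == ["windows"]:
        return True
    if any(d in {"boot", "tmp"} for d in dirs):
        return True
    return ntpath.splitext(name)[1] in SKIPPED_EXTENSIONS


def triage(listing):
    """Classify each path; .CRY files count as wiped regardless of location."""
    result = {"wiped": [], "exposed": [], "excluded": []}
    for path in listing:
        if ntpath.basename(path).lower().endswith(WIPED_SUFFIX):
            result["wiped"].append(path)
        elif is_excluded(path):
            result["excluded"].append(path)
        else:
            result["exposed"].append(path)
    return result


# Constructed sample listing; not data from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\clerk\Documents\case_2022-11.docx.CRY",
    r"C:\Users\clerk\Documents\README.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\App\app.exe",
    r"C:\Program Files\App\config.ini",
    r"D:\Backups\db.bak.CRY",
    r"D:\Boot\bootmgr",
    r"C:\tmp\scratch.log",
    r"C:\Users\clerk\Desktop\shortcut.lnk",
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LISTING).items():
        print(f"{bucket}: {len(paths)}")
```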
“The activity of CryWiper demonstrates once again that paying the ransom does not guarantee the recovery of files,” researchers stated, adding that the malware “deliberately destroys the contents of files.”
CryWiper is the second retaliatory wiper malware strain targeting Russia, following RURansom, a .NET-based wiper discovered in March targeting entities in the country.
The ongoing conflict between Russia and Ukraine has resulted in the deployment of multiple wipers, including WhisperGate, HermeticWiper, AcidRain, IsaacWiper, CaddyWiper, Industroyer2, and DoubleZero, among many others.
“Wipers can be effective regardless of the technical expertise of the attacker, as even the most basic wiper can wreak havoc on affected systems,” Trellix researcher Max Kersten said last month in an analysis of destructive malware.
“In comparison to complex espionage backdoors and the frequently used vulnerabilities that accompany them, the amount of time needed to create this type of malware is minimal. In such cases, the return on investment need not be high, as it is unlikely that a few wipers will cause that much damage.”