
CryWiper: Wiper Hidden in Disguise of Ransomware Targets Russian Federation

Attackers often try to hide their tracks and true intentions in order to pull off a cyberattack. Kaspersky researchers have found a new piece of data-wiping malware, named CryWiper, that targets mayor's offices and courts in Russia by posing as ransomware.

About CryWiper

CryWiper is a 64-bit Windows executable that is developed in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler.
  • Upon execution, the file creates scheduled tasks that run its own executable every five minutes on the compromised machine. It then contacts a C2 server with an HTTP GET request, passing the name of the infected computer as a parameter.
  • The C2 responds with either a “run” or a “do not run” command, which determines whether the wiper starts its malicious activity immediately or stays dormant.
  • When a “do not run” response is received, the wiper sleeps, usually for around 4 days, before executing again.

A ‘catch’ with the ransom demand

According to Kaspersky researchers, CryWiper masquerades as ransomware and demands a ransom of 0.5 Bitcoin (approximately $8,000) in exchange for a decryptor. However, it deliberately destroys the contents of files on the affected system, which makes the data non-recoverable.

Wiping the data

CryWiper terminates processes belonging to MySQL and MS SQL database servers, MS Exchange mail servers, and MS Active Directory web services so that the files those processes hold locked can be destroyed.
  • It also deletes shadow copies to prevent easy restoration of the wiped files, and it modifies the Windows Registry to block RDP connections to the system, hindering intervention and incident response by security and IT staff.
  • It overwrites user files with pseudo-random data produced by the Mersenne Vortex generator, destroying their contents, and appends a .CRY extension to the corrupted files.
  • It skips files with the .exe, .dll, .lnk, .sys, .msi, and .CRY extensions, as well as files located in specific directories such as C:\Windows, tmp, wins, temp, thumb, System Volume Information, Boot, Windows, and Trend Micro.
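The behaviours described in the two sections above (a scheduled task repeating every five minutes, a GET beacon carrying the computer name, shadow copy deletion, an RDP-blocking registry change, and a burst of .CRY renames that respects the published skip rules) translate directly into endpoint detections. The script below is an added example for this article, not Kaspersky's or Cyware's code: it runs a simple triage over a constructed, simplified telemetry format (one dict per event, with assumed field names rather than a real EDR schema), and its `would_be_targeted` helper applies the skip list so responders can scope which files on a host were in reach. The C2 hostname is a placeholder, the rename threshold is an assumed tuning value, and the specific registry value checked (fDenyTSConnections under Terminal Server) is an assumption, since the article only says the registry is changed to block RDP.

```python
"""Behavioural triage for CryWiper-style activity in endpoint telemetry.

Added example for this article; it is not Kaspersky's or Cyware's code.
The event records below are a constructed, simplified telemetry format
(one dict per event); the field names are assumptions, not a real EDR schema.
"""
from collections import Counter
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlparse

# Skip rules reported for CryWiper: these files are left untouched.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi", ".cry"}
SKIPPED_DIR_NAMES = {"windows", "tmp", "wins", "temp", "thumb",
                     "system volume information", "boot", "trend micro"}
RENAME_BURST_THRESHOLD = 20  # assumed tuning value for alerting on a rename burst


def would_be_targeted(path: str) -> bool:
    """True if a file lies outside the published skip rules (useful for scoping impact)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    # C:\Windows is covered by the generic "windows" directory name; any
    # directory component of the path is matched, case-insensitively.
    return not any(part.lower() in SKIPPED_DIR_NAMES for part in p.parts[:-1])


def triage(events: list) -> list:
    """Return human-readable alerts for the behaviours described in the article."""
    alerts = []
    cry_renames = Counter()  # host -> number of in-scope files renamed to .CRY
    for e in events:
        kind = e["type"]
        if kind == "task_create" and e.get("interval_minutes") == 5:
            alerts.append(f"{e['host']}: task '{e['task']}' repeats every 5 min, runs {e['image']}")
        elif kind == "http_request" and e.get("method") == "GET":
            url = urlparse(e["url"])
            values = [v.lower() for vals in parse_qs(url.query).values() for v in vals]
            if e["host"].lower() in values:  # computer name passed as a query parameter
                alerts.append(f"{e['host']}: GET beacon to {url.hostname} carries the computer name")
        elif kind == "process_create":
            cmd = e["cmdline"].lower()
            if ("vssadmin" in cmd and "delete shadows" in cmd) or \
               ("wmic" in cmd and "shadowcopy delete" in cmd):
                alerts.append(f"{e['host']}: shadow copy deletion: {e['cmdline']}")
        elif kind == "registry_set":
            # Assumption: fDenyTSConnections=1 under Terminal Server is the usual RDP switch.
            if (e["key"].lower().endswith("\\terminal server")
                    and e["value"].lower() == "fdenytsconnections" and e["data"] == 1):
                alerts.append(f"{e['host']}: RDP disabled via registry by {e['image']}")
        elif kind == "file_rename":
            if e["new_path"].lower().endswith(".cry") and would_be_targeted(e["old_path"]):
                cry_renames[e["host"]] += 1
    for host, n in cry_renames.items():
        if n >= RENAME_BURST_THRESHOLD:
            alerts.append(f"{host}: {n} files renamed with a .CRY extension")
    return alerts


# Constructed sample telemetry for one host; the C2 hostname is a placeholder.
HOST = "WS-042"
SAMPLE_EVENTS = [
    {"type": "task_create", "host": HOST, "task": "Updater",
     "interval_minutes": 5, "image": r"C:\Users\Public\svc.exe"},
    {"type": "http_request", "host": HOST, "method": "GET",
     "url": f"http://c2.example.invalid/?pc={HOST}"},
    {"type": "http_request", "host": HOST, "method": "GET",
     "url": "http://updates.example.invalid/check?v=1.2"},   # benign: no hostname
    {"type": "process_create", "host": HOST,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_set", "host": HOST, "image": r"C:\Users\Public\svc.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 1},
    {"type": "file_rename", "host": HOST,                     # benign rename
     "old_path": r"C:\Users\alice\notes.txt", "new_path": r"C:\Users\alice\notes.bak"},
]
# 25 in-scope documents plus 3 files under C:\Windows (skipped by the rules) renamed to .CRY.
SAMPLE_EVENTS += [
    {"type": "file_rename", "host": HOST,
     "old_path": rf"C:\Users\alice\Documents\doc{i}.docx",
     "new_path": rf"C:\Users\alice\Documents\doc{i}.docx.CRY"} for i in range(25)]
SAMPLE_EVENTS += [
    {"type": "file_rename", "host": HOST,
     "old_path": rf"C:\Windows\Temp\log{i}.txt",
     "new_path": rf"C:\Windows\Temp\log{i}.txt.CRY"} for i in range(3)]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

On the sample telemetry the script raises five alerts: the five-minute task, the beacon, the shadow copy deletion, the RDP registry change, and a burst of 25 .CRY renames (the three renames under C:\Windows are ignored because the skip rules would have excluded them). A five-minute task on its own is a weak signal, since many legitimate maintenance tasks use the same interval, so in practice these detections are best correlated per host rather than treated as independent alerts.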

Conclusion

CryWiper presents itself as ransomware, but it functions as a data wiper. It is a standing example that paying a ransom does not guarantee the recovery of files. Real-time threat detection, regular penetration testing, and regular backups can significantly reduce an organization's exposure to such attacks.
Cyware Publisher