A previously undocumented data wiper named CryWiper masquerades as ransomware but in reality destroys data beyond recovery; it has been used in attacks against Russian mayor’s offices and courts.
CryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian organization.
“In the fall of 2022, our solutions detected attempts by a previously unknown Trojan, which we named CryWiper, to attack an organization’s network in the Russian Federation,” explains the new report by Kaspersky.
However, a report by Russian media says that the malware was used in attacks against Russian mayor’s offices and courts.
As the code analysis reveals, the data-wiping function of CryWiper isn’t a mistake but a purposeful tactic to destroy targets’ data.
Wiping the victim’s data
CryWiper is a 64-bit Windows executable named ‘browserupdate.exe’ written in C++, configured to abuse many WinAPI function calls.
Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.
Next, it contacts a command and control server (C2) with the name of the victim’s machine. The C2 responds with either a “run” or “do not run” command, determining whether the wiper will activate or stay dormant.
Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection.
CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.
Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files.
CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists.
Finally, the wiper will corrupt all enumerated files except for “.exe”, “.dll”, “.lnk”, “.sys”, “.msi”, and its own “.CRY”, while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable.
The algorithm for corrupting the files is based on “Mersenne Twister,” a pseudorandom number generator. This is the same algorithm used by IsaacWiper, but the researchers established no further connection between the two families.
After this step, CryWiper will generate ransom notes named ‘README.txt,’ asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.
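For incident responders scoping a CryWiper infection, the file-selection rules described above determine which files on a disk image are worth recovering and which are already lost. The following is an added triage helper, not code from the Kaspersky report or from the malware; it assumes the directory skip applies to any path component named System, Windows or Boot, that “.CRY” marks an already-corrupted file, and that README.txt is the ransom note, and the sample file listing is constructed.

```python
from pathlib import PureWindowsPath

# Selection rules as summarised in the write-up above.
SPARED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi", ".cry"}
SKIPPED_DIRS = {"system", "windows", "boot"}  # assumption: any path component
RANSOM_NOTE = "readme.txt"


def classify(path: str) -> str:
    """Return how CryWiper's selection logic would have treated one file.

    Paths are Windows-style strings; all comparisons are case-insensitive.
    Outcomes: ransom-note, skipped-dir, wiper-artifact, spared-ext,
    possibly-corrupted (the last group is unrecoverable per the report).
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    suffix = p.suffix.lower()
    # Directory components only (drop the drive anchor and the filename).
    dirs = [part.lower() for part in p.parent.parts if part != p.anchor]
    if name == RANSOM_NOTE:
        return "ransom-note"          # dropped after wiping; intact
    if any(d in SKIPPED_DIRS for d in dirs):
        return "skipped-dir"          # left alone to keep the OS bootable
    if suffix == ".cry":
        return "wiper-artifact"       # already corrupted and renamed
    if suffix in SPARED_EXTENSIONS:
        return "spared-ext"           # executables etc. are not touched
    return "possibly-corrupted"       # everything else was in scope


def triage(paths):
    """Group a file listing (e.g. from a mounted image) by expected outcome."""
    groups = {}
    for path in paths:
        groups.setdefault(classify(path), []).append(path)
    return groups


if __name__ == "__main__":
    # Constructed sample listing, not real victim data.
    sample = [
        r"C:\Users\ivan\Documents\report.docx",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Program Files\App\app.exe",
        r"C:\Users\ivan\Desktop\README.txt",
        r"D:\share\budget.xlsx.CRY",
        r"C:\Boot\BCD",
    ]
    for outcome, files in sorted(triage(sample).items()):
        print(f"{outcome}: {files}")
```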
Even though CryWiper is not ransomware in the typical sense, it can still cause severe data destruction and business interruption.
Update 11/2/2: Added further information about CryWiper targets (h/t Risky Biz).