Companies infected with purported ransomware may no longer have an option to pay a ransom.
A new malicious program acts exactly like crypto-ransomware — overwriting and renaming files, then dropping a text file with a ransom note and a Bitcoin address for payment — but the program instead deletes the contents of a victim’s files. The program, CryWiper, currently targets Russian organizations but could easily be used against companies and organizations in other nations, according to cybersecurity firm Kaspersky, which analyzed the program.
The camouflaged wiper program continues a trend in ransomware being used — intentionally or inadvertently — as a wiper, the company’s researchers stated in the analysis.
“In the past, we’ve seen some malware strains that became wipers by accident — due to mistakes of their creators who poorly implemented encryption algorithms,” the researchers wrote. “However, this time it’s not the case: our experts are confident that the main goal of the attackers is not financial gain, but destroying data. The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.”
Malware that deletes critical data, referred to as wipers, have become a significant threat for both the private and the public sector. Wipers have been used by Russian agencies in the conflict with Ukraine in an attempt to disrupt the country’s critical services and their defensive coordination. A decade ago, Iran used the Shamoon wiper program to encrypt and make useless more than 30,000 hard drives at rival nation Saudi Arabia’s state-owned oil conglomerate, Saudi Aramco.
The latest attack targeted a Russian organization, the Kaspersky researchers stated in their analysis, suggesting that it could be retribution by Ukrainian forces or partisan hackers.
“Given the blanket cover that is used — pretending to be ransomware — and the limited time it takes to write a simple wiper, it seems like anyone can be behind this attack,” Max Kersten, a malware researcher at cybersecurity firm Trellix. “Kaspersky indicates the victims are Russian, meaning anti-Russian activists, pro-Ukrainian activists, Ukraine as a state, or states supporting Ukraine, could be behind it, as I see it.”
Fake Ransomware or Lazy Criminals?
CryWiper is the latest attack program that appears to be ransomware but actually acts as a wiper instead. While past examples often deleted data because of a developer error, CryWiper’s creator intended its functionality, according to a translation of Kaspersky’s Russian analysis.
“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for ‘decrypting’ data, does not actually encrypt, but purposefully destroys data in the affected system,” Kaspersky stated. “Moreover, an analysis of the Trojan’s program code showed that this was not a developer’s mistake, but his original intention.”
CryWiper is not the first ransomware program to overwrite data without allowing for its decryption. Another recently discovered program, W32/Filecoder.KY!tr, also overwrites files, but in this case, because of poor programming, the data cannot be recovered.
“The ransomware was not intentionally turned into a wiper. Instead, the lack of quality assurance led to a sample that did not work correctly,” Fortinet researcher Gergely Revay stated in an analysis. “The problem with this flaw is that due to the design simplicity of the ransomware if the program crashes — or is even closed — there is no way to recover the encrypted files.”
Similarities to Previous Ransomware
CryWiper appears to be an original piece of malware, but the destructive malware uses the same pseudo-random number generator (PRNG) algorithm as IsaacWiper, a program used to attack public-sector organizations in Ukraine, while CryWiper appears to have attacked a group in the Russian Federation, Kaspersky stated the Russian analysis.
Several variants of the Xorist ransomware family and the Trojan-Ransom.MSIL.Agent family used the same email address in the note left behind by the CryWiper following its corruption of data, but Trellix’s Kersten believes that could have intended to cause confusion.
“The re-use of the email address in the ransom note in different samples could be done to throw off analysts who are looking to connect the dots, or it could be an actual mistake,” he says. “The latter, I think, is less likely as the malware’s code contains some mistakes showing it hasn’t been tested thoroughly, which makes me think the creator [or creators] were under the pressure of time.”
In the past, companies targeted with ransomware have agonized over the decision of whether to pay ransomware groups to use backups and offline copies to recover from a crypto-ransomware event.
“CryWiper positions itself as a ransomware program, that is, it claims that the victim’s files are encrypted and, if a ransom is paid, they can be restored. However, this is a hoax: in fact, the data is destroyed and cannot be returned,” Kaspersky stated. “The activity of CryWiper once again shows that the payment of the ransom does not guarantee the recovery of files.”
