CryWiper disguised as ransomware | Kaspersky official blog

Credit to Author: Editorial Team | Date: Fri, 02 Dec 2022 10:57:23 +0000

Our experts have discovered an attack by a new Trojan, which they dubbed CryWiper. At first glance, this malware acts like ransomware: it modifies files, adds a .CRY extension to them, and saves a README.txt file with a ransom note containing a bitcoin wallet address, the contact e-mail address of the malware creators, and the infection ID. In fact, however, this malware is a wiper: a file modified by CryWiper can never be restored to its original state. So if you see a ransom note and your files have a new .CRY extension, do not hurry to pay the ransom: it is pointless.

In the past, we have seen some malware strains that became wipers by accident, because their creators implemented the encryption algorithms poorly. This time, however, that is not the case: our experts are confident that the attackers' main goal is not financial gain but destroying data. The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.

What CryWiper is hunting for

The Trojan corrupts any data that is not vital for the functioning of the operating system. It does not affect files with the extensions .exe, .dll, .lnk, .sys, and .msi, and it ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code cannot be used against other targets.

How the CryWiper Trojan works

In addition to directly overwriting the contents of files with garbage, CryWiper also does the following:

  • creates a Task Scheduler task that restarts the wiper every 5 minutes;
  • sends the name of the infected computer to the C&C server and waits for a command to start an attack;
  • halts processes related to MySQL and MS SQL database servers, the MS Exchange mail server, and MS Active Directory web services (otherwise access to some files would be blocked and it would be impossible to corrupt them);
  • deletes shadow copies of files so that they cannot be restored (but for some reason only on the C: drive);
  • disables remote access to the affected system via the RDP protocol.

The purpose of the last step is not entirely clear. Perhaps the malware authors intended it to complicate the work of the incident response team, which would clearly prefer remote access to the affected machine but will instead have to obtain physical access to it. You can find technical details of the attack along with indicators of compromise in a post on Securelist (in Russian only).
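Turning the behaviours listed above into detection logic, as an added example that is not from Kaspersky's post or from Securelist: it runs a few command-line rules over constructed process-creation events and flags a host when several distinct behaviours appear together. The concrete commands (vssadmin, schtasks, net stop, the fDenyTSConnections registry value) and the service-name patterns are assumptions about how those steps would show up in telemetry; the post does not say how CryWiper performs them.

```python
import re

# Constructed process-creation events, "<timestamp> <command line>"; not real
# CryWiper telemetry. The commands are assumed, not taken from the post.
SAMPLE_EVENTS = [
    "2022-12-01T10:00:01 vssadmin delete shadows /all /quiet",
    "2022-12-01T10:00:02 schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\svc.exe",
    "2022-12-01T10:00:03 net stop MSSQLSERVER /y",
    '2022-12-01T10:00:04 reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f',
    "2022-12-01T10:00:05 schtasks /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe",
    "2022-12-01T10:05:00 notepad C:\\Users\\alice\\README.txt",
]

# Behaviours the post attributes to CryWiper, mapped to assumed command-line patterns.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    # Assumed service-name prefixes for MS SQL, MySQL, Exchange and AD Web Services.
    "db_or_mail_service_stop": re.compile(r"\bnet(\.exe)?\s+stop\s+(MSSQL|MySQL|MSExchange|ADWS)", re.I),
    "rdp_disabled": re.compile(r"fDenyTSConnections\b.*\s/d\s+1\b", re.I),
}
TASK_INTERVAL = re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b.*\s/mo\s+(\d+)", re.I)
MAX_MINUTES = 5  # the post says the task re-runs the wiper every 5 minutes


def classify(line):
    """Return (timestamp, [behaviour names]) for one event line."""
    timestamp, _, cmd = line.partition(" ")
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    m = TASK_INTERVAL.search(cmd)
    if m and int(m.group(2)) <= MAX_MINUTES:  # a daily task is not flagged
        hits.append("frequent_scheduled_task")
    return timestamp, hits


def detect(events):
    """Return {behaviour: [timestamps]} for every matching event."""
    found = {}
    for line in events:
        ts, hits = classify(line)
        for name in hits:
            found.setdefault(name, []).append(ts)
    return found


def is_wiper_like(found, minimum=3):
    """Several distinct behaviours on one host are a far stronger signal than any one."""
    return len(found) >= minimum


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, stamps in found.items():
        print(f"{name}: {', '.join(stamps)}")
    print("wiper-like activity:", is_wiper_like(found))
```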

How to stay safe

To protect your company’s computers from both ransomware and wipers, our experts recommend the following measures:

  • carefully control remote access connections to your infrastructure: prohibit connections from public networks, allow RDP access only through a VPN tunnel, and use unique strong passwords and two-factor authentication;
  • update critical software in a timely manner, paying special attention to the operating system, security solutions, VPN clients, and remote access tools;
  • raise your employees' security awareness, for example, using specialized online tools;
  • employ advanced security solutions to protect both work devices and the perimeter of the corporate network.
