A previously unknown data wiper, tracked as CryWiper, has been used in attacks on Russian government institutions, including mayoral offices and courthouses. Although it presents itself as ransomware, CryWiper destroys data outright and leaves victims no means of recovery.

Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko detailed the malware's operation: although it demands payment from targets under the pretext of recovering encrypted files, it actually corrupts the data, so the loss is irreversible.

The attacks were also covered by the Russian publication Izvestia. So far they have not been attributed to any known threat group.

CryWiper is written in C++ and achieves persistence through a scheduled task. It also contacts a command-and-control (C2) server, which gives the go-ahead for the destructive routine. Before wiping, the malware terminates processes belonging to critical services such as database and mail servers (presumably so that their open files can be overwritten), deletes volume shadow copies, and modifies the Windows Registry. These steps are most likely intended to frustrate recovery and hinder immediate incident response by the affected organisation.

The wiper corrupts virtually every file except those with the extensions .exe, .dll, .lnk, .sys and .msi, and it skips system directories such as C:\Windows and Boot. The result is a machine that still boots and can display the ransom demand while the organisation's data is gone.

After overwriting a file's contents with random data, CryWiper appends the .CRY extension to it, completing the ransomware disguise. It also drops a ransom note demanding Bitcoin in exchange for supposed decryption. Because the original contents have been overwritten rather than encrypted, no key exists and nothing can be decrypted; the demand is pure deception.
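The behaviours described above (scheduled-task persistence, killing database and mail services, deleting shadow copies, a registry change, and a burst of files renamed to .CRY) are individually common and only together point to a wiper. The following triage script is an added example written for this article, not Kaspersky's tooling or code from the malware itself. It runs over constructed Sysmon-style events; the service process names and the specific registry value (RDP disabled via fDenyTSConnections) are assumptions chosen to make the example concrete, since the article names neither.

```python
"""Triage constructed Sysmon-style events for a CryWiper-like behaviour chain.

Added example for this article; not Kaspersky's or the malware's code.
All events, process names and the registry value are constructed/assumed.
"""
import re
from collections import defaultdict

# Sysmon event IDs used below: 1 = process creation, 11 = file created,
# 13 = registry value set. Every event here is constructed sample data.
SAMPLE_EVENTS = [
    {"id": 1, "host": "court-fs01",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr C:\ProgramData\upd.exe /f'},
    {"id": 1, "host": "court-fs01", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"id": 1, "host": "court-fs01", "cmdline": "taskkill /F /IM MSExchangeTransport.exe"},
    {"id": 1, "host": "court-fs01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 13, "host": "court-fs01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},
    # Benign activity on a second host that must not be flagged.
    {"id": 1, "host": "hr-ws07", "cmdline": "vssadmin list shadows"},
    {"id": 1, "host": "hr-ws07", "cmdline": "taskkill /F /IM notepad.exe"},
    {"id": 11, "host": "hr-ws07", "target": r"C:\Users\anna\Documents\budget.xlsx"},
]
# Burst of overwritten files renamed to .CRY on the victim host (constructed).
SAMPLE_EVENTS += [
    {"id": 11, "host": "court-fs01", "target": rf"C:\Users\clerk\Documents\case{n}.docx.CRY"}
    for n in range(1, 7)
]

# Processes whose forced termination we treat as suspicious. The article only
# says "databases and email servers"; this concrete list is an assumption.
SERVICE_PROCS = {"sqlservr.exe", "mysqld.exe", "msexchangetransport.exe", "store.exe"}

RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "scheduled_task_minute": re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b", re.I),
}
TASKKILL_RE = re.compile(r"taskkill(\.exe)?\b.*?/im\s+(\S+)", re.I)


def triage(events, cry_threshold=5):
    """Return {host: sorted rule names} for every host showing wiper-like behaviour."""
    findings = defaultdict(set)
    cry_counts = defaultdict(int)
    for ev in events:
        host = ev["host"]
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            for name, pattern in RULES.items():
                if pattern.search(cmd):
                    findings[host].add(name)
            m = TASKKILL_RE.search(cmd)
            if m and m.group(2).lower() in SERVICE_PROCS:
                findings[host].add("service_process_kill")
        elif ev["id"] == 13:
            # Assumed registry change: RDP disabled by setting fDenyTSConnections = 1.
            if ev["target"].lower().endswith("fdenytsconnections") and "0x00000001" in ev.get("details", ""):
                findings[host].add("rdp_disabled_via_registry")
        elif ev["id"] == 11 and ev["target"].lower().endswith(".cry"):
            cry_counts[host] += 1
    # A single .CRY file is noise; a burst of them on one host is the wiper at work.
    for host, count in cry_counts.items():
        if count >= cry_threshold:
            findings[host].add("mass_cry_rename")
    return {host: sorted(rules) for host, rules in findings.items()}


def likely_wiper_hosts(findings, min_rules=3):
    """Hosts where several independent behaviours co-occur: treat as wiper, not ransomware."""
    return sorted(host for host, rules in findings.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, rules in result.items():
        print(host, rules)
    print("likely wiper activity on:", likely_wiper_hosts(result))
```

The point of requiring several rules to fire on one host is that each behaviour alone has legitimate uses (administrators delete shadow copies and create scheduled tasks); it is the chain, ending in mass renaming of overwritten files, that distinguishes a wiper from routine activity, and responders should treat a hit as data destruction rather than as an encryption event with a possible decryptor.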

The CryWiper incidents are a reminder that paying a ransom never guarantees recovery. Here, as the researchers stress, recovery is impossible by design: the malware is built to destroy, and victims who pay get nothing back.

CryWiper joins a growing list of retaliatory wipers aimed at Russian entities, following RURansom, a .NET-based wiper reported in March of this year.

The ongoing conflict between Russia and Ukraine continues to drive a surge in cyber operations, including a series of wipers such as WhisperGate and HermeticWiper. Trellix researcher Max Kersten has noted that wipers are cheap to build and easy to deploy: even a basic one can cause extensive damage, and the minimal development effort required, compared with more complex intrusions, underscores the risk they pose.
