Russian Courts Attacked by CryWiper Malware

April 29, 2023

Kaspersky researchers have detected a new piece of malware, CryWiper, that masquerades as ransomware and targets courts and mayoral offices in several Russian regions. The program is likely a Trojan horse designed to permanently destroy data.

CryWiper looks like typical ransomware in that it scrambles files and demands a ransom payment. Unlike genuine ransomware, which encrypts files and demands money for the key, CryWiper overwrites the victim's files with random data, so those affected cannot restore their files even if they pay the ransom.

CryWiper is a Trojan

The CryWiper Trojan poses as ransomware and infects the computers of government agencies and courts. Once inside, it encrypts files on the infected machine and demands a ransom to restore them.

Kaspersky researchers classify the malware as a new type of Trojan designed to steal information from an infected computer, and have confirmed observing it attacking Russian mayoral offices and courts.

Kaspersky reports that the malware is designed to steal data from an infected computer, including system information, credentials and screenshots. It also leaves a ransom note demanding payment in bitcoin for its removal.

Once CryWiper infects a machine, it sends the machine's name to a command-and-control (C2) server and waits for a start signal. It then shuts down MS SQL, MySQL, Active Directory and mail services, deletes file-system shadow copies, disables RDP connections and encrypts files.

It also overwrites portions of the target files with garbage data, so that what appears to be encrypted data has in fact been wiped.

According to Sophos chief security officer Eugene Skulkin, Russian intelligence services often employ wiper malware. It has been seen in attacks against Ukraine, a country Russia has invaded, and may be used again soon, he adds.

Before this year, wiper malware was relatively uncommon and had a minimal impact on users. But in the last 12 months, Skulkin observes, these types of threats have seen an uptick in activity.

Wipers have thus become an increasingly prevalent threat to organizations and businesses around the world, particularly those that handle sensitive data like financial institutions, healthcare providers, and government agencies.

To protect yourself against wipers, it is essential to regularly back up your files. This can be done either with external storage or using an online backup service.

Aside from backups, it is essential to keep your devices up to date with the newest software and hardware updates. Furthermore, use antivirus software with active malware protection to detect and remove malicious programs on your endpoints.
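Backups only help against a wiper if they were taken before the files were overwritten; a backup job that runs after the damage faithfully copies the random bytes. The following added example (not code from the article or from Kaspersky) shows one way to catch that: a SHA-256 manifest taken while a tree is known-good, stored off the host, and verified before each backup run. The directory layout, file names and the simulated overwrite are constructed for the demonstration.

```python
"""Detect silently overwritten or deleted files against a known-good hash manifest.

Added example; file names and the simulated wiper behaviour are constructed.
The manifest must be kept off the protected host (read-only share, offline media),
otherwise the same wiper can destroy it along with the data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large database files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root, manifest):
    """Compare the current tree with a known-good manifest.

    A wiper that overwrites file contents in place leaves the name and size intact,
    so only a content hash reveals the change; deletions and unexpected new files
    (such as a dropped ransom note) are reported separately.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "new": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Build a constructed sample tree, take a manifest, simulate a wiper, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "ruling.txt").write_text("constructed sample document\n")
        (root / "docs" / "index.db").write_bytes(b"\x00" * 4096)
        (root / "notes.txt").write_text("more constructed content\n")

        manifest = build_manifest(root)  # taken while the tree is known-good

        # Simulated wiper: overwrite one file in place with random bytes of the same
        # size (name and size unchanged), delete another, and drop a stand-in note.
        (root / "docs" / "index.db").write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()
        (root / "README.txt").write_text("constructed stand-in for a ransom note\n")

        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the verification as a gate in the backup job: if `modified` is non-empty for files that no legitimate process should have changed, stop the job and keep the previous backup generation rather than overwriting it.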

It encrypts files

Russian courts have been targeted by CryWiper, malware that masquerades as ransomware but actually wipes data. Cybersecurity researchers say the CryWiper infection destroys the files stored on a victim's computer, rendering them unrecoverable.

Ransomware typically encrypts data and leaves a ransom note demanding payment to unlock it. But there is an emerging trend of ransomware variants that also target non-binary files such as images, scripts and text documents, reflecting the interests of the criminals behind them.

These types of ransomware can infect a device through phishing emails, malicious downloads or exploits. They can also spread through compromised network or Internet connections, as a worm or Trojan horse would.

Ransomware infections typically begin with a Trojan that infects the target computer. Once there, the malicious software may use social engineering tricks to convince the user to grant it administrative access.

Once on the victim’s computer, the Trojan contacts a command and control (C2) server for activation instructions. This activation command initiates an attack which Kaspersky refers to as a “wiper.”

Wipers have the distinguishing capability of destroying data and making it unrecoverable, regardless of any payment to the attackers. According to virus specialists, cybercriminals often employ wipers as cover for their true intentions.

These wipers are often distributed as pirated software and can be particularly hazardous to users who visit warez and crack websites. As a result, malware infections have become an increasingly serious security risk.

However, there are ways to protect against ransomware infections. One is restricting access to shared or network drives, which limits how many devices a ransomware variant can spread to. Another is not downloading pirated content.

Thirdly, the best protection against ransomware is preventing the infection in the first place. This includes restricting access to shared or network drives, disabling file-sharing services and making sure users do not run programs that could become infected with ransomware, particularly on Windows computers.

It leaves a ransom note

Kaspersky and Russian news outlet Izvestia have reported a new ransomware attack has struck several regions in Russia, targeting judicial courts and mayoral offices. This malware, which the researchers have dubbed CryWiper, is designed to wipe data from infected systems.

CryWiper, like other ransomware programs, displays a ransom note demanding payment from victims in exchange for decrypting their files. It encrypts all data stored on infected PCs and appends an unpredictable 8-character extension to each file, frustrating recovery efforts.

Security researchers report that CryWiper doesn’t stop there. The malware also performs data destruction routines, meaning even if victims pay the hackers for their data, they won’t be able to recover it.

CryWiper then transmits the name of the compromised device to a command and control (C2) server and waits for an activation command to launch the attack. Once it receives the command, CryWiper terminates the processes of MySQL and MS SQL database servers, MS Exchange mail services and MS Active Directory web services.

It then deletes shadow copies of documents on the infected device’s C: drive to prevent their restoration. Finally, it creates a task in Windows Task Scheduler to restart the wiper every five minutes.
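The sequence just described (services stopped, shadow copies deleted, a scheduled task created to relaunch the wiper) is what a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Kaspersky: it runs a small set of rules over constructed log lines in a simplified `timestamp|host|parent|command` format and alerts when one host hits several distinct tactics within a short window. The field layout, host names, sample commands and thresholds are assumptions for the demonstration, not CryWiper indicators taken from the report.

```python
"""Flag the wiper-like command sequence in process-creation logs.

Added example with constructed input. The log format, host names and sample
command lines are assumptions; any single rule hit is routine administration,
the signal is several distinct tactics on one host in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime

# (tactic label, regex matched against the full command line)
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_stop", re.compile(r"\bnet(\.exe)?\s+stop\s+(MSSQL|MySQL|MSExchange|NTDS)", re.I)),
    ("service_stop", re.compile(r"\bsc(\.exe)?\s+stop\s+(MSSQL|MySQL|MSExchange|NTDS)", re.I)),
    ("persistence_schtask", re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/sc\s+minute\b", re.I)),
]

WINDOW_SECONDS = 600   # how close together the tactics must occur
ALERT_THRESHOLD = 3    # distinct tactics needed before alerting

# Constructed sample: one host shows the full sequence, two others show benign
# administration that shares individual commands with it.
SAMPLE_LOG = """\
2023-04-28T09:58:01|court-fs01|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2023-04-28T10:00:12|court-fs01|unknown.exe|net.exe stop MSSQLSERVER /y
2023-04-28T10:00:14|court-fs01|unknown.exe|net.exe stop MSExchangeIS /y
2023-04-28T10:00:20|court-fs01|unknown.exe|vssadmin.exe delete shadows /all /quiet
2023-04-28T10:00:25|court-fs01|unknown.exe|schtasks.exe /create /tn Updater /tr C:\\ProgramData\\x.exe /sc minute /mo 5
2023-04-28T11:30:00|mayor-ws07|cmd.exe|vssadmin.exe list shadows
2023-04-28T11:45:00|backup-srv|backup.exe|vssadmin.exe delete shadows /for=D: /oldest
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, parent, command)."""
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent, cmd


def classify(cmd):
    """Return the set of tactic labels whose rule matches this command line."""
    return {label for label, rx in RULES if rx.search(cmd)}


def detect(log_text, window=WINDOW_SECONDS, threshold=ALERT_THRESHOLD):
    """Return {host: sorted tactic labels} for hosts with >= threshold distinct
    tactics inside any sliding window of `window` seconds."""
    events = defaultdict(list)  # host -> [(timestamp, label)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _parent, cmd = parse_line(line)
        for label in classify(cmd):
            events[host].append((ts, label))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _label) in enumerate(evs):
            seen = {label for ts, label in evs[i:] if (ts - start).total_seconds() <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, tactics in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(tactics)}")
```

The backup server's scheduled `vssadmin delete shadows /oldest` and the admin's `vssadmin list shadows` produce no alert, which is the point of correlating tactics rather than alerting on each command; in a real deployment the same rules would be expressed against Sysmon event 1 or Windows event 4688 fields instead of the constructed pipe-delimited format.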

Although the FBI does not advocate paying ransoms for data recovery, attackers often profit from these requests. They use these funds to finance their operations or support terror groups or money launderers.

Paying ransoms could attract other attackers to the same victim, increasing the damage. Furthermore, publicizing that victims paid a ransom for data recovery may encourage further attacks in the future.

Therefore, if you believe your company has been compromised by ransomware, act quickly to isolate affected devices and scan them with an effective anti-ransomware solution. Doing this not only shields assets from further harm but also keeps employees protected and safe.

It destroys files

CryWiper is malware that poses as ransomware but has an ulterior motive. According to cybersecurity researchers at Kaspersky Labs, CryWiper deliberately destroys data on infected systems in an effort to conceal its presence.

Russian courts and mayoral offices in several regions have been targeted by a new data-wiping Trojan. Dubbed CryWiper by antivirus maker Kaspersky and local news outlet Izvestia, the malware goes through all the motions of a ransomware attack, scrambling files and then leaving behind a ransom note demanding money.

However, victims who pay the attackers will not be able to recover their files, because the files have been permanently destroyed. This is why cybersecurity professionals refer to such programs as "wipers."

Once infected, the malware sends the system name to a command-and-control (C2) server, waiting for an activation command that launches its attack. It shuts down database servers, mail servers and Active Directory services while wiping out shadow copies of files on the file system. Furthermore, it disables remote desktop protocol (RDP) services that allow users to connect remotely to a computer.

It then encrypts the target files using a password and key, appending the extension "Cry" to each encrypted file. Afterward, it demands 0.5 Bitcoin in exchange for decrypting those same files, an approach commonly employed by cybercriminals but never before seen in Russia.

The wiper also terminates processes belonging to MySQL and MS SQL database servers, MS Exchange email servers and MS Active Directory web services. These applications hold their database and mailbox files open, and those files must be released before the wiper can destroy them.

At this stage the wiper also deletes the volume shadow copies of files on the Windows host to prevent restoration. Most ransomware variants do the same; the difference is that with a wiper the damage cannot be undone.

In addition to encrypting the contents of targeted files, the wiper overwrites parts of them with garbage data, an unusual feature that appears to have been designed intentionally by its developer. It also registers a task in Windows Task Scheduler to restart itself every five minutes.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
