CRY, CRY, CRY — Never-before-seen malware is nuking data in Russia's courts and mayors' offices. CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data.
Dan Goodin – Dec 2, 2022 8:57 pm UTC
Mayors’ offices and courts in Russia are under attack by never-before-seen malware that poses as ransomware but is actually a wiper that permanently destroys data on an infected system, according to security company Kaspersky and the Izvestia news service.
Kaspersky researchers have named the wiper CryWiper, a nod to the extension .cry that gets appended to destroyed files. Kaspersky says its team has seen the malware launch pinpoint attacks on targets in Russia. Izvestia, meanwhile, reported that the targets are Russian mayors' offices and courts. Additional details, including how many organizations have been hit and whether the malware successfully wiped data, weren't immediately known.
Wiper malware has grown increasingly common over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Arabia's Saudi Aramco and Qatar's RasGas. Four years later, a new variant of Shamoon returned and struck multiple organizations in Saudi Arabia. In 2017, self-replicating malware dubbed NotPetya spread across the globe in a matter of hours and caused an estimated $10 billion in damage. In the past year, a flurry of new wipers appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.
Kaspersky said it discovered the attack attempts by CryWiper in the last few months. After infecting a target, the malware left a note demanding, according to Izvestia, 0.5 bitcoin and including a wallet address where the payment could be made.
"After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for decrypting data, does not actually encrypt, but purposefully destroys data in the affected system," Kaspersky's report stated. "Moreover, an analysis of the Trojan's program code showed that this was not a developer's mistake, but his original intention."
CryWiper bears some resemblance to IsaacWiper, which targeted organizations in Ukraine. Both wipers use the same algorithm for generating the pseudo-random numbers that are then used to corrupt targeted files by overwriting the data inside them. The name of the algorithm is the Mersenne Vortex PRNG. The algorithm is rarely used in malware, so the commonality stuck out.
CryWiper shares a separate commonality with ransomware families known as Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. Specifically, the email address in the ransom note of all three is the same.
The CryWiper sample Kaspersky analyzed is a 64-bit executable file for Windows. It was written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. That's an unusual choice, since it's more common for malware written in C++ to be built with Microsoft's Visual Studio. One possible reason for this choice is that it gives the developers the option of porting their code to Linux. Given the number of specific calls CryWiper makes to Windows programming interfaces, this reason seems unlikely. The more likely reason is that the developer writing the code was using a non-Windows device.
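How an analyst arrives at a conclusion like "MinGW-w64 and GCC" is worth making concrete. The following is an added example, not Kaspersky's method or code: it scans a binary for marker strings that each toolchain tends to leave behind (GCC version comments, `__mingw_` runtime symbols, MSVC runtime DLL names) and parses the PE section table, since a standalone `.CRT` or `.eh_frame` section is a GCC-linker habit. The marker lists, the sample header built by `build_sample_pe()` (a minimal, non-loadable PE with constructed strings) and the scoring are assumptions for the demo, not a reliable fingerprint on their own.

```python
"""Heuristic toolchain fingerprinting for a Windows PE sample.

Added example, not Kaspersky's tooling. Every marker below is a heuristic an
analyst would confirm by hand; the sample binary is constructed in-line.
"""
import re
import struct

# Strings each toolchain tends to leave in a binary (assumed heuristics).
STRING_MARKERS = {
    "mingw-w64/gcc": [rb"GCC: \([^)]*\) \d+\.\d+\.\d+",   # GCC version comment
                      rb"mingw-w64",                       # MinGW-w64 CRT messages
                      rb"__mingw_\w+",                     # MinGW runtime symbols
                      rb"libgcc"],
    "msvc": [rb"VCRUNTIME\d+D?\.dll", rb"MSVCP\d+D?\.dll",
             rb"api-ms-win-crt-[a-z0-9-]+\.dll", rb"Microsoft \(R\) "],
}
# Sections the GCC linker commonly emits stand-alone; MSVC merges .CRT into
# .rdata and uses .pdata/.xdata rather than .eh_frame (assumed heuristic).
GCC_SECTION_HINTS = {".CRT", ".eh_frame"}


def pe_section_names(blob: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names; returns [] for anything that is not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if len(blob) < coff + 20:
        return []
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        raw = blob[table + 40 * i: table + 40 * i + 8]   # 8-byte NUL-padded name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def toolchain_hints(blob: bytes) -> dict:
    """Map toolchain name -> sorted list of distinct marker strings found."""
    hits = {}
    for name, patterns in STRING_MARKERS.items():
        found = {m.group(0).decode("latin-1")
                 for p in patterns for m in re.finditer(p, blob, re.IGNORECASE)}
        hits[name] = sorted(found)
    return hits


def gcc_version(blob: bytes):
    """Version from a 'GCC: (...) x.y.z' comment, or None."""
    m = re.search(rb"GCC: \([^)]*\) (\d+\.\d+\.\d+)", blob)
    return m.group(1).decode() if m else None


def likely_toolchain(blob: bytes) -> str:
    """Score string markers plus GCC-style section names; 'unknown' if nothing hits."""
    scores = {name: len(found) for name, found in toolchain_hints(blob).items()}
    scores["mingw-w64/gcc"] += len(set(pe_section_names(blob)) & GCC_SECTION_HINTS)
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS stub, COFF header (no optional header), a
    MinGW-looking section table and a few MinGW CRT strings. Not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature
    sections = [b".text", b".data", b".rdata", b".pdata", b".xdata",
                b".bss", b".CRT", b".tls"]
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(struct.pack("<8s32x", s) for s in sections)
    strings = (b"\0GCC: (x86_64-posix-seh-rev0, Built by MinGW-W64 project) 8.1.0\0"
               b"__mingw_invalidParameterHandler\0Mingw-w64 runtime failure:\0")
    return bytes(dos) + b"PE\0\0" + coff + table + strings


# Constructed contrast sample: MSVC-style runtime imports, no valid PE header.
MSVC_SAMPLE = b"MZ" + b"\0" * 62 + b"VCRUNTIME140.dll\0MSVCP140.dll\0"

if __name__ == "__main__":
    sample = build_sample_pe()
    print("sections:", pe_section_names(sample))
    print("hints:", toolchain_hints(sample))
    print("verdict:", likely_toolchain(sample), "gcc", gcc_version(sample))
    print("contrast:", likely_toolchain(MSVC_SAMPLE))
```

On a real sample, `open(path, "rb").read()` replaces `build_sample_pe()`; the point of the scoring is only to rank hypotheses for the analyst, who then confirms with the import table and CRT initialisation code.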
Successful wiper attacks often take advantage of poor network security. Kaspersky advised network engineers to take precautions by using:
- Behavioral file analysis security solutions for endpoint protection.
- Managed detection and response and a security operations center that allow for timely detection of an intrusion and action to respond.
- Dynamic analysis of mail attachments and blocking of malicious files and URLs. This will make email attacks, one of the most common vectors, more difficult.
- Regular penetration testing and Red Team projects. This will help to identify vulnerabilities in the organization's infrastructure, protect them, and thereby significantly reduce the attack surface for intruders.
- Threat data monitoring. To detect and block malicious activity in a timely manner, it is necessary to have up-to-date information about the tactics, tools, and infrastructure of intruders.
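The first item on that list, behavioral file analysis, is what catches a wiper of the kind described above: a process renaming files to `.cry` in a burst, and file contents that are PRNG output rather than a document. The following is an added example, not Kaspersky's product or code, that runs both checks over constructed telemetry. The event line format (`timestamp|pid|image|action|path`), the process name `upd.exe`, the burst threshold and window, and the entropy cut-off are all assumptions for the demo. It also assumes that the report's "Mersenne Vortex" is the Mersenne Twister (MT19937), which is what Python's `random` module implements, so a few kilobytes of its output stand in for a wiped file.

```python
"""Behavioral triage for CryWiper-style file destruction (added example).

Two signals from the report are checked: a burst of files renamed to ".cry"
by one process, and ".cry" files whose bytes are statistically random, i.e. a
PRNG overwrite rather than anything a key could bring back.
"""
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta

WIPER_EXT = ".cry"               # extension appended to destroyed files (from the report)
BURST_THRESHOLD = 5              # assumed: renames to .cry by one process inside WINDOW
WINDOW = timedelta(seconds=60)   # assumed detection window
ENTROPY_THRESHOLD = 7.5          # bits/byte; uniform random bytes approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_event(line: str) -> dict:
    """Parse one constructed event line: 'ISO-timestamp|pid|image|action|path'."""
    ts, pid, image, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "action": action, "path": path}


def detect_rename_bursts(lines) -> list:
    """Return (pid, image, count) for every process that renames at least
    BURST_THRESHOLD files to .cry within WINDOW (sliding window per process)."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    per_process = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME" and e["path"].lower().endswith(WIPER_EXT):
            per_process[(e["pid"], e["image"])].append(e["ts"])
    alerts = []
    for (pid, image), times in per_process.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append((pid, image, end - start + 1))
                break
    return alerts


def classify_file(path: str, content: bytes) -> str:
    """'wiper-suspect' for a .cry file of random-looking bytes, 'high-entropy'
    for random-looking bytes under another name, otherwise 'normal'."""
    high = shannon_entropy(content) >= ENTROPY_THRESHOLD
    if high and path.lower().endswith(WIPER_EXT):
        return "wiper-suspect"
    return "high-entropy" if high else "normal"


# Constructed telemetry (not real logs): pid 4242 / upd.exe is a placeholder for
# an unknown process; explorer.exe's lone rename is a benign one-off.
SAMPLE_EVENTS = [
    "2022-12-01T10:00:00|4242|C:\\ProgramData\\upd.exe|RENAME|C:\\Users\\ivan\\Documents\\a.docx.cry",
    "2022-12-01T10:00:01|4242|C:\\ProgramData\\upd.exe|RENAME|C:\\Users\\ivan\\Documents\\b.xlsx.cry",
    "2022-12-01T10:00:02|4242|C:\\ProgramData\\upd.exe|RENAME|C:\\Users\\ivan\\Documents\\c.pdf.cry",
    "2022-12-01T10:00:02|4242|C:\\ProgramData\\upd.exe|RENAME|C:\\Users\\ivan\\Documents\\d.pdf.cry",
    "2022-12-01T10:00:05|1234|C:\\Windows\\explorer.exe|CREATE|C:\\Users\\ivan\\Desktop\\notes.txt",
    "2022-12-01T10:00:03|4242|C:\\ProgramData\\upd.exe|RENAME|C:\\Users\\ivan\\Documents\\e.jpg.cry",
    "2022-12-01T10:03:00|1234|C:\\Windows\\explorer.exe|RENAME|C:\\Users\\ivan\\Desktop\\old.cry",
]

# Constructed file contents. random.Random is MT19937 (Mersenne Twister); 4 KiB
# of its output is what an overwritten file looks like on disk.
_rng = random.Random(2022)
WIPED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
INTACT_SAMPLE = b"Quarterly budget summary for the municipal court, draft 3.\n" * 60

if __name__ == "__main__":
    for pid, image, count in detect_rename_bursts(SAMPLE_EVENTS):
        print("ALERT: pid %d (%s) renamed %d files to %s within %s" % (pid, image, count, WIPER_EXT, WINDOW))
    print("a.docx.cry ->", classify_file("a.docx.cry", WIPED_SAMPLE))
    print("report.docx ->", classify_file("report.docx", INTACT_SAMPLE))
```

The entropy check alone cannot separate a wiper from real ransomware, since ciphertext is just as random; what it does establish is that the bytes on disk carry no structure to recover, which is why backups, not a decryptor, are the answer to this family.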
Given Russia's invasion of Ukraine and other geopolitical conflicts raging around the globe, the pace of wiper malware isn't likely to slow in the coming months.
"In many cases, wiper and ransomware incidents are caused by insufficient network security, and it is the strengthening of protection that should be paid attention to," Friday's Kaspersky report stated. "We assume that the number of cyberattacks, including those using wipers, will grow, largely due to the unstable situation in the world."
Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.