Russian courts targeted by a newly emerged CryWiper data wiper

December 13, 2022

Russian courts and mayors’ offices are the prime targets of the newly emerged CryWiper data wiper, which masquerades as ransomware but destroys the victims’ files beyond recovery. Researchers first detected CryWiper’s attack attempts in the third quarter of 2022, when it struck the network of an organisation in the Russian Federation.

Originally believed to be a ransomware strain, CryWiper was found on analysis to destroy victims’ data deliberately: the destruction is its actual intention, not a mistake.

CryWiper is written in C++ and relies on WinAPI function calls. It is a 64-bit Windows executable that creates a scheduled task to relaunch itself every five minutes on a compromised computer.

The CryWiper data wiper can also communicate with an attacker-controlled remote C2 server to receive commands. Some analysts observed a delay of up to four days in some operations, which they believe was intended to confuse victims about the infection.

The data wiper stops all processes related to MS SQL database servers, MySQL, MS Exchange email servers, and MS Active Directory so that the files these services hold locked are released and can be destroyed. It also deletes shadow copies to prevent victims from restoring their files easily.

Furthermore, the data wiper can modify the Windows Registry to block RDP connections to the computer, hindering security teams from responding.

However, CryWiper’s operators do not seem to aim at rendering a victim’s computer unusable: in all observed attacks it refrains from corrupting .exe, .dll, .lnk, .sys and .msi files as well as its own .CRY files, and it skips the Windows, System, and Boot directories.

Researchers also found that the algorithm used for CryWiper’s file corruption is based on the ‘Mersenne Twister’ pseudorandom number generator, as previously seen in another data wiper strain called ‘IsaacWiper.’

The wiper also drops a ransom note, although analysis shows that the corrupted files cannot be recovered even if the victims pay the demanded ransom of 0.5 BTC, or around $8,000.
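As an added example (not code from the article or from the researchers it cites), the following Python script turns the behaviour chain described above into detection logic and runs it over constructed EDR-style events. The service names, the fDenyTSConnections registry value used to block RDP, and the event format are assumptions, not details the article gives.

```python
import re
from datetime import datetime, timedelta
# Constructed, normalised endpoint events (one 'key=value' per field); not real telemetry.
SAMPLE_EVENTS = """\
ts=2022-11-30T10:00:01 host=court-fs01 event=TaskCreate interval_min=5 action=C:\\Users\\Public\\svc.exe
ts=2022-11-30T10:00:02 host=court-fs01 event=ServiceStop service=MSSQLSERVER
ts=2022-11-30T10:00:03 host=court-fs01 event=ServiceStop service=MSExchangeIS
ts=2022-11-30T10:00:04 host=court-fs01 event=ShadowCopyDelete scope=all
ts=2022-11-30T10:00:05 host=court-fs01 event=RegSet value=fDenyTSConnections data=1
ts=2022-11-30T10:00:09 host=court-fs01 event=FileRename path=C:\\Share\\cases\\ruling.docx.CRY
ts=2022-11-30T10:02:00 host=hr-pc07 event=ServiceStop service=Spooler
ts=2022-11-30T10:05:00 host=hr-pc07 event=FileRename path=C:\\Users\\alice\\notes.txt
"""
# Assumed service-name prefixes for the SQL Server, MySQL, Exchange and AD services the article says are stopped.
DATA_SERVICES = re.compile(r"^(MSSQL|SQL|MySQL|MSExchange|NTDS)", re.IGNORECASE)

def parse_event(line):
    """Split one 'k=v k=v ...' line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(ev):
    """Map one event to a CryWiper behaviour stage, or None if unrelated."""
    kind = ev.get("event")
    if kind == "TaskCreate" and ev.get("interval_min") == "5":
        return "persistence_5min_task"
    if kind == "ServiceStop" and DATA_SERVICES.match(ev.get("service", "")):
        return "data_services_stopped"
    if kind == "ShadowCopyDelete":
        return "shadow_copies_deleted"
    # fDenyTSConnections=1 is an assumed way of blocking RDP; the article names no key.
    if kind == "RegSet" and ev.get("value") == "fDenyTSConnections" and ev.get("data") == "1":
        return "rdp_blocked"
    if kind == "FileRename" and ev.get("path", "").lower().endswith(".cry"):
        return "cry_extension_written"
    return None

def detect(log_text, window_min=10, min_stages=3):
    """Return {host: sorted stages} for hosts with >= min_stages distinct stages within window_min minutes of their first hit."""
    first_seen, stages = {}, {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        stage = classify(ev)
        if stage is None:
            continue
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        first_seen.setdefault(host, ts)
        if ts - first_seen[host] <= timedelta(minutes=window_min):
            stages.setdefault(host, set()).add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}
```

Requiring several distinct stages within a short window keeps a single legitimate service restart or shadow-copy cleanup from alerting on its own.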

The destruction caused by the CryWiper data wiper poses a serious risk to its victims. All targeted organisations, specifically local Russian offices, are therefore warned to be vigilant against cyberattack attempts and to strengthen their security measures.
