CryWiper Disguises as Ransomware Attacks Russian Organizations
Category: Critical Infrastructure Security | Industry: Critical Infrastructure | Level: Strategic | Source: Kaspersky
Researchers from Kaspersky discovered a new data-destruction malware, dubbed CryWiper, which disguises itself as ransomware and demands payment for "decryption" while in fact rendering recovery impossible. CryWiper was first observed in the fall of 2022, when it was deployed against an organization in the Russian Federation. When executed, the wiper creates a scheduled task and connects to the attacker's command-and-control server, waiting for a 'run' or 'do not run' string before proceeding. When instructed to destroy files, "CryWiper generates a sequence of data using the well-known pseudo-random number generator "Mersenne Twister," and writes this data instead of the original file content." Corrupted files are given a .CRY file extension. To further inhibit system recovery, the malware deletes shadow copies and disables RDP connections, preventing remote IT support. Despite a ransom note providing a Bitcoin wallet address, the destruction of the files is not reversible.
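The behaviour chain described above (scheduled-task creation, shadow-copy deletion, RDP being disabled, and mass renaming of files to a .CRY extension) is what a defender can correlate on endpoint telemetry, because any one of these events alone is common administrative noise. The following is an added example of such a correlation check; it is not Kaspersky's code or tooling. The event schema (timestamp, host, event type, detail), the sample log lines, the ten-minute window and the rename threshold are all constructed assumptions for illustration and would be mapped onto whatever EDR or Windows event source an organization actually has.

```python
"""Correlate CryWiper-style recovery-inhibition events with mass .CRY renames.

Added example, not Kaspersky's code. Event schema, sample telemetry,
window size and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event_type, detail).
# ws-17 shows the full chain; ws-02 shows ordinary admin activity.
SAMPLE_EVENTS = [
    ("2022-10-03T09:00:05", "ws-17", "scheduled_task_created", "task=Updater"),
    ("2022-10-03T09:00:09", "ws-17", "network_connect", "dst=<c2-placeholder>"),
    ("2022-10-03T09:01:10", "ws-17", "shadow_copy_deleted", "scope=all"),
    ("2022-10-03T09:01:12", "ws-17", "rdp_disabled", "via=policy"),
    ("2022-10-03T09:01:20", "ws-17", "file_renamed", "report.docx -> report.docx.CRY"),
    ("2022-10-03T09:01:21", "ws-17", "file_renamed", "budget.xlsx -> budget.xlsx.CRY"),
    ("2022-10-03T09:01:21", "ws-17", "file_renamed", "notes.txt -> notes.txt.CRY"),
    ("2022-10-03T09:01:22", "ws-17", "file_renamed", "photo.jpg -> photo.jpg.CRY"),
    ("2022-10-03T09:05:00", "ws-02", "scheduled_task_created", "task=NightlyBackup"),
    ("2022-10-03T09:06:30", "ws-02", "file_renamed", "draft.docx -> final.docx"),
    ("2022-10-03T09:07:00", "ws-02", "file_renamed", "old.log -> old.log.CRY"),
]

# Recovery-inhibiting behaviours the write-up attributes to the wiper.
INDICATORS = {"scheduled_task_created", "shadow_copy_deleted", "rdp_disabled"}
WINDOW = timedelta(minutes=10)   # constructed correlation window
CRY_RENAME_THRESHOLD = 3         # constructed "mass rename" threshold
MIN_INDICATORS = 2               # require at least two distinct indicators


def parse_event(raw):
    """Turn one constructed log tuple into (datetime, host, type, detail)."""
    ts, host, etype, detail = raw
    return datetime.fromisoformat(ts), host, etype, detail


def detect_wiper_chain(events, window=WINDOW,
                       rename_threshold=CRY_RENAME_THRESHOLD,
                       min_indicators=MIN_INDICATORS):
    """Return one alert per host whose events, within a sliding window,
    combine recovery-inhibiting indicators with mass .CRY renames."""
    by_host = defaultdict(list)
    for raw in events:
        ts, host, etype, detail = parse_event(raw)
        by_host[host].append((ts, etype, detail))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for i, (start, _, _) in enumerate(evs):
            seen = set()
            cry_renames = 0
            # Scan forward from each event until the window is exceeded.
            for ts, etype, detail in evs[i:]:
                if ts - start > window:
                    break
                if etype in INDICATORS:
                    seen.add(etype)
                elif etype == "file_renamed" and detail.lower().endswith(".cry"):
                    cry_renames += 1
            if len(seen) >= min_indicators and cry_renames >= rename_threshold:
                alerts.append({
                    "host": host,
                    "window_start": start.isoformat(),
                    "indicators": sorted(seen),
                    "cry_renames": cry_renames,
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_chain(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} from {alert['window_start']}: "
              f"{', '.join(alert['indicators'])}; "
              f"{alert['cry_renames']} files renamed to .CRY")
```

Requiring two of the three recovery-inhibiting indicators together with a burst of .CRY renames keeps the rule from firing on a lone backup job or a single user renaming a file, while still catching the sequence early enough that isolating the host can limit how many files are overwritten. Because the wiper replaces content with PRNG output rather than encrypting it, the alert should drive immediate containment and restoration from offline backups rather than any attempt to negotiate.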