New CryWiper malware wipes data in attack against Russian org

Hacker


A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery.


CryWiper was first discovered by Kaspersky this fall, seen in attacks against organizations in the Russian Federation.


"In the fall of 2022, our solutions detected attempts by a previously unknown Trojan, which we named CryWiper, to attack an organization's network in the Russian Federation," explains the new report by Kaspersky.


As the code analysis reveals, the data-wiping function of CryWiper isn't a mistake but a purposeful tactic to destroy targets' data.


Wiping the victim's data


CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls.


Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.



Creation of scheduled taskCreation of scheduled task (Kaspersky)

Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant.


Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection.


CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.



Services killed by CryWiperServices killed by CryWiper (Kaspersky)

Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files.


CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists.


Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", "lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable.


The algorithm for corrupting the files is based on "Mersenne Twister," a pseudorandom number generator. This is the same algorithm used by IsaacWiper, but the researchers established no further connection between the two families.


After this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.



Ransom note generated by CryWiperRansom note generated by CryWiper (Kaspersky)

Even though CryWiper is not ransomware in the typical sense, it can still cause severe data destruction and business interruption.


Kaspersky says CryWiper does not seem to be associated with any wiper families emerging in 2022, like DoubleZeroIsaacWiperHermeticWiperCaddyWiperWhisperGateAcidRain, and Industroyer2.