A new data wiper malware named CryWiper has been discovered targeting Russian government institutions such as mayors’ offices and courts. “Although it disguises itself as ransomware and extorts money from the victim for ‘decrypting’ data, [it] does not actually encrypt, but purposefully destroys data in the affected system,” stated Fedor Sinitsyn and Janis Zinchenko, Kaspersky researchers. According to Russian news outlet Izvestia, there is currently no evidence linking the attacks to a specific adversarial group. CryWiper is written in C++. It establishes persistence through a scheduled task and contacts a command-and-control (C2) server before launching its destructive routine. The malware terminates database- and email-server-related processes, deletes shadow copies of files, and alters the Windows Registry to block RDP connections, perhaps to hinder incident response. The wiper overwrites all files except those with certain extensions or located in certain directories, and appends the extension “.CRY” to each overwritten file. A ransom note reinforces the ransomware disguise, demanding 0.5 Bitcoin to restore access.
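As an added example (not code from the article, Kaspersky, or the malware itself), the behaviours described above can be turned into a simple host triage heuristic over endpoint telemetry. The sample records are constructed, and the concrete commands, registry value and process names used to recognise each behaviour are assumptions about how such activity typically shows up, not details taken from the CryWiper analysis.

```python
import re
from collections import defaultdict

# Constructed sample telemetry ("host kind detail" records), not real logs.
SAMPLE_LOG = """\
host1 proc schtasks.exe /create /tn Updater /tr C:\\ProgramData\\svc.exe /sc onlogon
host1 proc vssadmin.exe delete shadows /all /quiet
host1 proc reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
host1 proc taskkill.exe /f /im sqlservr.exe
host1 proc taskkill.exe /f /im MSExchangeIS.exe
host1 file rename C:\\Data\\report.docx -> C:\\Data\\report.docx.CRY
host1 file rename C:\\Data\\budget.xlsx -> C:\\Data\\budget.xlsx.CRY
host2 proc vssadmin.exe list shadows
host2 file rename C:\\Data\\notes.txt -> C:\\Data\\notes.txt.bak
"""

# One regex per behaviour the write-up attributes to CryWiper. The specific
# tools, registry value and process names matched here are assumptions.
INDICATORS = {
    "persistence_scheduled_task": re.compile(r"\bschtasks(\.exe)?\b.*/create", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "rdp_blocked_via_registry": re.compile(r"fDenyTSConnections.*/d\s+1\b", re.I),
    "db_or_mail_process_killed": re.compile(
        r"\btaskkill(\.exe)?\b.*\b(sqlservr|MSExchange\w*|postgres|mysqld)\b", re.I),
    "cry_extension_rename": re.compile(r"\brename\b.*\.CRY$", re.I),
}

def score_hosts(log_text, min_categories=3):
    """Return {host: sorted indicator names} for hosts whose number of distinct
    matched behaviours reaches min_categories. A single hit (e.g. listing
    shadow copies) is not enough; the combination is what makes it suspicious."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _, rest = line.partition(" ")
        for name, pattern in INDICATORS.items():
            if pattern.search(rest):
                hits[host].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_categories}

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(names)}")
```

Only host1 is flagged: host2 merely lists shadow copies and renames a file to a harmless extension, so it never reaches the threshold.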
According to the researchers, paying the ransom does not restore the files. CryWiper is the second retaliatory malware strain to target Russian companies, after RURansom, a .NET-based wiper discovered in March. Numerous wipers have been deployed in the ongoing conflict between Russia and Ukraine, including WhisperGate, AcidRain, HermeticWiper, IsaacWiper, DoubleZero, Industroyer2, and CaddyWiper. “Wipers can be effective regardless of the technical skills of the attacker, as even the simplest wiper can wreak havoc on affected systems,” stated Max Kersten, a Trellix researcher.