A previously unknown data malware called CryWiper has been utilized during a spate of cyber attacks against Russian government agencies, courts, and mayoral offices. The attacks have affected organizations in several regions of the country.
What is CryWiper Malware?
The new malware enacts a data wipe on the affected system while posing as a ransomware attack that exports money from organizations. But instead of encrypting information on the system, the malware destroys all data, making it impossible to recover. Organizations and offices that have fallen victim to CryWiper malware attacks will see that the data on their operating system and files has been encoded. A message then appears on the screen of affected devices demanding a ransom for the decryption of the affected files. The ransom message details an email address and the address of a bitcoin wallet. The threat actors instruct victims to transfer over 500 thousand rubles to regain data control.
However, even when the money is transferred to the attackers, the encoded files are completely deleted from the system. This is thought to be an intentional act on the part of programmers and not a mistake in the coding of ransomware. The only files which remain on the system after the attack are the CryWiper files themselves! The attacks are yet to be connected to any particular cybercrime group or ransomware gang. But further details are being reported in Russian-language news sources such as Izvestia.
How Does the New Malware Work?
CryWiper malware will affect the data on databases, digital archives, and saved user documents, encrypting them on the affected device. Crucially, the malware does not destroy the affected files autonomously, rather it will send a request to a command server and only begin the destruction process after receiving permission.
At this point, the cor.rupted data then receives a CRY extension which encrypts the information and ensures it cannot be opened through standard methods. Although it is not completely impossible to recover the data after this attack, it is particularly difficult and time-consuming as the files have been overwritten rather than encoded. This means specialists can only rely on backup data to regain the information.
Wiper Malware Attacks Are Becoming More Common
Over the past decade, wiper malware attacks, which delete rather than encode files, have become increasingly popular amongst cybercriminals. in 2022, a spate of brand new wiper programs has been identified, including WhisperGate, Double Zero, RuRansom, and IsaacWiper. All of this malware has been created to pose as ransomware to blackmail organizations and then deleted the affected software after the money has been received.
In 2017, NotPetya (a self-replicating wiper malware named due to its resemblance to the ransomware Petya) caused an estimated USD 10 billion worth of attacks after it quickly spread across the globe. Organizations in France, the UK, the US, Russia, Italy, Australia, and Germany were affected and lost a monumental amount of data.
