Russian mayors are being targeted by threat actors with CryWiper, a piece of ransomware-like malware. It is actually a wiper that permanently destroys all data on infected systems.
It is reminiscent of an earlier report in which "destructive malware" was used to infect Ukrainian government agencies and non-profit organisations.
Campaign Analysis
Researchers at Kaspersky and the Izvestia news service have revealed shocking details about a new attack involving a trojan. The trojan has ransomware-like capabilities: it modifies files, appends the .CRY extension to them, and drops a README.txt ransom note.
The note contains a bitcoin address, an infection ID and the email address of the malware authors. These are misleading measures on the attackers' part, since CryWiper is not ransomware but a wiper, which is why the researchers named it CryWiper.
Researchers state that the files it modifies cannot be restored to their original state. Paying the ransom is therefore futile.
Pinpoint Targets
Kaspersky's report noted that CryWiper launched "pinpoint strikes" against targets in the Russian Federation. Izvestia, however, reported that these attacks were directed at Russian mayors and their offices.
According to the reports, the wiper corrupts any data that is not essential for the operating system to function. It does not alter files with extensions such as .dll or .exe. Kaspersky observed the attacks over the last few months.
It also avoids damaging system folders under the C:\Windows directory. Instead it targets user documents, archives and databases.
CryWiper leaves a ransom note for its victims
Izvestia examined a system that CryWiper had successfully infected. It left behind a note demanding 0.5 Bitcoin and a wallet address to which the funds were to be transferred. Kaspersky researchers found that the malware does not encrypt data at all, yet still tries to extort money. The researchers also concluded that this was not a mistake by the developer but the original intent.
What is the process?
CryWiper is similar to IsaacWiper. Both use the same pseudorandom number generation algorithm to produce the garbage data that overwrites targeted files. The wiper rewrites file content directly, replacing it with this garbage.
Next, it creates a task in Task Scheduler that restarts the wiper once every five minutes. CryWiper can also send the name of the target device and then wait for a command to begin the attack.
CryWiper also stops the processes of MS SQL and MySQL database servers, the MS Active Directory web service and the MS Exchange mail server. Shadow copies of documents stored on the C: drive are deleted to prevent their restoration. RDP remote access is also disabled on the infected system, which may complicate the work of emergency response teams.
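The behaviours described above leave host artefacts a responder can check for. The following triage script is an added example, not code from the article or from Kaspersky or Izvestia; the service names, the PT5M interval and the registry path are assumptions based on standard Windows names rather than indicators published on the page.

```powershell
# Added triage script (not from the article). Checks a Windows host for the side
# effects the article attributes to CryWiper: a scheduled task repeating every
# five minutes, stopped database/AD/Exchange services, missing volume shadow
# copies, RDP disabled, and files carrying the .CRY extension.
# Service names, the PT5M interval and the registry path are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks whose trigger repeats every five minutes (ISO 8601 "PT5M").
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($trigger in $task.Triggers) {
        if ($trigger.Repetition.Interval -eq 'PT5M') {
            $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ', '
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' repeats every 5 min, runs: $exe")
        }
    }
}

# 2. Services the article says the wiper stops (names assumed; wildcards cover instances).
$services = Get-Service -Name 'MSSQL*', 'MySQL*', 'ADWS', 'MSExchange*' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    if ($svc.Status -ne 'Running') {
        $findings.Add("Service '$($svc.Name)' is $($svc.Status)")
    }
}

# 3. Volume shadow copies (requires an elevated session to enumerate).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    $findings.Add('No volume shadow copies present (deleted or never created)')
}

# 4. RDP disabled via fDenyTSConnections = 1.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 1) {
    $findings.Add('RDP connections are denied (fDenyTSConnections = 1)')
}

# 5. Files with the .CRY extension under user profiles (first few hits only).
$cry = Get-ChildItem -Path "$env:SystemDrive\Users" -Filter '*.CRY' -Recurse -File -ErrorAction SilentlyContinue |
       Select-Object -First 5
foreach ($f in $cry) { $findings.Add("File with .CRY extension: $($f.FullName)") }

if ($findings.Count -eq 0) { 'No CryWiper-like artefacts found.' } else { $findings }
```

Run it from an elevated PowerShell session. Each finding is an indicator to investigate rather than proof of infection, since legitimate tasks can also repeat every five minutes and services may be stopped for maintenance.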
Protection against ransomware and wipers
Protecting yourself and your company from ransomware, data wipers and other malware starts with backing up your data regularly. If data is lost or damaged, you can restore it from backup.
Kaspersky suggests that you carefully control remote access to your infrastructure, including from public networks. It also recommends active malware protection, software that can detect malicious programs and stop them before they cause damage.
You should also set strong passwords on all sensitive accounts and monitor them for unusual activity.