According to Kaspersky Lab, Russian organizations are being hit by the CryWiper malware. It poses as ransomware and demands a ransom, but in fact it does not encrypt the victims' files; it destroys them.
Researchers report that after infecting devices, CryWiper corrupts victims’ files and displays a ransom message. In the note, the attackers left an email address and a bitcoin wallet, demanding more than 500,000 rubles (0.5 BTC) for decrypting the data.
In fact, the files are corrupted beyond recovery. Analysis of the malware code showed that this is not a developer's mistake but deliberate data destruction.
Experts note that the email address the attackers leave for contact has appeared in earlier attacks: the same contact details were previously associated with the Xorist ransomware. This may mean either that the distributor previously used ransomware and switched to a wiper in the new campaign, or that the attackers are reusing third-party details to mislead researchers. To further complicate the work of security teams, CryWiper also blocks access to the compromised device via RDP.
The wiper reportedly destroys the contents of files of all formats except those needed for the operating system itself; databases, archives and documents are the targets. The malware does not decide to destroy files on its own: it sends a request to the command-and-control server and begins its destructive activity only after receiving permission. Files whose contents have been corrupted receive an additional .CRY extension.
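For an incident responder, the renaming behaviour described above is the quickest indicator of scope. The following triage helper is an added example, not code from the article or from Kaspersky: it walks a directory tree, lists every file carrying the extra .CRY extension, recovers the original extension, and summarizes impact per file type. The sample tree it builds is constructed for the example; its paths and contents are not real indicators.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample tree resembling a post-wiper file system (assumed names, not IoCs).
SAMPLE_FILES = {
    "docs/report.docx.CRY": b"\x00" * 64,
    "docs/budget.xlsx.CRY": b"\x00" * 64,
    "db/customers.sqlite.CRY": b"\x00" * 64,
    "backup/site.zip.CRY": b"\x00" * 64,
    "docs/README.txt": b"untouched file",
    # System files are left alone, as the article describes.
    "Windows/System32/kernel32.dll": b"MZ...",
}


def build_sample_tree() -> Path:
    """Create a throwaway directory tree for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="crywiper-triage-"))
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def find_cry_artifacts(root):
    """Return (relative_path, original_extension) for every file ending in .CRY."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".cry"):
                stem = name[:-4]  # strip the appended ".CRY"
                orig_ext = Path(stem).suffix.lower() or "(none)"
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), orig_ext))
    return sorted(hits)


def summarize(hits):
    """Count affected files per original extension for an impact overview."""
    return dict(Counter(ext for _, ext in hits))


if __name__ == "__main__":
    found = find_cry_artifacts(build_sample_tree())
    print(len(found), "affected files:", summarize(found))
```

Point `find_cry_artifacts` at a mounted forensic image or a file share to get the same per-extension overview; files that were already restored from backup should no longer appear.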
According to Izvestia, CryWiper attacks affected mayor's offices and courts in Russian regions. Igor Bederov, head of the information and analytical research department at T.Hunter, believes that attacks of this kind against Russian authorities may be related to the geopolitical situation.
“The CryWiper attack once again shows that paying a ransom does not guarantee file recovery. While we are fixing pinpoint incidents, the malware may continue to attack organizations more actively. To counter such threats, it is important for companies to use comprehensive protection of the corporate network perimeter and train employees in basic cyber hygiene rules, since attacks often begin with phishing or other social engineering techniques,” comments Fedor Sinitsyn, cybersecurity expert at Kaspersky Lab.