New CryWiper Malware Attacks Russian Courts and Mayors’ Offices

A data-wiping program masquerading as ransomware attacked a network of Russian government organizations. The malicious program was first discovered in autumn of 2022 by Kaspersky, a Russian multinational cybersecurity and anti-malware firm, which named the program “CryWiper.” A local Russian media report divulged that CryWiper targeted several courts and mayors’ offices. The exact number of offices hit by CryWiper is not public knowledge.

CryWiper – Data-wiping In Disguise

According to a report by Kaspersky, their solutions “detected attempts by a previously unknown Trojan… to attack an organization’s network in the Russian Federation.” Although the program’s prompt tells targets that data will be restored after a fee is paid, no files can be recovered. Deep code analysis shows the program was intentionally programmed to corrupt files beyond repair from the start.

Written in C++ and designed to abuse WinAPI function calls, CryWiper is a 64-bit executable named ‘browserupdate.exe.’ Once executed, the program schedules tasks to run every five minutes. However, Kaspersky’s analysis found that the program delayed execution for four days, an effort likely aimed at confusing targets about the root of the infection.

The program corrupts all files except for “.exe”, “.dll”, “.lnk”, “.sys”, “.msi”, and its own “.CRY” file types. It then deletes shadow copies to prevent restoration, making deleted data impossible to recover. It also modifies the Windows Registry to prevent incident response or intervention by remote IT professionals.

The wiper then corrupts. It also spares Windows Systems files and Boot directories. This is thought to be an effort to prevent the wiper from completely devastating the computer, rendering it unusable — a considerate afterthought.  

After wiping all data on the PC, the malware generates a ransom note entitled ‘README.txt,’ which prompts targets to pay 0.5 Bitcoin (approximately US$8000 at the time of writing) for a decryption code to recover lost data. However, even when the ransom is paid within the 24-hour deadline, the data isn’t restored. Later analysis found it was intentionally corrupted beyond the possibility of recovery.

Figure: CryWiper ransom note with instructions on how to pay (source: Kaspersky)

“It masquerades as ransomware and extorts money from the victim for ‘decrypting’ data, does not actually encrypt, but purposefully destroys data in the affected system.” – Kaspersky report
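The file behaviour described above (a process named browserupdate.exe leaving files with the .CRY extension) can be turned into a burst detector for file-write telemetry. The Python below is an added example, not code from Kaspersky or from this article; the event record layout, the thresholds and every host name and path in the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

WIPED_EXT = ".cry"                 # extension named in the article
KNOWN_IMAGE = "browserupdate.exe"  # executable name reported in the article

def detect_bursts(events, threshold=4, window=60):
    """Flag a (host, process) pair once `threshold` files with the .CRY
    extension are written within `window` seconds.

    events: time-ordered tuples (ts_seconds, host, image_path, written_path).
    This record layout is hypothetical; map your EDR fields onto it.
    """
    recent = defaultdict(deque)    # (host, image name) -> recent timestamps
    alerted, alerts = set(), []
    for ts, host, image, path in events:
        if PureWindowsPath(path).suffix.lower() != WIPED_EXT:
            continue               # only writes that end in .CRY count
        key = (host, PureWindowsPath(image).name.lower())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)       # one alert per host/process pair
            alerts.append({
                "host": host,
                "image": key[1],
                "first_seen": q[0],
                "count": len(q),
                # A name match raises severity; the burst alone still alerts,
                # because a file name is trivial to change.
                "severity": "high" if key[1] == KNOWN_IMAGE else "medium",
            })
    return alerts

# Constructed sample telemetry (not real incident data).
SAMPLE = [
    (0,   "ws01", r"C:\Temp\browserupdate.exe", r"D:\docs\a.docx.CRY"),
    (2,   "ws01", r"C:\Temp\browserupdate.exe", r"D:\docs\b.xlsx.CRY"),
    (3,   "ws02", r"C:\Tools\archiver.exe",     r"E:\out\x.CRY"),
    (5,   "ws01", r"C:\Temp\browserupdate.exe", r"D:\docs\c.pdf.CRY"),
    (9,   "ws01", r"C:\Temp\browserupdate.exe", r"D:\docs\d.txt.CRY"),
    (10,  "ws01", r"C:\Temp\browserupdate.exe", r"D:\docs\notes.txt"),
    (400, "ws02", r"C:\Tools\archiver.exe",     r"E:\out\y.CRY"),
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE):
        print(alert)
```

Because the page reports a four-day delay before execution, an alert from this kind of rule marks the destructive stage, not the initial intrusion; the hunt for the original entry point has to look back at least that far.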

The file-corrupting algorithm was based on “Mersenne Twister,” a pseudorandom number generator. This was the same algorithm used for “IsaacWiper”, a malware program used to target Ukraine’s governmental network earlier this year. Despite the similarities, researchers found no other connection between the two wipers. 

The attack model prevents the creators of CryWiper from making much money. Considering it targeted government networks, its creators were likely aware word would quickly spread about it not restoring data upon payment. 

This leaves reason to believe the wiper wasn’t created for financial gain, but rather for disrupting specific Russian government operations. As such, it’s clear the primary intention was to wipe data from target organizations and cause serious operational disruptions.

The Rise of Wiper Malware

Wiper malware is extremely effective at disrupting operations and is often used as a political weapon to destabilize opponents. CryWiper also resembles RuRansom, another wiper program employed to attack Russia soon after its invasion of Ukraine.

Data-wiping malware rose sharply in 2022, a trend thought to result from global unrest and the Russia-Ukraine conflict. This worrying trend also coincides with a disturbing escalation in devastating malware overall, concerning government organizations worldwide. 

Regarding the rise of wiper malware globally, Kaspersky states “the number of cyberattacks, including those using wipers, will grow, largely due to the unstable situation in the world.”

To prevent falling victim to wipers, Kaspersky offers several cybersecurity suggestions for organizations to mitigate risk:

• Using endpoint protection with behavioral file analysis
• Implementing a timely detection and incident response plan for intrusions
• Conducting regular penetration testing to identify vulnerabilities before an attack
• Using threat data monitoring to detect and block malicious activity
• Staying informed about up-to-date advancements in cybercrime tactics and infrastructures

Staying Protected Day-To-Day

As global hostility continues to grow, governments embroiled in conflict are likely to face attacks similar to the CryWiper campaign on Russia’s governmental network. While it’s unlikely that citizens will be targeted heavily with data-wiping malware, ransomware is a constant threat. To prevent cybersecurity disasters and secure your digital integrity, it’s paramount to practice good cyber hygiene.

CyberGhost VPN uses robust encryption to secure your internet connection and allows you to swap your device IP address for a new one. With thousands of servers worldwide, you can connect any time to enjoy safer internet browsing. Install CyberGhost today as part of your cyber hygiene strategy. 
