
CryWiper Malware

Threat actors are using a brand new malware tool in targeted attacks against mayor's offices and courts in Russia. The malicious threat is being tracked as CryWiper by the researchers at Kaspersky. Additional details about the attack campaigns have been revealed by the news service Izvestia.

According to the available information, CryWiper poses as a ransomware threat deployed as part of a financially motivated attack. The threat will impact the data found on the breached computer systems and leave it in an unusable state. The locked files will have '.cry' appended to their original names. Izvestia reports that victims are provided with a ransom note demanding the payment of 0.5 BTC (Bitcoin). At the current exchange rate of the cryptocurrency, the ransom is worth more than $8500. The funds are expected to be transferred to the provided cryptowallet address.

Data Recovery Is Not Possible

In reality, however, victims of CryWiper will not be able to restore their data, even if they meet the demands of the attackers. The reason is that CryWiper destroys the data of the files it affects. This functionality doesn't appear to be a result of faulty programming and is instead an intended consequence of CryWiper's execution. The experts have discovered that the algorithm used for the destruction of the victims' data is Mersenne Vortex PRNG. This is a rarely used choice found in few malware threats, with one such example being IsaacWiper. CryWiper could also be connected to the Xorist and MSIL Agent ransomware threats, as all three use the same email addresses for contact. 

Additional Details

CryWiper is spread as a 64-bit executable targeting Windows systems. The threat was created using the C++ programming language and compiled with the MinGW-w64 toolkit and the GCC compiler. Cybersecurity experts point out that not using the more typical Microsoft Visual Studio is an unusual choice and could signal that the hackers responsible for the threat were using non-Windows devices.

Recovering data affected by wipers such as CryWiper could be difficult. That is why it is strongly recommended to create regular backups and to keep all installed software tools and cybersecurity solutions up-to-date. 
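
To scope what has to be restored from backup, responders can list every file carrying the '.cry' marker and check whether its content now looks like PRNG output. The following is an added example, not code from Kaspersky or from this article; the function names, the 64 KB sample size and the 7.5 bits-per-byte threshold are assumptions, and the sample files are constructed.

```python
import math
import os
import tempfile
from collections import Counter

MARKER = ".cry"  # extension the article says is appended to the original name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform PRNG output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scope_damage(root, sample=65536, threshold=7.5):
    """List marker files under root with original name and entropy.
    threshold is an assumed cut-off; compressed or encrypted data also scores
    high, so 'overwritten' means 'restore from backup', not attribution."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(sample))
            findings.append({"path": path,
                             "original_name": name[:-len(MARKER)],
                             "entropy": round(entropy, 2),
                             "overwritten": entropy >= threshold})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed sample tree: one overwritten file, one renamed only, one clean."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"budget.xlsx.cry": os.urandom(65536),       # stands in for PRNG output
                   "notes.txt.cry": b"meeting at 10\n" * 4000,  # renamed, content intact
                   "readme.txt": b"untouched\n"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return [(f["original_name"], f["overwritten"]) for f in scope_damage(root)]


if __name__ == "__main__":
    print(demo())
```

The `original_name` field gives the file name to look up in the backup catalogue; run the scan against a read-only mount or forensic image rather than the live host.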
