Mayor’s offices and courts in Russia are being attacked by unprecedented malware that masquerades as ransomware, but is in fact a wiper that permanently destroys data on an infected system, according to security firm Kaspersky and the news service Izvestia.
Kaspersky researchers have named the wiper CryWiper, a nod to the .cry extension that is added to destroyed files. Kaspersky says its team has seen the malware launch “local attacks” against targets in Russia. Izvestia, meanwhile, reported that the targets are the offices and courts of Russian mayors. Additional details, including how many organizations were affected and whether the malware successfully erased data, were not immediately known.
Wiper malware has become increasingly common over the last decade. In 2012, a windshield wiper known as Shamoon wreaked havoc in Saudi Arabia’s Saudi Aramco and Qatar’s RasGas. Four years later, a new variant of Shamoon returned and affected multiple organizations in Saudi Arabia. In 2017, self-replicating malware called NotPetya spread around the world within hours, causing an estimated $10 billion in damage. A wave of new windshield wipers appeared in the past year. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.
Kaspersky said it had discovered CryWiper’s attack attempts in recent months. After infecting a target, the malware left a note demanding 0.5 bitcoin, according to Izvestia, and providing a wallet address to which payment could be made.
“After examining a sample of malware, we found out that although this trojan pretends to be ransomware and extorts money from the victim to ‘decrypt’ data, it does not actually encrypt, but purposefully destroys data in the affected system said Kaspersky’s report. mention. “In addition, an analysis of the Trojan’s code showed that this was not a developer’s error, but rather its original intent.”
CryWiper bears some resemblance to IsaacWiper, which targeted organizations in Ukraine. Both wipers use the same algorithm for generating pseudo-random numbers that damage targeted files by overwriting the data in them. The name of the algorithm is the Mersenne Vortex PRNG. The algorithm is rarely used, so the commonality was noticeable.
CryWiper shares a separate similarity with ransomware families known as Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. Notably, the email address in the ransom note of all three is the same.
The CryWiper sample analyzed by Kaspersky is a 64-bit Windows executable. It is written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. This is an unusual choice, as malware written in C++ is more likely to use Microsoft’s Visual Studio. One possible reason for this choice is that it allows developers to port their code to Linux. Given the number of specific calls CryWiper makes to Windows programming interfaces, this reason seems unlikely. The most likely reason is that the developer who wrote the code was using a non-Windows device.
Successful wiper attacks often exploit poor network security. Kaspersky advised network engineers to take precautions by using:
- Security solutions for file behavior analysis for endpoint security.
- Managed detection and response and security operations center that enables timely detection of an intrusion and takes action to respond.
- Dynamic analysis of email attachments and blocking of malicious files and URLs. This makes email attacks, one of the most common vectors, more difficult.
- Conducting penetration tests and RedTeam projects on a regular basis. This helps identify and protect vulnerabilities in the organization’s infrastructure, thereby significantly reducing the attack surface for intruders.
- Threat data monitoring. To detect and block malicious activities in a timely manner, it is necessary to have up-to-date information about intruders’ tactics, tools and infrastructure.
Given the Russian invasion of Ukraine and other geopolitical conflicts raging around the world, the rate of wiper malware is unlikely to slow down in the coming months.
“In many cases, wiper and ransomware incidents are caused by insufficient network security, and it is the strengthening of protection that should be addressed,” said Friday’s Kaspersky report. “We assume that the number of cyber-attacks, including those involving the use of windshield wipers, will increase, largely due to the volatile situation in the world.”