Public organizations in Russia, including mayoral offices and courts, are the target of a brand new and quite cunning malware variant.
CryWiper masquerades as ransomware, attempting to extort money from victims (0.5 bitcoins, or about $9,000 at press time), but its goal is not to make money. Its goal is to destroy all files found on the infected endpoint.
Cybersecurity researchers from Kaspersky report “precision” cyberattacks in Russia, where infected files get a new extension – .cry (hence the name CryWiper). Although local media reported that the attackers targeted the mayor’s offices and the country’s courts, it is not known exactly how many entities they managed to compromise.
Russians aiming at Russians?
What we do know is that this malware shares characteristics with two other malware strains: Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. All three use the same email address in the ransom note. Xorist was first spotted in 2010 and is described as a Windows ransomware family targeting Russian and English-speaking users.
CryWiper was written in C++, which according to Ars Technica is an unusual choice and indicates that the cybercriminals could have used a non-Windows device to write the code.
The same publication also states that the malware is relatively similar to IsaacWiper, a wiping malware that recently targeted Ukrainian companies. Apparently both wipers use the same algorithm to generate pseudo-random numbers that overwrite the data in the files, thus corrupting them permanently.
The attackers allegedly use the Mersenne Vortex PRNG algorithm, which is another rare feature.
Wipers are among the most dangerous malware variants available, as their sole purpose is to permanently “erase” all data on the target endpoint. To defend against such attacks, users are advised to be careful when downloading email attachments and to ensure that their software and hardware are always up to date. Having state-of-the-art cybersecurity solutions is also recommended.
By: Ars Technica