CryWiper hits Russian courts and mayor offices in data-wiping attacks

Updated on 2022-12-05

Kaspersky identified a new data wiper, dubbed CryWiper, that was used for destructive attacks against Russia’s mayor’s offices and courts. The malware pretends to be a ransomware. Read more: New CryWiper wiper targets Russian entities masquerading as a ransomware

Updated on 2022-12-04: CryWiper Malware Seen on Russian Courts and Mayors’ Office Networks

Researchers at Kaspersky have detected malware they call CryWiper on networks of Russian courts and mayors’ offices. CryWiper pretends to be ransomware: “it modifies files, adds a .CRY extension to them (unique to CryWiper), and saves a README.txt file with a ransom note.” However, it actually permanently destroys data.

Note

• This is not a ransomware strain you can decrypt to recover from: you’re going to need those differential backups we’ve been discussing. Today, this malware is highly targeted, focusing on Russian mayor’s offices and courts, and we know that can change, so incorporate known IOCs into your threat hunting activities. This, like others, spreads through network weaknesses as well as email attachments, so make sure you’re monitoring your network, filtering URLs and attachments in email to the extent possible, as well as providing guidance to users on link and attachment handling.
• Consider “read only” and “execute only” access control rules to reduce the potential risk of both ransomware and wipers.

Read more in

• CryWiper: fake ransomware
• Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices
• Fresh CryWiper Wiper Malware Aims to Destroy Russian Data
• New CryWiper data wiper targets Russian courts, mayor’s offices
• Russian Courts Targeted by New CryWiper Data Wiper Malware Posing as Ransomware

Overview: CryWiper hits Russian courts and mayor offices in data-wiping attacks

Judicial courts and mayor officers across several Russian regions have been hit by a new data-wiping trojan, according to reports from Russian antivirus maker Kaspersky and local news outlet Izvestia.

Named CryWiper, the malware goes through the motions of a ransomware attack, where it scrambles files and leaves a ransom note demanding money. But Kaspersky researchers say they found evidence of data destruction routines, meaning that even if victims paid the attackers, they would not be able to recover their files.

Neither Kaspersky nor Russian government officials have formally attributed CryWiper to any specific group or entity, but the attacks over the past month are most likely connected to the Russian-Ukrainian conflict, which involved the deployment of multiple wipers, on both sides of the conflict.

Ukraine was hit the most, with wipers such as WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.

Russia wasn’t spared either, being hit in March by another wiper posing as run-of-the-mill ransomware, a wiper named RuRansom.