Skip to Content

CryWiper hits Russian courts and mayor offices in data-wiping attacks

Updated on 2022-12-05

Kaspersky identified a new data wiper, dubbed CryWiper, that was used for destructive attacks against Russia’s mayor’s offices and courts. The malware pretends to be a ransomware. Read more: New CryWiper wiper targets Russian entities masquerading as a ransomware

Updated on 2022-12-04: CryWiper Malware Seen on Russian Courts and Mayors’ Office Networks

Researchers at Kaspersky have detected malware they call CryWiper on networks of Russian courts and mayors’ offices. CryWiper pretends to be ransomware: “it modifies files, adds a .CRY extension to them (unique to CryWiper), and saves a README.txt file with a ransom note.” However, it actually permanently destroys data.


  • This is not a ransomware strain you can decrypt to recover from: you’re going to need those differential backups we’ve been discussing. Today, this malware is highly targeted, focusing on Russian mayor’s offices and courts, and we know that can change, so incorporate known IOCs into your threat hunting activities. This, like others, spreads through network weaknesses as well as email attachments, so make sure you’re monitoring your network, filtering URLs and attachments in email to the extent possible, as well as providing guidance to users on link and attachment handling.
  • Consider “read only” and “execute only” access control rules to reduce the potential risk of both ransomware and wipers.


Overview: CryWiper hits Russian courts and mayor offices in data-wiping attacks

Judicial courts and mayor officers across several Russian regions have been hit by a new data-wiping trojan, according to reports from Russian antivirus maker Kaspersky and local news outlet Izvestia.

Named CryWiper, the malware goes through the motions of a ransomware attack, where it scrambles files and leaves a ransom note demanding money. But Kaspersky researchers say they found evidence of data destruction routines, meaning that even if victims paid the attackers, they would not be able to recover their files.

Neither Kaspersky nor Russian government officials have formally attributed CryWiper to any specific group or entity, but the attacks over the past month are most likely connected to the Russian-Ukrainian conflict, which involved the deployment of multiple wipers, on both sides of the conflict.

Ukraine was hit the most, with wipers such as WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.

Russia wasn’t spared either, being hit in March by another wiper posing as run-of-the-mill ransomware, a wiper named RuRansom.

Text of CryWiper requirements

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.