CryWiper: fake ransomware

New CryWiper malware irreversibly corrupts files posing as ransomware.

CryWiper disguised as ransomware

Our experts have discovered an attack of a new Trojan, which they’ve dubbed CryWiper. At the first glance, this malware looks like ransomware: it modifies files, adds a .CRY extension to them (unique to CryWiper), and saves a README.txt file with a ransom note, which contains the bitcoin wallet address, the contact e-mail address of the malware creators, and the infection ID. However, in fact, this malware is a wiper: a file modified by CryWiper cannot be restored to its original state — ever. So if you see a ransom note and your files have a new .CRY extension, don’t hurry to pay the ransom: it’s pointless.

In the past, we’ve seen some malware strains that became wipers by accident — due to mistakes of their creators who poorly implemented encryption algorithms. However, this time it’s not the case: our experts are confident that the main goal of the attackers is not financial gain, but destroying data. The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.

What CryWiper is hunting for

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

How the CryWiper Trojan works

In addition to directly overwriting the contents of files with garbage, CryWiper also does the following:

  • creates a task that restarts the wiper every five minutes using the Task Scheduler;
  • sends the name of the infected computer to the C&C server and waits for a command to start an attack;
  • halts processes related to: MySQL and MS SQL database servers, MS Exchange mail servers and MS Active Directory web services (otherwise access to some files would be blocked and it would be impossible to corrupt them);
  • deletes shadow copies of files so that they cannot be restored (but for some reason only on the C: drive);
  • disables connection to the affected system via RDP remote access protocol.

The purpose of the latter isn’t entirely clear. Perhaps with such disabling the malware authors tried to complicate the work of the incident response team, which would clearly prefer to have remote access to the affected machine — they’d have to get physical access to it instead. You can find technical details of the attack along with indicators of compromise in a post on Securelist (in Russian only).

How to stay safe

To protect your company’s computers from both ransomware and wipers, our experts recommend the following measures:

  • carefully control remote access connections to your infrastructure: prohibit connections from public networks, allow RDP access only through a VPN tunnel, and use unique strong passwords and two-factor authentication;
  • update critical software in a timely manner, paying special attention to the operating system, security solutions, VPN clients, and remote access tools;
  • raise security awareness of your employees, for example, using specialized online tools;
  • employ advanced security solutions to protect both work devices and the perimeter of the corporate network.