Russia Hit by New ‘CryWiper’ — Fake Ransomware

A new wiper malware is destroying data on Russian government PCs. Dubbed CryWiper, the dastardly Trojan is targeting only certain agencies.

To add insult to injury, CryWiper pretends to be ransomware. It instructs its victims to send half a bitcoin to the hackers, but the data’s already been overwritten—not encrypted.

Who’s responsible? The CIA? Ukraine? Or an inside job? In today’s SB Blogwatch, we play the odds.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Every Windows wallpaper.

Vlad Sobs

What’s going on? Иван Черноусов is lost in translation—“Russian government attacked by a new encryption virus”:

CryWiper destroys the contents of files
Russian mayors’ offices and courts were attacked by a new ransomware—CryWiper. [It] encodes the data on the computer, then a message appears on the screen demanding to pay a ransom of $8,600. … The program does not restore files — they are deleted without the possibility of recovery. Analysis of the code showed this is not a developer’s mistake, but his original intention.

CryWiper destroys the contents of files of all formats, with the exception of those responsible for the operation of the system itself. … Experts call viruses of this kind “wipers” … programs that erase data when a device is infected.

And Dan Goodin adds—“Never-before-seen malware is nuking data in Russia”:

Some resemblance to IsaacWiper
Wiper malware has grown increasingly common. … In the past year, a flurry of new wipers appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.

CryWiper bears some resemblance to IsaacWiper, which targeted organizations in Ukraine. Both wipers use the same algorithm for generating pseudo-random numbers. … The algorithm is rarely used, so the commonality stuck out. [It also] shares a separate commonality with ransomware families known as Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent.

More details, please. Bill Toulas obliges—“New CryWiper data wiper”:

Destruction
CryWiper is a 64-bit Windows executable named ‘browserupdate.exe’ written in C++, configured to abuse many WinAPI function calls. Upon execution, it creates scheduled tasks to run every five minutes. … It contacts a command and control server [which] responds with either a “run” or “do not run” command, determining whether the wiper will activate or stay dormant.

CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction. … CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder … incident response.

Horse’s mouth? Федор Синицын and Янис Зинченко also get lost—“CryWiper pretends to be ransomware”:

Trojan-Ransom.Win64.CryWiper
Most cyberattacks are financially motivated, but in recent years there’s been an increase in the number of attacks whose goal is not to enrich, but to harm. [It] is a hoax: The data has been destroyed and cannot be returned.

IoC:
14808919a8c40ccada6fb056b7fd7373 – Trojan-Ransom.Win64.CryWiper.a
c:\windows\system32\browserupdate.exe – path to the Trojan sample on the system
hxxp://82.221.141.8/IYJHNkmy3XNZ – C&C server.
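A host-triage check built from the behaviours and indicators quoted above, added here as an example (it is not code from the page, from Kaspersky, or from any of the cited sources). It assumes the MD5, file path and C&C address exactly as listed on this page, treats fDenyTSConnections as the registry value used to block RDP (the page says only that the Registry is modified, not which key), and matches the five-minute scheduled task by its action because no task name is given.

```powershell
# Added triage script (not from the page or any vendor): looks for the CryWiper
# indicators quoted above on the local Windows host. Assumptions: the MD5, path and
# C&C IP are the IoCs listed on this page; the RDP-blocking value is assumed to be
# fDenyTSConnections (the page does not name it); the scheduled-task name is unknown,
# so tasks are matched by the executable in their action.
$IocMd5  = '14808919a8c40ccada6fb056b7fd7373'
$IocPath = 'C:\Windows\System32\browserupdate.exe'
$IocC2   = '82.221.141.8'
$findings = @()

# 1. Dropped sample on disk; compare the hash so a renamed benign file is not a false hit
if (Test-Path $IocPath) {
    $hash  = (Get-FileHash -Path $IocPath -Algorithm MD5).Hash
    $match = if ($hash -ieq $IocMd5) { 'hash matches IoC' } else { "hash $hash differs from IoC" }
    $findings += "File present at $IocPath ($match)"
}

# 2. Scheduled tasks whose action runs browserupdate.exe (the page says one fires every five minutes)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'browserupdate\.exe' -or $a.Arguments -match 'browserupdate\.exe') {
            $findings += "Scheduled task '$($task.TaskPath)$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}

# 3. RDP denied via the registry (assumed key; fDenyTSConnections=1 means connections are refused)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 1) {
    $findings += 'Registry fDenyTSConnections=1 (RDP denied); confirm this is not a sanctioned policy'
}

# 4. Live TCP connection to the C&C address listed on the page
$conn = Get-NetTCPConnection -RemoteAddress $IocC2 -ErrorAction SilentlyContinue
if ($conn) {
    $pids = ($conn.OwningProcess | Sort-Object -Unique) -join ', '
    $findings += "Active TCP connection(s) to $IocC2 from PID(s): $pids"
}

if ($findings.Count -eq 0) {
    Write-Output 'No CryWiper indicators found on this host.'
} else {
    Write-Output 'Possible CryWiper indicators:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session, since Get-ScheduledTask and Get-NetTCPConnection return incomplete results for non-administrators; a hit on the hash or the task action is the strongest signal, while the RDP value alone may simply reflect local policy.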

Who’s the culprit? Peter Kilpe prevaricates a bit—“Ukraine at D+284”:

No one is offering attribution, but the selection of targets would seem circumstantially to point to Ukrainian cyber operations.

Alternatively, it’s coming from inside the house. Here’s u/atttrae:

[Or the] resistance movement inside Russia. The same … ones fire bombing police stations, recruitment offices and other governmental buildings. … This is way more likely [to be] coming from within Russia itself, to hinder conscription and punishment of those who refuse to die in the idiotic war.

There’s certainly plenty of home grown talent. As Miles_O’Toole notes:

I couldn’t help but wonder if some family members of Russia’s flourishing, state-supported malware community came home in body bags—which would probably engender some animus against the government that sent them off to be slaughtered in an ill-considered military adventure. Or perhaps a malware community member was one of those young Russian men recently called up to serve as cannon fodder in Putin’s catastrophic invasion of Ukraine. It would be a lot harder to track down conscripts with government records deleted or in disarray.

Or a third party? EvelinaBerg:

I’m sure this is what the US loves to do: Meddle in a war between Russia and Ukraine through cyber attacks.

Meanwhile, Pescallunes snarks it up:

It’s not malware, it’s a special software operation.

And Finally:

Paste this

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: DonkeyHotey (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

