CryWiper: Fake ransomware destroys data, especially in Russia
Kaspersky warns of malware that appears to behave like ransomware but directly destroys data rather than encrypting it. Virus analysts detected the malware on systems in Russia.
Is this ransomware?
Virus analysts describe that when a computer is infected, the malware modifies files, appending a .CRY extension to them, and drops a README.txt file containing a ransom message. The message includes a bitcoin wallet address, a contact email address and an infection ID. However, the malware turns out to be a wiper, that is, data-destroying malware: the authors explain that the supposedly encrypted files can never be restored to their original state. So if you find a ransom note and files with the .CRY extension, paying the ransom is pointless.
During their analysis, the virus specialists concluded that this was not a matter of bugs or accidental data destruction caused by poorly implemented encryption routines, as has occasionally been observed in the past. Instead, the analysts assume intentional data destruction: the data is not encrypted, but the Trojan overwrites it with pseudo-random data.
In doing so, CryWiper destroys all data that is not required for the operating system to run. The malware spares files with the extensions .exe, .dll, .lnk, .sys or .msi, as well as various subfolders of C:\Windows, and instead focuses on databases, archives and user documents.
So far, only targets in Russia
To date, Kaspersky has only detected attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same malicious code will not be used against other targets.
Apart from overwriting file contents with garbage, CryWiper has further features. The malware creates a scheduled task that relaunches it every five minutes. It also sends the name of the infected computer to its command-and-control servers and waits for the command to launch the attack. CryWiper terminates processes belonging to MySQL, MS SQL, Exchange and MS Active Directory Web Services, because otherwise their files would be locked and thus protected from tampering.
The malware also deletes backups, but only on the C: drive. This may offer a small glimmer of hope for affected administrators: database backups stored on the D: drive, which is often used in practice for Exchange and SQL servers, may still survive. It also turns off RDP services; Kaspersky suspects that this is meant to make the work of any incident response team more difficult.
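As an added example (not from the article or from Kaspersky's report), the following Python sketch turns the behaviours described above into detection logic run over constructed endpoint telemetry: a burst of renames to .CRY, a dropped README.txt, and termination of the database and Exchange services. The log format, host names and process-name fragments are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real CryWiper logs); one event per line:
# <ISO timestamp> <host> <event> <details>
SAMPLE_LOG = """\
2022-12-01T10:00:01 FS01 RENAME D:\\Data\\q3.xlsx -> D:\\Data\\q3.xlsx.CRY
2022-12-01T10:00:02 FS01 RENAME D:\\Data\\report.docx -> D:\\Data\\report.docx.CRY
2022-12-01T10:00:02 FS01 CREATE D:\\Data\\README.txt
2022-12-01T10:00:03 FS01 RENAME D:\\Archive\\2021.zip -> D:\\Archive\\2021.zip.CRY
2022-12-01T10:00:05 FS01 PROCESS_TERMINATE sqlservr.exe
2022-12-01T10:03:00 WS07 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.bak
2022-12-01T10:03:01 WS07 CREATE C:\\Users\\a\\README.txt
"""

# Name fragments for the services the article says CryWiper kills so their
# files are not locked (executable names are my assumption, not the article's).
TARGET_PROCESS_HINTS = ("sqlservr", "mysqld", "exchange", "activedirectory.webservices")
WINDOW, MIN_CRY_RENAMES = timedelta(seconds=60), 3  # alert on 3 .CRY renames within 60 s

def detect_crywiper(log):
    """Return {host: [reasons]} for hosts showing the CryWiper pattern."""
    cry_times, note_hosts, killed = defaultdict(list), set(), defaultdict(set)
    for line in log.splitlines():
        fields = line.split(" ", 3)
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts, host, event, details = fields
        low = details.lower()
        if event == "RENAME" and low.endswith(".cry"):
            cry_times[host].append(datetime.fromisoformat(ts))
        elif event == "CREATE" and low.endswith("\\readme.txt"):
            note_hosts.add(host)
        elif event == "PROCESS_TERMINATE" and any(h in low for h in TARGET_PROCESS_HINTS):
            killed[host].add(details)
    findings = {}
    for host, times in cry_times.items():
        times.sort()
        # A wiper renames many files quickly: require a burst in some sliding window.
        burst = any(times[i + MIN_CRY_RENAMES - 1] - times[i] <= WINDOW
                    for i in range(len(times) - MIN_CRY_RENAMES + 1))
        if burst:
            reasons = [f"{len(times)} .CRY renames"]
            if host in note_hosts:
                reasons.append("README.txt ransom note dropped")
            if killed[host]:
                reasons.append("terminated: " + ", ".join(sorted(killed[host])))
            findings[host] = reasons
    return findings
```

A lone README.txt without the rename burst (host WS07 in the sample) is deliberately not flagged, so the rename burst is the primary signal and the note and process kills only enrich the finding.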
In the Kaspersky blog entry, the authors also provide information about preventive measures. IT managers should take a comprehensive look at the remote access connections in their infrastructure. Access from public networks should be prevented, RDP access should be protected, for example through a VPN tunnel, and strong passwords should be used along with two-factor authentication. Critical software should receive timely updates, with a special focus on the operating system, security software, VPN clients and remote access tools. Finally, employee training is also on the list, to raise awareness of IT security.
Ransomware has been slowly changing for some time. Cybercriminals are moving away from pure local (and error-prone) encryption with ransomware, towards exfiltrating and selling sensitive data captured during intrusions, and towards destroying local data after copying it.