A new wiper trojan, disguised as a ransomware payload, has been discovered in the wild by researchers, raising questions about the reason for its existence and the identity of its operators.
CryWiper, named for the distinctive ‘.cry’ extension which it appends onto files, appears on first impression to be a new ransomware strain. Victims’ devices are seemingly encrypted and a ransom note is left demanding money be sent to a bitcoin wallet address. However, the files are actually corrupted beyond recovery.
RELATED RESOURCE
Getting board-level buy-in for security strategy
Why cyber security needs to be a board-level issue
Kaspersky researchers laid out findings that prove the malware is actually a wiper that corrupts all but the most critical system files, overwriting each with data produced through a pseudo-random number generator.
Once on a victim’s system, CryWiper sends the name of the victim’s device to a command and control (C2) server, waiting for an activation command to launch an attack.
This follows a similar methodology to ransomware, with functions performed including the deletion of volume shadow copy to prevent files from being restored and scheduling itself in Windows Task Scheduler to ensure that it restarts every five minutes.
CryWiper also ceases MS SQL, MySQL, MS Active Directory, and MS Exchange services, so that files associated with them are not prevented from being corrupted.
Researchers noted that it disables connection to infected devices through remote desktop protocol (RDP) too, and posited that this is to frustrate the efforts of security teams responding to the incident.
This marks a divergence from typical ransomware behaviour, as payloads generally maintain RDP access in order to facilitate lateral attacks across networks.
A wiper is a malware strain designed to destroy systems indiscriminately, or otherwise cause chaos and destruction on a victim’s device. Wipers have been widely used in Russia’s cyber war against Ukraine, and form part of a malware arsenal that has formed the backbone of the growing threat against critical national infrastructure (CNI).
An email address provided in the ransom text file has been in use since 2017, linking it to several former ransomware families. No conclusive identification has yet been made linking any of the groups.
In a Russian-language blog post unpacking the technical details of the malware, Kaspersky researchers drew further similarities between CryWiper and another wiper observed attacking public infrastructure in Ukraine earlier this year, known as IsaacWiper.
Both wipers use the same pseudo-random generator, ‘Mersenne Vortex’, and are the only two to do so due to the relative complexity of the algorithm compared to other options.
“It’s not common practice, however, deploying destructive payloads that contain ransom notes, with no intention to receive a ransom has been seen before,” said Andy Norton, European cyber risk officer at Armis.
“NotPetya is an example of a previous wiper attack. Plausible deniability is one reason to add false flags to malware payloads, another tactic is to invent fictitious threat actor groups, such as the 'Cutting Sword of Justice' again with the reason to deflect attribution of the attack.”
At the time of writing, Kaspersky has only observed targeted CryWiper attacks within the Russian Federation. Given the unknown nature of the group behind CryWiper, as well as the strategic intent of the trojan at this stage, businesses should remain alert to the telltale signs of the payload.
To avoid compromise, Kaspersky recommends close oversight of remote network connections, the use of VPN tunnels for RDP access, as well as strong rather than common passwords, and two-factor authentication (2FA) where possible.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
