Never-before-seen malware destroys data in Russian courts and mayoral offices


Mayors' offices and courts in Russia are under attack from never-before-seen malware that masquerades as ransomware but is actually a wiper that permanently destroys data on an infected system, according to security firm Kaspersky and the Izvestia news service.

Kaspersky researchers named the wiper CryWiper, a nod to the .cry extension that is appended to destroyed files. Kaspersky says its team has seen the malware launch “point attacks” on targets in Russia. Izvestia, meanwhile, said the targets were Russian town halls and courts. Additional details, including the number of organizations affected and whether the malware succeeded in erasing the data, were not immediately known.

Wiper malware has become increasingly common over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Aramco in Saudi Arabia and RasGas in Qatar. Four years later, a new variant of Shamoon returned and hit several organizations in Saudi Arabia. In 2017, self-replicating malware called NotPetya spread across the world within hours and caused damage estimated at $10 billion. Over the past year, a slew of new wipers have appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.

Kaspersky said it discovered CryWiper attack attempts over the past few months. After infecting a target, the malware left a note demanding, according to Izvestia, 0.5 bitcoin and including a wallet address where payment could be made.


"After examining a sample of the malware, we discovered that this Trojan, although it poses as ransomware and extorts money from the victim to 'decrypt' the data, does not actually encrypt, but deliberately destroys the data in the affected system," the Kaspersky report states. "Furthermore, an analysis of the Trojan's program code showed that this was not a mistake by the developer but its original intention."

CryWiper resembles IsaacWiper, which targeted organizations in Ukraine. Both wipers corrupt the targeted files by overwriting their contents with output from the same pseudo-random number generator, the Mersenne Twister PRNG. That generator is rarely seen in this kind of malware, so the commonality stands out.
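A forensic check that follows from this detail, as an added example (it is neither Kaspersky's analysis nor the wiper's code): Mersenne Twister (MT19937) output is not cryptographically random. Its 624-word internal state can be recovered from 624 consecutive 32-bit outputs by inverting the tempering function, and the generator can then be run forward to predict every word that follows. A file overwritten with raw MT19937 output is therefore distinguishable from a genuinely encrypted file, where no such prediction succeeds, which tells a responder whether a "decryption key" could even exist. The script assumes (an assumption of this example, not a fact from the page) that the generator's output was written as consecutive little-endian 32-bit words starting at a generator block boundary. Python's `random.Random` is MT19937 and stands in for the overwriting routine when building a constructed "wiped" blob; `os.urandom` stands in for ciphertext.

```python
import os
import random

MASK32 = 0xFFFFFFFF
N, M = 624, 397
MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF


def temper(y):
    """MT19937 output tempering, applied to each state word before output."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift(y, shift):
    # Fixed-point iteration: each pass fixes `shift` more bits from the top.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_shift(y, shift, mask):
    # Same idea from the bottom up, inverting y ^= (y << shift) & mask.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Invert temper(): recover the raw state word behind one 32-bit output."""
    y = _undo_right_shift(y, 18)
    y = _undo_left_shift(y, 15, 0xEFC60000)
    y = _undo_left_shift(y, 7, 0x9D2C5680)
    y = _undo_right_shift(y, 11)
    return y


def twist(mt):
    """Advance a 624-word MT19937 state in place (reference recurrence)."""
    for i in range(N):
        y = (mt[i] & UPPER) | (mt[(i + 1) % N] & LOWER)
        mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)


def looks_like_mt19937_stream(blob, check_words=N):
    """True if the blob is consistent with raw MT19937 output: the first 624
    little-endian words yield a state whose next block matches what follows.
    Assumes the stream starts at a generator block boundary."""
    usable = len(blob) - len(blob) % 4
    words = [int.from_bytes(blob[i:i + 4], "little") for i in range(0, usable, 4)]
    if len(words) < N + check_words:
        return False  # not enough material to recover and then verify a state
    state = [untemper(w) for w in words[:N]]
    twist(state)
    predicted = [temper(x) for x in state[:check_words]]
    return predicted == words[N:N + check_words]


def make_constructed_wiped_blob(seed, n_words):
    """Constructed stand-in for a file overwritten with raw MT19937 output.
    random.Random is MT19937 and getrandbits(32) returns one tempered word;
    this is NOT the malware's routine, only a generator of test input."""
    rng = random.Random(seed)
    return b"".join(rng.getrandbits(32).to_bytes(4, "little") for _ in range(n_words))


def make_constructed_random_blob(n_bytes):
    """Stand-in for genuinely encrypted (or CSPRNG-overwritten) file content."""
    return os.urandom(n_bytes)


if __name__ == "__main__":
    wiped = make_constructed_wiped_blob(2022, 2000)
    encrypted = make_constructed_random_blob(8000)
    print("constructed wiped blob :", looks_like_mt19937_stream(wiped))
    print("constructed random blob:", looks_like_mt19937_stream(encrypted))
```

A positive result on a recovered .cry file is strong evidence that the contents are raw generator output rather than ciphertext, so there is nothing a paid-for "key" could restore. A negative result is not proof of encryption: if the sample seeds or reads the generator differently, writes from an unaligned position, or post-processes the words, the alignment assumption above fails and the check must be adapted to what the disassembly shows.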


CryWiper shares a distinct commonality with ransomware families called Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. Specifically, the email address in the ransom note of all three is the same.

The CryWiper sample analyzed by Kaspersky is a 64-bit executable file for Windows. It was written in C++ and compiled using the MinGW-w64...
