CryWiper: Ransomware actually destroys the data

Kaspersky_news


Kaspersky experts have discovered a new Trojan, CryWiper, that at first looks like ransomware. The data, however, is not encrypted but overwritten with random data, so paying the ransom is useless.

Kaspersky experts have discovered an attack by a new Trojan, which they have dubbed CryWiper. At first glance, this malware looks like ransomware: it modifies files, adds a .CRY extension (unique to CryWiper) to them, and saves a README.txt file with a ransom note containing the Bitcoin wallet address, the contact e-mail address of the malware creators and the infection ID.

CryWiper: Overwrite instead of encryption

In fact, however, this malware is a wiper: a file modified by CryWiper can never be restored to its original state. So anyone who sees a ransom note and files with the new .CRY extension should not rush to pay the ransom: it is pointless.

In the past, there have been some malware strains that accidentally became wipers because their creators implemented encryption algorithms poorly. This time, however, that is not the case: Kaspersky experts are confident that the attackers' main goal is not financial gain but data destruction. The files are not encrypted at all; instead, the Trojan overwrites them with pseudo-randomly generated data.

What CryWiper is really hunting for

The Trojan corrupts all data that is not vital for the functioning of the operating system. It does not affect files with .exe, .dll, .lnk, .sys, or .msi extensions and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives and user documents.

How the CryWiper Trojan works

In addition to directly overwriting the contents of files with garbage, CryWiper also does the following:

  • creates a task in the Task Scheduler that restarts the wiper every five minutes;
  • sends the infected computer's name to the C&C server and waits for a command to launch the attack;
  • stops processes belonging to MySQL and MS SQL database servers, MS Exchange mail servers and MS Active Directory web services (otherwise some files would be locked and could not be damaged);
  • deletes shadow copies of files so they cannot be recovered (but, for some reason, only on the C: drive);
  • disables connections to the affected system via the RDP remote access protocol.

The purpose of the last step is not entirely clear. Perhaps the malware authors wanted to complicate the work of the incident response team, who would clearly prefer remote access to the affected machine and would instead have to be given physical access to it.
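As an added illustration (not Kaspersky's code and not part of the original report), the following Python script turns the behaviours listed above and the file-type exclusions described earlier into a small defender-side triage check: it runs indicator patterns over constructed sample endpoint telemetry, flags hosts on which several indicators appear together, and inspects file paths for the .CRY rename pattern. The telemetry line format, the event type names, the process names, the registry value assumed for the RDP change and the three-indicator threshold are all assumptions made for the example; the report does not specify any of them.

```python
"""Defender-side triage helpers for CryWiper-like activity.

Added example, not code from Kaspersky or the report. The telemetry
format "timestamp|host|event_type|detail" and every pattern below are
assumptions chosen for illustration.
"""
import os
import re
from collections import defaultdict

# Extensions the report says CryWiper leaves untouched.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
WIPED_EXTENSION = ".cry"     # appended to every damaged file

# Behavioural indicators drawn from the report. Event type names and
# regexes assume a generic endpoint telemetry feed. Exchange and AD
# process names vary by version and are left out of the sample pattern.
INDICATORS = {
    "persistence_task_5min":
        ("task_created", re.compile(r"trigger=every 5 minutes", re.I)),
    "db_service_stopped":
        ("process_stop", re.compile(r"image=(sqlservr|mysqld)\.exe", re.I)),
    "shadow_copies_deleted":
        ("process_start", re.compile(r"vssadmin.*delete\s+shadows", re.I)),
    # Assumed mechanism: the report only says RDP access is disabled.
    "rdp_disabled":
        ("registry_set", re.compile(r"fDenyTSConnections.*data=1", re.I)),
    "file_renamed_to_cry":
        ("file_rename", re.compile(r"to=.*\.cry$", re.I)),
    "ransom_note_dropped":
        ("file_create", re.compile(r"path=.*[\\/]readme\.txt$", re.I)),
}

# Constructed sample telemetry (raw string so the Windows paths survive).
# WS-07 shows the full chain; WS-12 is a benign control host.
SAMPLE_EVENTS = r"""
2022-11-29T10:00:01|WS-07|task_created|name=<task-name-placeholder> trigger=every 5 minutes
2022-11-29T10:00:02|WS-07|process_stop|image=sqlservr.exe
2022-11-29T10:00:02|WS-07|process_stop|image=mysqld.exe
2022-11-29T10:00:03|WS-07|process_start|cmd=vssadmin delete shadows /all /quiet
2022-11-29T10:00:04|WS-07|registry_set|key=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server value=fDenyTSConnections data=1
2022-11-29T10:00:05|WS-07|file_rename|from=C:\Users\a\report.docx to=C:\Users\a\report.docx.CRY
2022-11-29T10:00:05|WS-07|file_create|path=C:\Users\a\README.txt
2022-11-29T10:00:09|WS-12|process_start|cmd=notepad.exe
"""


def parse_event(line):
    """Split one telemetry line into its four assumed fields."""
    ts, host, etype, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "type": etype, "detail": detail}


def match_indicators(lines):
    """Return {host: sorted list of indicator names seen on that host}."""
    hits = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        for name, (etype, pattern) in INDICATORS.items():
            if ev["type"] == etype and pattern.search(ev["detail"]):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def classify_host(indicator_names):
    """Assumed threshold: three or more distinct indicators -> wiper suspected."""
    count = len(indicator_names)
    if count >= 3:
        return "wiper-suspected"
    return "review" if count else "clean"


def original_name(path):
    """Strip the appended .CRY extension to identify the damaged file."""
    if path.lower().endswith(WIPED_EXTENSION):
        return path[:-len(WIPED_EXTENSION)]
    return path


def is_excluded(path):
    """True for file types the report says the wiper does not touch."""
    return os.path.splitext(path)[1].lower() in SKIPPED_EXTENSIONS


def unexpected_victims(paths):
    """.CRY files whose original type the report says is skipped; such hits
    suggest a different sample or a misattribution and deserve a closer look."""
    return [p for p in paths
            if p.lower().endswith(WIPED_EXTENSION) and is_excluded(original_name(p))]


if __name__ == "__main__":
    hits = match_indicators(SAMPLE_EVENTS.splitlines())
    for host, names in sorted(hits.items()):
        print(host, classify_host(names), names)
    print(unexpected_victims([r"C:\a\report.docx.CRY", r"C:\a\tool.exe.CRY"]))
```

In practice the telemetry would come from an EDR or Sysmon export rather than the embedded sample; the point of the per-host grouping is that a single indicator (a stopped SQL service, one README.txt) is routine noise, whereas the combination of a five-minute scheduled task, shadow-copy deletion and mass renames to .CRY on one host is what should trigger isolation before the next scheduled run.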
More at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
