Public organizations in Russia, including municipalities and courts, are being targeted by a completely new and rather sneaky variant of malware.
CryWiper poses as ransomware and tries to extort money from its victims (0.5 bitcoin, or about $9,000 at press time), but its real goal is not to get paid: it destroys every file it finds on the infected machine.
Kaspersky cybersecurity researchers report "unique" cyberattacks in Russia, in which infected files are given a new extension: .cry (hence the name CryWiper). While local media said the attackers targeted the country's mayors' offices and courts, it is unclear exactly how many entities they managed to compromise.
Russians targeting Russians?
What we do know is that the malware shares common traits with two other malware strains: Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. They all have the same email address listed in the ransom note. Xorist was first spotted in 2010 and is described as a family of Windows ransomware targeting Russian and English-speaking users.
CryWiper was written in C++, which Ars Technica says is an unusual choice and indicates the possibility of hackers using a non-Windows device to write the code.
The same post also claims that the malware is fairly similar to IsaacWiper, a wiper that recently targeted Ukraine-based companies. Apparently, both wipers use the same algorithm to generate the pseudorandom numbers that overwrite the data in the files, permanently corrupting them.
The attackers reportedly used the Mersenne Twister PRNG (rendered as "Mersenne Vortex" in some translations of the report), which is another uncommon feature.
Wipers are among the most dangerous malware variants, as their sole purpose is to "wipe" all data on the target device permanently. To defend against such attacks, users are advised to be careful when downloading attachments and to ensure that their software and hardware are always up to date. It is also advisable to have state-of-the-art cybersecurity solutions in place.
Via: Ars Technica