Judicial courts and mayor offices across several Russian regions have been hit by a new data-wiping trojan. Antivirus maker Kaspersky says it’s a piece of malware that pretends to ask for a ransom.
The malware, named CryWiper, appears at first glance to be a tool created to scramble files and then leave a ransom note demanding money.
However, Kaspersky researchers now say they found evidence of data destruction. It means that even if victims paid the attackers, they would not be able to recover their files, which are permanently deleted. These kinds of cyberweapons are called wipers for precisely this reason.
Fedor Sinitsyn, a cybersecurity researcher at Kaspersky, a controversial Russian-owned company, said that CryWiper corrupted files in the targeted devices and then indeed displayed messages demanding a ransom for decryption – 0.5 Bitcoin (nearly $17 thousand).
But Sinitsyn found that the program does not restore files after victims pay: they are actually deleted without the possibility of recovery. What’s more, code analysis allegedly shows this is no mistake – attackers seek both to gain financially and to destroy targets.
“CryWiper positions itself as a ransomware program, that is, it claims that the victim's files are encrypted and, if a ransom is paid, they can be restored. However, this is a hoax: in fact, the data has been destroyed and cannot be returned. The activity of CryWiper once again shows that the payment of the ransom does not guarantee the recovery of files,” Kaspersky says.
CryWiper stores ransom demands in the README.txt file and did just that in this case. It provides the Bitcoin wallet address for paying the ransom, the email address for contacting the attackers, and the infection ID.
Neither Kaspersky nor Russian government officials have attributed CryWiper to any specific group or entity. However, imitated ransomware attacks by multiple wipers of this kind have been connected to Russia’s war in Ukraine.
Ukraine was hit the hardest, with wipers such as WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.
“Seven different wiper malware attacks have been discovered targeting Ukrainian infrastructure or companies – all clearly in line with Russia's interest in the war,” Fortinet, a cybersecurity company, said back in March.
“Generally, wiper operations in this category attack targets whose destruction is in the interest of the opposing military.”
“The motivation behind such an attack might be to cripple critical infrastructure. This could be done to either cause chaos and increase mental stress on the enemy, or to cause destruction [of] a tactical target.”
Russia wasn't spared either. It was hit in March by another wiper named RuRansom, posing as run-of-the-mill ransomware, a wiper named RuRansom. The authors of the malware openly said they were targeting Russia because of its invasion of the neighboring country.
More from Cybernews:
Subscribe to our newsletter