Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices

CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data.

Mayors’ offices and courts in Russia are under attack by never-before-seen malware that poses as ransomware but is actually a wiper that permanently destroys data on an infected system, according to security company Kaspersky and the Izvestia news service.

Kaspersky researchers have named the wiper CryWiper, a nod to the extension .cry that gets appended to destroyed files. Kaspersky says its team has seen the malware launch “pinpoint attacks” on targets in Russia. Izvestia, meanwhile, reported that the targets are Russian mayors’ offices and courts. Additional details, including how many organizations have been hit and whether the malware successfully wiped data, weren’t immediately known.

Wiper malware has grown increasingly common over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Arabia’s Saudi Aramco and Qatar’s RasGas. Four years later, a new variant of Shamoon returned and struck multiple organizations in Saudi Arabia. In 2017, self-replicating malware dubbed NotPetya spread across the globe in a matter of hours and caused an estimated $10 billion in damage. In the past year, a flurry of new wipers appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.

Kaspersky said it discovered the attack attempts by CryWiper in the last few months. After infecting a target, the malware left a note demanding, according to Izvestia, 0.5 bitcoin and including a wallet address where the payment could be made.

“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for ‘decrypting’ data, does not actually encrypt, but purposefully destroys data in the affected system,” Kaspersky’s report stated. “Moreover, an analysis of the Trojan’s program code showed that this was not a developer’s mistake, but his original intention.”

Source and more details: Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices | Ars Technica
