According to Kaspersky and the Russian news outlet Izvestia, mayors' offices and courts in Russia are being attacked by never-before-seen malware that masquerades as ransomware but wipes out data.
Kaspersky researchers named it CryWiper, a nod to the file extension appended to files after their contents are destroyed. Kaspersky says its team has witnessed the malware deliver "pinpoint attacks" on Russian targets via a spyware program. Izvestia, for its part, reported that the targets were a city's mayoral office and court.
There was no immediate word on how many organizations were affected, how the malware managed to erase data, or whether data was successfully erased at this time.
Wiper malware has grown increasingly common over the past decade. Shamoon, discovered in 2012, caused havoc at Saudi Aramco and Qatar's RasGas. Four years later a reworked version of Shamoon was used to attack multiple organizations in Saudi Arabia. The self-replicating malware dubbed NotPetya spread across the globe within hours, affected hundreds of thousands of computers worldwide, and caused an estimated $10 billion in damage.
The past year has seen a slew of new wipers emerge, among them DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and ransom.
Kaspersky reported that it has discovered recent attacks carried out with CryWiper. After infecting a target, the malware left a note that reportedly demanded 0.5 bitcoin and included a wallet address for payment.
Kaspersky's analysis of a sample shows that although the Trojan disguises itself as ransomware and extorts money from victims for 'decrypting' their data, it does not encrypt data at all: it deliberately destroys it on the affected computer. A study of the Trojan's code showed that this was not a mistake by the developer but what he had planned from the start.
CryWiper has some similarities with IsaacWiper, which targeted organizations in Ukraine. Both wipers generate pseudo-random numbers and use them to overwrite the contents of targeted files, corrupting them. The generator they share, known as the Mersenne Vortex PRNG, is rarely used, so the commonality is striking.
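The following is an added illustration, not code from Kaspersky or from CryWiper itself. It models the difference the report describes: a wiper replaces file contents with output of a Mersenne Twister PRNG (Python's `random` module is an MT19937 implementation, used here as a stand-in), while ransomware transforms them reversibly. A toy XOR stream cipher is assumed as the ransomware stand-in, and the sample "document" is constructed. The point for responders: the two results are indistinguishable by entropy alone, yet only the encrypted one can be recovered with the key, which is why paying a wiper's ransom cannot bring data back.

```python
import math
import random
from collections import Counter

# Constructed stand-in for a victim file; not real data.
SAMPLE = b"Court docket 2022/11: hearing schedule and case notes. " * 32

def mt_stream(seed: int, n: int) -> bytes:
    """n bytes from Python's MT19937 (Mersenne Twister), the PRNG family
    the report says CryWiper and IsaacWiper draw their overwrite data from."""
    return random.Random(seed).randbytes(n)

def wiper_overwrite(data: bytes, seed: int) -> bytes:
    """Wiper behaviour: the original bytes are discarded and replaced with
    PRNG output of the same length. Nothing of `data` survives."""
    return mt_stream(seed, len(data))

def xor_encrypt(data: bytes, seed: int) -> bytes:
    """Toy stream cipher (illustration only, not any real family's code):
    XOR with the same keystream. Unlike the wipe, this is reversible."""
    return bytes(a ^ b for a, b in zip(data, mt_stream(seed, len(data))))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a common triage heuristic for 'is this file encrypted?'"""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def recover(blob: bytes, seed: int) -> bytes:
    """What a victim holding the key could do: re-derive the keystream and
    XOR it back. Restores encrypted data; yields garbage for wiped data."""
    return xor_encrypt(blob, seed)

def triage(data: bytes, seed: int = 1337) -> dict:
    """Compare the two outcomes on the same input and key."""
    wiped = wiper_overwrite(data, seed)
    encrypted = xor_encrypt(data, seed)
    return {
        "entropy_wiped": round(shannon_entropy(wiped), 2),
        "entropy_encrypted": round(shannon_entropy(encrypted), 2),
        "encrypted_recoverable": recover(encrypted, seed) == data,
        "wiped_recoverable": recover(wiped, seed) == data,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because both outputs sit near 8 bits of entropy per byte, distinguishing a wiper from ransomware requires code analysis of the sample, as Kaspersky did, rather than inspection of the damaged files.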
CryWiper also has a notable link to two ransomware families, Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent: all three ransom notes contain the same email address.
Kaspersky's analysis found the CryWiper sample to be a 64-bit Windows executable, written in C++ and compiled with the GCC compiler from the MinGW-w64 toolkit.
That is quite unusual for malware written in C++, which is far more commonly built with Microsoft Visual Studio.
One possible explanation is that the developers wanted to be able to port their code from Windows to Linux without going through a third-party compiler.
Given the large number of calls CryWiper makes to the Windows API, however, portability seems an unlikely motive. More probably, the developer simply wrote the code on a non-Windows device.
An attack that succeeds in wiping a network usually exploits weak network security. Kaspersky advises network engineers to take the following precautions:
- Use an endpoint protection solution with behavior-based file analysis.
- Have a security operations center responsible for managing detection and response, so that an intrusion, once detected, is acted on and resolved.
- Deploy mail security that detects malicious files and URLs in email attachments and blocks them. This hardens email, the most common attack vector.
- Conduct regular penetration testing and Red Team projects. Identifying and fixing vulnerabilities in the infrastructure reduces the attack surface available to intruders.
- Monitor and analyze threat data. Up-to-date knowledge of the tactics, tools, and infrastructure intruders use is needed to detect and stop malicious activity promptly.
Wiper malware is likely to continue to spread over the coming months, given Russia's invasion of Ukraine and other geopolitical conflicts around the world.
According to the report Kaspersky published on Friday, "in many cases, wiper attacks and ransomware incidents are caused by weak network security, and it is critical to make sure that these security measures are strengthened." The firm added that the number of cyberattacks, including those using wipers, can be expected to grow, in large part because of the unstable situation around the world.