New malware destroys all Russian town hall data


A wiper, malware built to erase all data on a computer, has hit several institutions in Russia. The malware is entirely new and has not been claimed by any group or state.

A new episode in the conflict between Russia and Ukraine. A previously undocumented data-erasure program, a so-called wiper, has just surfaced, according to a Kaspersky report published on December 1, 2022. Named CryWiper, the malware presents itself as ransomware. But it does not merely lock the files: it destroys them.

The software was first spotted this autumn, in an attack on a Russian organization. Russian media report that several town halls and regional courts in Russia have been hit by CryWiper. In the note left for victims, the attackers give an email address and a bitcoin wallet and demand 0.5 bitcoin (around $8,100) to unlock the data. Paying restores nothing.

CryWiper poses as ransomware and drops its ransom demand in a file named README.txt. The text borrows the wording of a classic ransomware group. There is nothing to decrypt after infection anyway, Kaspersky notes.

« The server will destroy all data within 24 hours. » The message left by the malware. // Source: Kaspersky

Incident response hampered

In terms of code and functionality, CryWiper is new malware unrelated to any known family. It goes as far as deleting all shadow copies on the compromised machine to block any attempt at restoration. Kaspersky also reports a built-in delay of four days in some cases before the destruction starts, likely added to the code to confuse the victim about the cause of the infection. The program additionally modifies the Windows registry to block remote desktop logins, which hampers emergency intervention and incident response by security teams. Suffice it to say that running such malware is usually fatal for the data on the affected system.
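The three behaviours described above (shadow-copy deletion, a registry change that disables remote logins, and a README.txt ransom note) are exactly the kind of host telemetry a responder would correlate. The following is an added example, not code from the article or from Kaspersky: a small Python triage routine over constructed Sysmon-style events. It assumes a simplified event schema (host, kind, detail, data), assumes the shadow copies are removed with the usual `vssadmin delete shadows` or `wmic shadowcopy delete` commands, and assumes the registry value touched is `fDenyTSConnections`, the standard value that disables Remote Desktop; the article names neither the command nor the key, so those are this example's assumptions. The sample events are constructed, not real logs.

```python
"""Added example: correlate CryWiper-style behaviours across hosts.

Not the article's or Kaspersky's code. The event schema, the command lines,
the registry value and the sample events below are all assumptions built for
illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the article only says the wiper "modifies the Windows registry to
# block remote desktop logins". fDenyTSConnections=1 is the standard way to do
# that, so it is the value we watch for.
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

# Assumption: shadow copies are deleted with one of the two usual built-in tools.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]


@dataclass
class Event:
    host: str
    kind: str      # "process": detail = command line
                   # "registry": detail = value path, data = new data
                   # "file": detail = path of a created file
    detail: str
    data: str = ""


def classify(ev: Event) -> Optional[str]:
    """Return the rule name a single event matches, or None."""
    if ev.kind == "process":
        if any(p.search(ev.detail) for p in SHADOW_DELETE_PATTERNS):
            return "shadow_copy_deletion"
    elif ev.kind == "registry":
        if (ev.detail.lower() == RDP_DENY_VALUE.lower()
                and ev.data.strip().lower() in ("1", "0x1", "0x00000001")):
            return "rdp_disabled_via_registry"
    elif ev.kind == "file":
        # A README.txt on its own is far too common to act on; it only counts
        # once it is correlated with the other behaviours in triage().
        if ev.detail.lower().endswith("\\readme.txt"):
            return "ransom_note_dropped"
    return None


def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Distinct rules hit per host, in first-seen order."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        rule = classify(ev)
        if rule and rule not in hits[ev.host]:
            hits[ev.host].append(rule)
    return dict(hits)


def hosts_to_isolate(events: List[Event], min_rules: int = 2) -> List[str]:
    """Hosts on which at least two distinct behaviours co-occur.

    One noisy signal (a README.txt) never escalates a host by itself.
    """
    return sorted(h for h, rules in triage(events).items() if len(rules) >= min_rules)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("townhall-fs01", "process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    Event("townhall-fs01", "registry", RDP_DENY_VALUE, "0x1"),
    Event("townhall-fs01", "file", r"D:\Shared\README.txt"),
    Event("court-ws07", "file", r"C:\Users\clerk\Downloads\tool\README.txt"),
    Event("court-ws07", "process", r"C:\Windows\System32\vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The design point is the correlation step: each signal is weak alone (administrators list and occasionally delete shadow copies, and README.txt files are everywhere), but shadow-copy deletion plus an RDP-disable registry write on the same host is the wiper's own attempt to cut off recovery and remote response, and that combination is worth an immediate isolation. Because the article reports a delay of up to four days before destruction, catching the preparatory steps early matters more than detecting the file corruption itself.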

The researchers did, however, note similarities between its file-corruption algorithm and that of another wiper, IsaacWiper. That software was used against the Ukrainian government in March 2022, in attacks attributed to Russia. At this stage it is impossible to determine who is behind CryWiper; the malware has so far only been detected in Russian institutions.



