{"id":20706,"date":"2022-12-02T03:30:03","date_gmt":"2022-12-02T11:30:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/12\/02\/news-14439\/"},"modified":"2022-12-02T03:30:03","modified_gmt":"2022-12-02T11:30:03","slug":"news-14439","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/12\/02\/news-14439\/","title":{"rendered":"CryWiper disguised as ransomware | Kaspersky official blog"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/12\/02055240\/crywiper-pseudo-ransomware-featured.jpg\"\/><\/p>\n<p><strong>Credit to Author: Editorial Team | Date: Fri, 02 Dec 2022 10:57:23 +0000<\/strong><\/p>\n<p>Our experts have discovered an attack by a new Trojan, which they dubbed CryWiper. At first glance, this malware acts as ransomware: it modifies files, adds a .CRY extension to them, and saves a README.txt file with a ransom note, which contains the bitcoin wallet address, the contact e-mail address of the malware creators, and the infection ID. However, in fact, this malware is a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/wiper\/\" target=\"_blank\" rel=\"noopener\">wiper<\/a> \u2014 a file modified by CryWiper can never be restored to its original state. So if you see a ransom note, and your files have a new .CRY extension, do not rush to pay the ransom: it is pointless.<\/p>\n<p>In the past, we have seen some malware strains that became wipers by accident \u2014 due to mistakes by their creators, who poorly implemented encryption algorithms. However, this time that is not the case: our experts are confident that the main goal of the attackers is not financial gain, but destroying data. 
The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.<\/p>\n<h2>What CryWiper is hunting for<\/h2>\n<p>The Trojan corrupts any data that is not vital for the functioning of the operating system. It doesn&#8217;t affect files with the extensions .exe, .dll, .lnk, .sys, and .msi, and it ignores several system folders in the C:\\Windows directory. The malware focuses on databases, archives, and user documents.<\/p>\n<p>So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code will not be used against other targets.<\/p>\n<h2>How the CryWiper Trojan works<\/h2>\n<p>In addition to directly overwriting the contents of files with garbage, CryWiper also does the following:<\/p>\n<ul>\n<li>creates a task that restarts the wiper every 5 minutes using the Task Scheduler;<\/li>\n<li>sends the name of the infected computer to the C&amp;C server and waits for a command to start an attack;<\/li>\n<li>halts processes related to MySQL and MS SQL database servers, the MS Exchange mail server, and MS Active Directory web services (otherwise access to some files would be blocked and it would be impossible to corrupt them);<\/li>\n<li>deletes shadow copies of files so that they cannot be restored (but for some reason only on the C: drive);<\/li>\n<li>disables connections to the affected system via the RDP remote access protocol.<\/li>\n<\/ul>\n<p>The purpose of the last step is not entirely clear. Perhaps the malware authors did this to complicate the work of the incident response team, which would clearly prefer to have remote access to the affected machine \u2014 but will instead have to gain physical access to it. 
You can find technical details of the attack along with indicators of compromise in a <a href=\"https:\/\/securelist.ru\/novyj-troyanec-crywiper\/106114\/\" target=\"_blank\" rel=\"nofollow noopener\">post on Securelist<\/a> (in Russian only).<\/p>\n<h2>How to stay safe<\/h2>\n<p>To protect your company&#8217;s computers from both ransomware and wipers, our experts recommend the following measures:<\/p>\n<ul>\n<li>carefully control remote access connections to your infrastructure: prohibit connections from public networks, allow RDP access only through a VPN tunnel, and use unique strong passwords and two-factor authentication;<\/li>\n<li>update critical software in a timely manner, paying special attention to the operating system, security solutions, VPN clients, and remote access tools;<\/li>\n<li>raise the security awareness of your employees, for example, using <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\">specialized online tools<\/a>;<\/li>\n<li>employ <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/anti-targeted-attack-platform?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kata___\" target=\"_blank\">advanced security solutions<\/a> to protect both work devices and the perimeter of the corporate network.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/crywiper-pseudo-ransomware\/46480\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/12\/02055240\/crywiper-pseudo-ransomware-featured.jpg\"\/><\/p>\n<p><strong>Credit to Author: Editorial Team | Date: Fri, 02 Dec 2022 10:57:23 +0000<\/strong><\/p>\n<p>Kaspersky experts have discovered a new Trojan, CryWiper, that poses as 
ransomware, but in fact works as a wiper.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[1001,12177,3765,12321,16068],"class_list":["post-20706","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-business","tag-enterprise","tag-ransomware","tag-smb","tag-wiper"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20706"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20706\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}