- Kaspersky stated that a new Trojan, named CryWiper, mimics ransomware but instead of encrypting files, it overwrites them with pseudo-randomly generated data.
- The trojan only targets databases, archives, and user documents and doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi.
- So far, Kaspersky experts have seen only pinpoint attacks on targets in the Russian Federation.
Kaspersky shared the details of a new Trojan, dubbed CryWiper. At first glance, it looks like ransomware: it modifies files, adds a .cry extension, and creates a README.txt file with a ransom note. The note includes a bitcoin wallet address, the contact e-mail address of the malware creators, and the infection ID. However, it is a wiper, and the files can’t be restored. Instead of encrypting them, the trojan overwrites the files with randomly generated data.
Databases, archives, and user documents
Kaspersky stated that the malware doesn’t target data vital to the operating system. It doesn’t affect .exe, .dll, .lnk, .sys, or .msi files. Instead, it focuses on databases, archives, and user documents. All known CryWiper attacks were launched on targets located in Russia. CryWiper also does the following:
- Creates a task that restarts the wiper every five minutes using the Task Scheduler
- Sends the name of the infected computer to the C&C server and waits for a command to start an attack
- Halts processes related to MySQL and MS SQL database servers, MS Exchange mail servers, and MS Active Directory web services (otherwise access to some files would be blocked and it would be impossible to corrupt them)
- Deletes shadow copies of files so that they cannot be restored (but for some reason only on the C: drive)
- Disables connection to the affected system via RDP remote access protocol
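The behaviours listed above are the kind of cluster a detection engineer would hunt for across endpoint telemetry rather than one at a time: a single shadow-copy deletion or a single scheduled task is noisy, but several of them on one host within a short window is not. The following is an added example, not code from Kaspersky or from the Securelist post; the event records are constructed, and the concrete command lines, service names, registry value and task-trigger syntax it matches on are assumptions about how these behaviours typically appear in logs, since the article only names the behaviours themselves.

```python
"""Hunt for the CryWiper-style behaviour cluster over process-creation,
scheduled-task and registry records. All sample data is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str    # "process", "task" or "registry"
    detail: str  # command line, task definition or registry write


# Constructed sample telemetry: hypothetical hosts, paths and task names.
SAMPLE_EVENTS = [
    Event("WS-017", "task", "name=Updater trigger=repeat interval=PT5M "
                            "action=C:\\Users\\Public\\upd.exe"),
    Event("WS-017", "process", "vssadmin.exe delete shadows /all /quiet"),
    Event("WS-017", "registry", r"HKLM\SYSTEM\CurrentControlSet\Control"
                                r"\Terminal Server\fDenyTSConnections=1"),
    Event("WS-017", "process", "net.exe stop MSSQLSERVER"),
    # Benign activity on another host: listing shadows and a daily backup task.
    Event("WS-042", "process", "vssadmin.exe list shadows"),
    Event("WS-042", "task", "name=Backup trigger=daily interval=P1D "
                            "action=C:\\Program Files\\Backup\\bk.exe"),
]

# One predicate per behaviour named in the article. The patterns are
# assumptions about log appearance, not indicators taken from the report.
RULES = {
    # "Deletes shadow copies of files so that they cannot be restored"
    "shadow_copy_deletion": lambda e: e.kind == "process" and bool(
        re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", e.detail, re.I)),
    # "Disables connection to the affected system via RDP"
    "rdp_disabled": lambda e: e.kind == "registry" and
        e.detail.lower().endswith(r"\fdenytsconnections=1"),
    # "Creates a task that restarts the wiper every five minutes"
    "five_minute_task": lambda e: e.kind == "task" and "interval=PT5M" in e.detail,
    # "Halts processes related to MySQL, MS SQL, MS Exchange, AD web services"
    "db_service_stopped": lambda e: e.kind == "process" and bool(
        re.search(r"\bnet(\.exe)?\s+stop\s+(MSSQLSERVER|MySQL\w*|MSExchange\w*|ADWS)\b",
                  e.detail, re.I)),
}


def hunt(events):
    """Return {host: sorted list of rule names that fired on that host}."""
    hits = {}
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.setdefault(e.host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def suspicious_hosts(hits, threshold=2):
    """Hosts on which at least `threshold` distinct behaviours were seen."""
    return sorted(h for h, names in hits.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, names in found.items():
        print(host, "->", ", ".join(names))
    print("escalate:", suspicious_hosts(found))
```

Two practical caveats follow from the article itself. Because the task re-launches the wiper every five minutes, isolating a host without also removing the scheduled task and its binary only buys a short pause. And since the report says shadow copies are deleted only on the C: drive, shadow copies on other volumes should be checked before concluding that nothing is recoverable.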
« The purpose of the latter isn’t entirely clear. Perhaps by disabling it the malware authors tried to complicate the work of the incident response team, which would clearly prefer to have remote access to the affected machine; instead, they’d have to get physical access to it. You can find technical details of the attack along with indicators of compromise in a post on Securelist (in Russian only). »