"'CryWiper' Trojan Disguises as Ransomware"

Researchers have discovered a new wiper Trojan disguised as a ransomware payload in the wild. CryWiper, named after the distinctive '.cry' extension it appends to files, appears to be a new ransomware strain at first glance. Files on a victim's device appear to be encrypted, and a ransom note is left demanding that money be sent to a bitcoin wallet address, but the files are corrupted beyond repair. Evidence shows that the malware is a wiper that corrupts all but the most critical system files, overwriting each with data generated by a pseudo-random number generator. When CryWiper is installed on a victim's system, it sends the name of the victim's device to a command-and-control (C2) server and waits for an activation command before launching an attack. Its methodology is similar to that of ransomware, with functions such as deleting volume shadow copies to prevent file restoration and scheduling itself in Windows Task Scheduler to restart every five minutes. CryWiper also disables MS SQL, MySQL, MS Active Directory, and MS Exchange services so that the files associated with them can be corrupted. A wiper is designed to destroy a victim's device indiscriminately or otherwise cause havoc on it. Wipers are a component of a malware arsenal that has served as the foundation of the growing threat against critical national infrastructure, and they have been widely used by Russia in its cyberwar against Ukraine. The ransom text file contains an email address that has been in use since 2017, linking it to a number of previous ransomware families. No group has yet been definitively identified as responsible. This article continues to discuss the CryWiper Trojan that has been disguised as ransomware.
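The preparation steps described above (deleting volume shadow copies, registering a scheduled task that fires every few minutes, stopping database, directory and mail services) are the same ones defenders already hunt for in ransomware cases, which is why a wiper wearing a ransomware disguise still trips the same detections. The following Python is an added example written for this summary, not code from the article, from ITPro, or from any sensor vendor: it scores hosts by how many distinct families of those behaviours appear in their process-creation logs. The log line format, the sample lines, and the mapping of the named products to Windows service names are all constructed assumptions.

```python
"""Added illustration: score hosts for ransomware/wiper preparation behaviour
(shadow-copy deletion, short-interval scheduled task, stopping data services).
Log format, sample lines and service-name mapping are constructed assumptions."""
import re
from collections import defaultdict

# Hypothetical process-creation log format: "<timestamp> <host> <image> <command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<image>\S+)\s+(?P<cmd>.*)$")

# Assumed Windows service names for the products the article names
# (MS SQL, MySQL, Active Directory, Exchange); adjust to the local estate.
TARGET_SERVICES = {
    "MSSQLSERVER", "MYSQL", "MYSQL80", "NTDS", "MSEXCHANGEIS", "MSEXCHANGETRANSPORT",
}

SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
SCHED_MINUTE_RE = re.compile(r"/sc\s+minute\b", re.I)
SCHED_MODIFIER_RE = re.compile(r"/mo\s+(\d+)", re.I)
NET_STOP_RE = re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)


def indicators_for(cmd: str, max_interval_minutes: int = 5) -> set:
    """Return the set of indicator labels present in one command line."""
    found = set()
    if SHADOW_DELETE_RE.search(cmd):
        found.add("shadow_copy_deletion")
    # Order-independent check: a /create with a minute schedule and a small modifier
    # (the article describes a restart every five minutes).
    if SCHTASKS_CREATE_RE.search(cmd) and SCHED_MINUTE_RE.search(cmd):
        mod = SCHED_MODIFIER_RE.search(cmd)
        interval = int(mod.group(1)) if mod else 1  # schtasks defaults /mo to 1
        if interval <= max_interval_minutes:
            found.add("short_interval_scheduled_task")
    stop = NET_STOP_RE.search(cmd)
    if stop and stop.group(1).upper() in TARGET_SERVICES:
        found.add("stop_data_service:" + stop.group(1).upper())
    return found


def score_hosts(lines) -> dict:
    """Aggregate indicators per host across all parseable log lines."""
    per_host = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scorer
        per_host[m["host"]] |= indicators_for(m["cmd"])
    return dict(per_host)


def flagged_hosts(lines, min_distinct_families: int = 2) -> list:
    """Hosts showing at least N distinct indicator families (all service stops count once)."""
    def families(inds):
        return {i.split(":")[0] for i in inds}
    return sorted(h for h, inds in score_hosts(lines).items()
                  if len(families(inds)) >= min_distinct_families)


# Constructed sample log lines: ws01 shows the full preparation sequence,
# fs02 shows benign administration that must not be flagged.
SAMPLE_LOGS = [
    "2022-12-01T10:00:01 ws01 C:\\Windows\\System32\\vssadmin.exe vssadmin delete shadows /all /quiet",
    "2022-12-01T10:00:03 ws01 C:\\Windows\\System32\\schtasks.exe schtasks /create /tn Updater /sc minute /mo 5 /tr C:\\Users\\Public\\update.exe",
    "2022-12-01T10:00:05 ws01 C:\\Windows\\System32\\net.exe net stop MSSQLSERVER /y",
    "2022-12-01T10:00:06 ws01 C:\\Windows\\System32\\net.exe net stop MSExchangeIS /y",
    "2022-12-01T10:00:07 ws01 C:\\Windows\\System32\\net.exe net stop NTDS /y",
    "2022-12-01T10:30:00 fs02 C:\\Windows\\System32\\schtasks.exe schtasks /create /tn Backup /sc daily /st 02:00 /tr C:\\backup\\run.bat",
    "2022-12-01T11:00:00 fs02 C:\\Windows\\System32\\net.exe net start MSSQLSERVER",
]

if __name__ == "__main__":
    for host, inds in score_hosts(SAMPLE_LOGS).items():
        print(host, sorted(inds))
    print("flagged:", flagged_hosts(SAMPLE_LOGS))
```

Requiring two distinct families before flagging keeps a lone `net stop` during maintenance from paging anyone, while the combination of shadow-copy deletion plus a minute-interval task is rare enough in legitimate administration to deserve a look regardless of whether the payload turns out to encrypt or to wipe.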

ITPro reports "'CryWiper' Trojan Disguises as Ransomware"
