A new data wiper malware called CryWiper has been found targeting Russian government agencies, including mayor’s offices and courts.
“Although it disguises itself as a ransomware and extorts money from the victim for ‘decrypting’ data, [it] does not actually encrypt, but purposefully destroys data in the affected system,” Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko said in a write-up.
Additional details of the attacks were shared by the Russian-language news publication Izvestia. The intrusions have not been attributed to a specific adversarial group so far.
A C++-based malware, CryWiper is configured to establish persistence via a scheduled task and communicate with a command-and-control (C2) server to initiate the malicious activity.
Besides terminating processes related to database and email servers, the malware is equipped with capabilities to delete shadow copies of files and modify the Windows Registry to prevent RDP connections in a likely attempt to obstruct incident response efforts.
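The three anti-recovery behaviours described above (scheduled-task persistence, shadow copy deletion, registry change blocking RDP) are the kind of combination a detection rule can key on. The following is an added example, not code from the article or from Kaspersky: it runs simple rules over constructed Sysmon-style events. The article does not name the registry value CryWiper changes; the `fDenyTSConnections` path used here is an assumption about one common way RDP is disabled.

```python
import re

# Constructed sample events in a Sysmon-like shape (id 1 = process create,
# id 13 = registry value set). These are not real CryWiper telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /tn Updater /tr C:\Users\Public\upd.exe /sc minute"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 13, "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
]

# Each rule: an event id plus regexes that must all match their fields.
# The registry path is an assumption (the article only says RDP is blocked).
RULES = {
    "shadow_copy_deletion": {
        "id": 1,
        "cmd": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)},
    "rdp_denied_via_registry": {
        "id": 13,
        "target": re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.I),
        "details": re.compile(r"\b0x0*1\b")},  # value 1 denies connections; 0 re-enables
    "scheduled_task_persistence": {
        "id": 1,
        "cmd": re.compile(r"schtasks(\.exe)?\s+/create", re.I)},
}


def match_event(event):
    """Return the set of rule tags a single event triggers."""
    tags = set()
    for tag, conds in RULES.items():
        ok = event.get("id") == conds["id"]
        for field, pattern in conds.items():
            if field != "id":
                ok = ok and bool(pattern.search(event.get(field, "")))
        if ok:
            tags.add(tag)
    return tags


def triage(events):
    """Aggregate tags for one host; two or more distinct anti-recovery
    behaviours together are treated as suspicious, not any single one."""
    seen = set()
    for ev in events:
        seen |= match_event(ev)
    return {"tags": sorted(seen), "suspicious": len(seen) >= 2}
```

Requiring several distinct behaviours before alerting keeps an administrator legitimately clearing old shadow copies from tripping the rule on its own.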