Security

New CryWiper Data Wiper Targets Russian Courts, Mayor's Offices (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: A previously undocumented data wiper named CryWiper is masquerading as ransomware, but in reality, destroys data beyond recovery in attacks against Russian mayor's offices and courts. CryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian organization. [...] CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls. Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.

Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant. Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection. CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.

Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files. CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists. Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", ".lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable. After this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.
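The behaviour chain in the report above (a scheduled task every five minutes, database processes killed, shadow copies deleted, RDP blocked through the registry, a README.txt ransom note) is a correlation problem for a defender: each step alone is noisy, together they are distinctive. The following is an added example, not code from BleepingComputer, Kaspersky or the malware itself. It scores constructed Sysmon-style events per host and includes a triage helper that applies the file-selection rule the report describes, so responders can estimate which files were in scope. The log format, the `fDenyTSConnections` registry value (the standard Windows setting for disabling RDP; the report only says "modifies the Windows Registry"), the use of `vssadmin` for shadow-copy deletion, and the exact directory-walk semantics are all assumptions.

```python
"""Correlate CryWiper-style indicators per host over constructed events.

Added example: not the report's or Kaspersky's code. Indicator names, the
log format, fDenyTSConnections and vssadmin are assumptions; the report only
states the observed behaviours (5-minute task, shadow copies, RDP, README.txt).
"""
import re
from collections import defaultdict

# Constructed sample telemetry, not real data: one host showing the whole
# chain and one host with benign look-alikes (a daily task, a README.txt).
SAMPLE_LOG = r"""
host=court-fs01 type=process image=C:\Users\Public\browserupdate.exe cmd="browserupdate.exe"
host=court-fs01 type=process image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /sc minute /mo 5 /tn BrowserUpdate /tr C:\Users\Public\browserupdate.exe"
host=court-fs01 type=process image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
host=court-fs01 type=registry key="HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" value=1
host=court-fs01 type=process image=C:\Windows\System32\taskkill.exe cmd="taskkill /f /im sqlservr.exe"
host=court-fs01 type=file path=C:\Shared\cases\README.txt
host=mayor-ws07 type=process image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe"
host=mayor-ws07 type=file path=C:\Projects\README.txt
"""

EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def indicators_for(ev):
    """Return the set of chain indicators a single event matches."""
    hits = set()
    cmd = ev.get("cmd", "").lower()
    image = ev.get("image", "").lower()
    if ev.get("type") == "process":
        # Report: a scheduled task that runs every five minutes
        if "schtasks" in image and "/sc minute" in cmd and re.search(r"/mo\s+5\b", cmd):
            hits.add("task_every_5min")
        # Report: shadow copies deleted (vssadmin is an assumed tool)
        if "vssadmin" in image and "delete shadows" in cmd:
            hits.add("shadow_copy_deletion")
        # Report: database/mail/AD processes stopped to release file locks
        if "taskkill" in image and any(p in cmd for p in ("sqlservr", "mysqld", "exchange")):
            hits.add("db_process_kill")
        if image.endswith("browserupdate.exe"):  # file name given in the report
            hits.add("browserupdate_exe")
    elif ev.get("type") == "registry":
        # Assumed: RDP disabled via fDenyTSConnections=1
        if ev.get("key", "").lower().endswith("fdenytsconnections") and ev.get("value") == "1":
            hits.add("rdp_disabled")
    elif ev.get("type") == "file":
        if ev.get("path", "").lower().endswith("readme.txt"):
            hits.add("ransom_note_name")  # weak on its own; README.txt is common
    return hits


STRONG = {"shadow_copy_deletion", "rdp_disabled", "task_every_5min"}


def score_hosts(log_text):
    """Correlate per host: {host: {"indicators": [...], "verdict": str}}."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            per_host[ev.get("host", "?")] |= indicators_for(ev)
    result = {}
    for host, hits in per_host.items():
        strong = len(hits & STRONG)
        if strong >= 2:
            verdict = "wiper_chain"
        elif strong == 1 or len(hits) >= 2:
            verdict = "suspicious"
        else:
            verdict = "benign"  # a lone README.txt or a daily task is not evidence
        result[host] = {"indicators": sorted(hits), "verdict": verdict}
    return result


# Triage: the skip-lists the report attributes to the wiper.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi", ".cry"}
SKIPPED_DIRS = {"system", "windows", "boot"}


def likely_wiped(path):
    """First-pass estimate of whether a file was in the wiper's scope.

    Applies the extension and directory skip-lists from the report; how the
    malware actually walks the tree is an assumption, so verify on disk."""
    parts = path.replace("/", "\\").lower().split("\\")
    name = parts[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SKIPPED_EXTENSIONS:
        return False
    return not any(p in SKIPPED_DIRS for p in parts[:-1])


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_LOG).items():
        print(host, info["verdict"], ", ".join(info["indicators"]))
```

Run as a script it prints one verdict line per host; the scoring deliberately requires two of the three strong indicators before calling a host "wiper_chain", so a single suspicious event on a busy file server raises a "suspicious" review item rather than an alert.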

  • If Russia is going to piss off the US while using closed source US software which obviously has backdoors built in, then it's on Russia. Either use open source or develop your own closed source software, or don't challenge the US world order.
    • I doubt the US government would bother attacking low level administrative and legal operations. This looks more like the work of internal resistance trying to break the Russian surveillance state. The rest of it is true, if you use cloned software you are likely to have unpatched bugs that are easy to exploit.
      • Creating chaos in your enemy's country is a very sound strategy. The CIA specializes in this.

        Military depends on civilian infrastructure to operate.

        e.g. bork the traffic lights on the highways and railroads resulting in crashes and that cuts the supply lines.

        OP is spot-on about Russian government using Windows. Terrible strategic mistake.

        • by test321 ( 8891681 ) on Saturday December 03, 2022 @09:38AM (#63099016)

          Creating chaos in your enemy's country is very sound strategy. CIA specializes in this.

          But the justice system of Russia is already in chaos. You only win if you're paying the judge *more* than the opponent; also you cannot win against anyone close to the circle of power, be it local or federal. A computer system is not of much use to them for this kind of justice system.

          If it's the CIA, they are wasting their shots at an irrelevant target (that removes surprise and gives Russia time to ) just like Russia is wasting precision missiles hitting energy generators.

      • by HiThere ( 15173 )

        Maybe. But those same backdoors are likely known to the Russian govt. approved hacker groups that used to share membership between Russia and the Ukraine.

        Actually, one doesn't even need to suppose that the backdoors were at the behest of some government or other, just that they were known to some such group. We do know that govt. agencies occasionally insist that such backdoors be created, but it's not like they're the only "bugs".

        P.S.: Open source is not immune. It does, however, tend to fix the bugs a

        • Open source makes it a lot harder to hide backdoors successfully. It's far from impossible, mind you, but way harder to pull off if your target can audit the source of the program you want them to use.

      • Various US agencies hire cyber-mercenaries, mostly incompetent, or decline to turn them over to local prosecution in return for data from compromised systems. So do Russian agencies, and Chinese, perhaps even every other intelligence agency in the world.

        "Cloned software" is its own issue. Most software is cloned from somewhere, compiling it dynamically still leaves it vulnerable to source code replacement. "Downloaded from the Internet" has proven a problem for NodeJS in the last few years, and the warez d

        • Various US agencies hire cyber-mercenaries, mostly incompetent, or declines to turn them over to local prosecution in return for data from compromised systems.

          This reeks of grade A bullshit, particularly the variety that Europeans like to peddle to each other for consumption.

          • We see traces of their failures in the press occasionally:

            https://www.newyorker.com/maga... [newyorker.com]

            We've also seen cases like Kevin Mitnick, an old school cracker granted immunity by the FBI who continued his criminal abuses during his employment as a snitch on other hackers.

            https://en.wikipedia.org/wiki/... [wikipedia.org]

            Or read the "Cuckoo's Egg" by Clifford Stoll. There is little sign that US intelligence agencies have actually become more intellige

            • We see traces of their failures in the press occasionally:

              You mean like stuxnet? I wouldn't call that a failure...especially considering that A) it succeeded at what it was designed to do and B) nobody has completely reverse engineered it.

              But it is interesting you mention that in particular. Notice that despite what he leaked, you never heard of any of that stuff, with the sole exception of some portions of stuxnet itself, outside of that leak? Which also doesn't appear to be an act of incompetence, but rather malice, according to your own leak.

              We've also seen cases like Kevin Mitnick, an old school cracker granted immunity by the FBI who continued his criminal abuses during his employment as a snitch on other hackers.

              No, the FBI didn't

    • Alternatively, it could be Ukrainian hackers. Attribution is difficult with these kind of attacks.

      • by ghoul ( 157158 )
        I wouldn't call people who are provided ready-made backdoors to exploit "hackers", more like script kiddies.
        • When all your files disappear, we say you've been "hacked". We do not say you've been "kidded" or "scripted". If you got hacked you got hacked by "hacker", regardless of how much you respect their contribution.

          • These days it's typically a coordinated effort. You've got the developers who write the exploits, you've got the social engineers that deliver them, and you've got the engineers that develop the code that hosts the command and control system.

            It's not really accurate to refer to any of them as script kiddies. Script kiddies are generally just working on their own against a target of opportunity.

    • by Anonymous Coward
      Not necessarily. Could be just the old "you reap what you sow" principle.

      Cyber criminals safely harbored by the protection of the Kremlin have been shitting on the entire world for a while now, as long as they keep their actions restricted to non-Russian targets. Even though that's not even required, because the richest corporations and fat cats that can be ransomed are outside of Russia anyway. The only profit that you could probably make in Russia is if you went after their fat cats. And since all of thos
    • Ooooooooo... it's all back door conspiracies. Whatever dude. Your tinfoil hat is wearing out, better replace it.

      • by ghoul ( 157158 )
        I can't replace my tin hat. Most of it comes from Russia and with the sanctions we are running out.
  • by JoshuaZ ( 1134087 ) on Saturday December 03, 2022 @08:49AM (#63098958) Homepage
    Even before the invasion of Ukraine, Russia was one of the primary sources of ransomware, much of which also lied about being able to actually restore data. Some of it the Russian government just refused to crack down on, while other ransomware was made with clear government complicity. Even if Russia had not invaded Ukraine, this would seem like a not so bad taste of their own medicine. Given Russia's unprovoked invasion of Ukraine and large scale crimes against humanity there, I'm rooting for the malware here. Wreck all the Russian computers.
    • Even before the invasion of Ukraine, Russia was one of the primary sources of ransomware, much of which also lied about being able to actually restore data. Some of it the Russian government just refused to crack down on, while other ransomware was made with clear government complicity. Even if Russia had not invaded Ukraine, this would seem like a not so bad taste of their own medicine. Given Russia's unprovoked invasion of Ukraine and large scale crimes against humanity there, I'm rooting for the malware here. Wreck all the Russian computers.

      While I get your point and agree that karma is a bitch, "Wreck all the Russian computers" is not a good tactic. Causing absolute chaos and havoc results in unpredictable outcomes, a loss of command and control, leading to escalations that probably would not occur if someone is still able to retain control and decide to capitulate. You want to cause enough damage to convince them to surrender, not do a scorched earth where they feel they have nothing to lose; and leave a leader in control that can decide t

    • by Miles_O'Toole ( 5152533 ) on Saturday December 03, 2022 @09:07AM (#63098974)

      I couldn't help but wonder if some family members of Russia's flourishing, state-supported malware community came home in body bags, which would probably engender some animus against the government that sent them off to be slaughtered in an ill-considered military adventure. Or perhaps a malware community member was one of those young Russian men recently called up to serve as cannon fodder in Putin's catastrophic invasion of Ukraine. It would be a lot harder to track down conscripts with government records deleted or in disarray.

  • by cstacy ( 534252 ) on Saturday December 03, 2022 @12:04PM (#63099248)

    Good

  • ... as victim of attack here, but it can also look like nazis burning camp documents before a retreat.
  • Probably some fool-proof system such as checking for a Russian keyboard layout being installed, or a Russian speel-chocker dictionary in Word. So that every person completely unassociated with the Russian government (e.g., myself, or my wife) would become targets.

    More likely, some more error-prone and fragile test would be used. Because nobody important would be harmed.
