New CryWiper Data Wiper Targets Russian Courts, Mayor's Offices (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: A previously undocumented data wiper named CryWiper is masquerading as ransomware, but in reality, destroys data beyond recovery in attacks against Russian mayor's offices and courts. CryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian organization. [...] CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls. Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.
Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant. Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection. CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.
Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files. CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists. Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", ".lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable. After this step, CryWiper will generate ransom notes named 'README.txt', asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.
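To make the behaviour chain in the summary concrete from a defender's side, here is an added Python example (not code from the article, BleepingComputer or Kaspersky) that correlates, per host, the stages the summary lists: a five-minute scheduled task, stopped database/mail/directory services, shadow copy deletion, an RDP-blocking registry change, a burst of ".CRY" writes and a README.txt drop. The key=value telemetry format, host names, service names and the fDenyTSConnections registry value are assumptions constructed for illustration; the summary itself does not name the key.

```python
from collections import defaultdict

# Constructed telemetry, one key=value record per line (not real logs).
SAMPLE_EVENTS = r"""
host=court-fs01 type=task_create image=C:\Users\Public\browserupdate.exe interval_s=300
host=court-fs01 type=proc_stop target=MSSQLSERVER
host=court-fs01 type=shadow_delete image=C:\Users\Public\browserupdate.exe
host=court-fs01 type=reg_set value=fDenyTSConnections data=1
host=court-fs01 type=file_write path=D:\Cases\2022\ruling.docx.CRY
host=court-fs01 type=file_write path=D:\Cases\2022\appeal.pdf.CRY
host=court-fs01 type=file_write path=D:\Cases\2022\README.txt
host=mayor-ws22 type=task_create image=C:\Vendor\updater.exe interval_s=3600
host=mayor-ws22 type=file_write path=C:\Users\ivan\notes.txt
"""
# Assumed service names standing in for the MySQL / MS SQL / Exchange / AD
# products the article names; fDenyTSConnections is assumed for the RDP block.
LOCKED_DATA_SERVICES = {"MySQL", "MSSQLSERVER", "MSExchangeIS", "ADWS"}

def parse(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]

def stages_per_host(events, cry_threshold=2):
    """Map each host to the sorted list of CryWiper-like stages seen on it."""
    seen, cry_writes = defaultdict(set), defaultdict(int)
    for ev in events:
        h, t = ev["host"], ev["type"]
        if t == "task_create" and ev.get("interval_s") == "300":
            seen[h].add("task_every_5_min")          # summary: runs every five minutes
        elif t == "proc_stop" and ev.get("target") in LOCKED_DATA_SERVICES:
            seen[h].add("data_services_stopped")     # frees locked DB/mail/AD data
        elif t == "shadow_delete":
            seen[h].add("shadow_copies_deleted")     # denies easy restoration
        elif t == "reg_set" and ev.get("value") == "fDenyTSConnections" and ev.get("data") == "1":
            seen[h].add("rdp_blocked")               # hinders remote IR access
        elif t == "file_write":
            path = ev.get("path", "")
            if path.upper().endswith(".CRY"):
                cry_writes[h] += 1
                if cry_writes[h] >= cry_threshold:
                    seen[h].add("cry_extension_burst")
            elif path.upper().endswith("\\README.TXT"):
                seen[h].add("ransom_note_dropped")
    return {h: sorted(s) for h, s in seen.items()}

def is_wiper_like(stages):
    """Alert only when destruction (.CRY burst) is paired with a recovery-denial step."""
    return "cry_extension_burst" in stages and (
        "shadow_copies_deleted" in stages or "rdp_blocked" in stages)
```

Because the shadow copies are gone before the ".CRY" burst, the only recovery path the article leaves is an offline or immutable backup, so the alert is most useful as a trigger to isolate the host and verify backups rather than to attempt decryption.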
Closed source==Govt backdoors (Score:2)
Re: (Score:2)
Re: (Score:2)
Creating chaos in your enemy's country is very sound strategy. CIA specializes in this.
Military depends on civilian infrastructure to operate.
e.g. bork the traffic lights on the highways and railroads resulting in crashes and that cuts the supply lines.
OP is spot-on about Russian government using Windows. Terrible strategic mistake.
Re:Closed source==Govt backdoors (Score:5, Interesting)
Creating chaos in your enemy's country is very sound strategy. CIA specializes in this.
But the justice system of Russia is already in chaos. You only win if you're paying the judge *more* than the opponent, also you cannot win against anyone close to the circle of power, be it local or federal. A computer system is not of much use to them for this kind of justice system.
If it's CIA, they are wasting their shots at an irrelevant target (that removes surprise and gives Russia time to ) just like Russia is wasting precision missiles hitting energy generators.
Re: (Score:2)
If Russia is surprised by an attack then they're even dumber than I thought
Re: (Score:3)
Maybe. But those same backdoors are likely known to the Russian govt. approved hacker groups that used to share membership between Russia and the Ukraine.
Actually, one doesn't even need to suppose that the backdoors were at the behest of some government or other, just that they were known to some such group. We do know that govt. agencies occasionally insist that such backdoors be created, but it's not like they're the only "bugs".
P.S.: Open source is not immune. It does, however, tend to fix the bugs a
Re: (Score:2)
Open source makes it a lot harder to hide backdoors successfully. It's far from impossible, mind you, but way harder to pull off if your target can audit the source of the program you want them to use.
Re: (Score:2)
Various US agencies hire cyber-mercenaries, mostly incompetent, or decline to turn them over to local prosecution in return for data from compromised systems. So do Russian agencies, and Chinese, perhaps even every other intelligence agency in the world.
"Cloned software" is its own issue. Most software is cloned from somewhere, compiling it dynamically still leaves it vulnerable to source code replacement. "Downloaded from the Internet" has proven a problem for NodeJS in the last few years, and the warez d
Re: Closed source==Govt backdoors (Score:2)
Various US agencies hire cyber-mercenaries, mostly incompetent, or decline to turn them over to local prosecution in return for data from compromised systems.
This reeks of grade A bullshit, particularly the variety that Europeans like to peddle to each other for consumption.
Re: (Score:2)
We see traces of their failures in the press occasionally:
https://www.newyorker.com/maga... [newyorker.com]
We've also seen cases like Kevin Mitnick, an old school cracker granted immunity by the FBI who continued his criminal abuses during his employment as a snitch on other hackers.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Or read the "Cuckoo's Egg" by Clifford Stoll. There is little sign that US intelligence agencies have actually become more intellige
Re: (Score:2)
We see traces of their failures in the press occasionally:
You mean like Stuxnet? I wouldn't call that a failure... especially considering that A) it succeeded at what it was designed to do and B) nobody has completely reverse engineered it.
But it is interesting you mention that in particular. Notice that despite what he leaked, you never heard of any of that stuff, with the sole exception of some portions of Stuxnet itself, outside of that leak? Which also doesn't appear to be an act of incompetence, but rather malice, according to your own leak.
We've also seen cases like Kevin Mitnick, an old school cracker granted immunity by the FBI who continued his criminal abuses during his employment as a snitch on other hackers.
No, the FBI didn't
Re: (Score:2)
Alternatively, it could be Ukrainian hackers. Attribution is difficult with these kind of attacks.
Re: (Score:2)
Re: Closed source==Govt backdoors (Score:3)
When all your files disappear, we say you've been "hacked". We do not say you've been "kidded" or "scripted". If you got hacked you got hacked by "hacker", regardless of how much you respect their contribution.
Re: Closed source==Govt backdoors (Score:2)
These days it's typically a coordinated effort. You've got the developers who write the exploits, you've got the social engineers that deliver them, and you've got the engineers that develop the code that hosts the command and control system.
It's not really accurate to refer to any of them as script kiddies. Script kiddies are generally just working on their own against a target of opportunity.
Re: (Score:1)
Cyber criminals safely harbored by the protection of the Kremlin have been shitting on the entire world for a while now as long as they keep their actions restricted to non-Russian targets. Even though that's not even required because the most rich corporations and fat cats that can be ransomed are outside of Russia anyway. The only profit that you could probably make in Russia is if you went after their fat cats. And since all of thos
Re: (Score:1)
Ooooooooo... it's all back door conspiracies. Whatever dude. Your tinfoil hat is wearing out, better replace it.
Re: (Score:2)
Re: (Score:1)
Depends on the kind of bug they exploited. If they were multiple-free bugs, then yes, Rust should prevent it (if properly used). If they were fence-post errors, lots of languages would prevent them. Unless you picked "unsafe optimization". Even Ada could catch those. Etc.
So there are lots of kinds of accidental bugs that I would expect Rust to severely reduce. But it isn't the only language to do so. Concurrency bugs is where Rust really innovated, though, so if you aren't writing concurrent code, I
Re: cxx? well there's your problem (Score:2)
Is Rust really innovative in concurrency? Aren't they just doing what JavaScript does with the event loop, but applying it to pointers instead of an I/O resource? Doesn't it just sort of pause one thread while the other thread finishes?
Now, certainly Rust is more robust in that you can manage the threads directly. And I don't code in Rust so I'm just basing this on reading the language docs and fiddling a bit. But Rust did not strike me as innovative here.
By "unfortunately" do you mean "fortunately?" (Score:3)
Re: (Score:2)
Even before the invasion of Ukraine, Russia was one of the primary sources of ransomware, much of which also lied about being able to actually restore data. Some the Russian government just refused to crack down on, while other was made with clear government complicity. Even if Russia had not invaded Ukraine, this would seem like a not so bad taste of their own medicine. Given Russia's unprovoked invasion of Ukraine and large scale crimes against humanity there, I'm rooting for the malware here. Wreck all the Russian computers.
While I get your point and agree that karma is a bitch, "Wreck all the Russian computers" is not a good tactic. Causing absolute chaos and havoc results in unpredictable outcomes, a loss of command and control, leading to escalations that probably would not occur if someone is still able to retain control and decide to capitulate. You want to cause enough damage to convince them to surrender, not do a scorched earth where they feel they have nothing to lose; and leave a leader in control that can decide t
Re:By "unfortunately" do you mean "fortunately?" (Score:5, Interesting)
I couldn't help but wonder if some family members of Russia's flourishing, state-supported malware community came home in body bags, which would probably engender some animus against the government that sent them off to be slaughtered in an ill-considered military adventure. Or perhaps a malware community member was one of those young Russian men recently called up to serve as cannon fodder in Putin's catastrophic invasion of Ukraine. It would be a lot harder to track down conscripts with government records deleted or in disarray.
Good (Score:3)
Good
Russia painted... (Score:2)
How are they going to identify targets? (Score:2)
More likely, some more error-prone and fragile test would be used. Because nobody important would be harmed.