Data-wiping malware hits Russian courts, city halls

A new malware that masquerades as ransomware but wipes data from infected devices instead of holding it for ransom has been found targeting Russian organizations, according to new research.

The malware was first detected this fall when it targeted courts and city halls in several Russian regions, local media reported last week. The victims did not elaborate on the consequences of these attacks.

Researchers from Moscow-based cybersecurity firm Kaspersky, which identified CryWiper, haven’t attributed the malware to any specific group. Wipers have been increasingly common in the region since Russia invaded Ukraine.

Ukraine has been hit with wipers such as WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero, while Russia was targeted by a wiper called RuRansom disguised as ransomware.

CryWiper is a new discovery unrelated to existing families, according to Kaspersky. It has some similar features to IsaacWiper, which hit at least one Ukrainian government organization on the day of Russia’s invasion.

Wiper under the guise

CryWiper behaves like run-of-the-mill ransomware: it modifies files and leaves a ransom note, which contains a bitcoin wallet address, an e-mail address, and the infection ID. 

The wiper’s victims in Russia were asked to pay $8,000, but a ransom wouldn't save them — the malware would still wipe all files from the affected devices.

Usually, some strains of wiper malware are created by mistake, but not CryWiper. “Our experts are confident that the main goal of the attackers is not financial gain, but destroying data,” Kaspersky wrote in a statement on Friday.

Kaspersky has so far only detected CryWiper’s attacks against Russian targets, but said that “no one can guarantee that the same code won’t be used against other targets.”

The malware’s main targets are databases, archives, and user documents, which it destroys beyond recovery. CryWiper also deletes shadow copies of the files so that they cannot be restored.

Almost all wipers behave in the same way. One of the most famous wiper attacks was NotPetya in 2017, which reportedly caused more than $10 billion in global damages. 

Wiper attacks have been conducted by government-sponsored threat actors to serve political interests, not to generate profit, according to Secureworks.