What Is CryWiper Malware?
CryWiper is a wiper malware that imitates ransomware by leaving a ransom note, but files altered by CryWiper cannot be restored—even if targets choose to pay. Rather than encrypting target system files, CryWiper overwrites them with random data, rendering the original data unrecoverable.
CryWiper was first discovered in late 2022 targeting Russian government entities, including mayoral offices and regional courts. Although no attribution has been made for the CryWiper attacks, they are likely related to the proxy cyberwar of the Russia-Ukraine conflict.
CryWiper permanently destroys documents, archives, and database files such as MySQL and Microsoft SQL Server, leaving the Windows operating system files and regular executables unimpacted. The CryWiper does not share source code with other wiper malware families such as DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, or Industroyer2. However, it does use the same email address in its faux ransom note as that of the ransomwares Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent.
Latest CryWiper News
- Details Emerge about CryWiper, a New Malware Wiper (BlackBerry Threat Intelligence Report)
- Russian Courts Targeted by New CryWiper Data Wiper Malware Posing as Ransomware (Hacker News)
- Effective, Fast, and Unrecoverable: Wiper Malware Is Popping Up Everywhere (Ars Technia)
How CryWiper Works
The CryWiper payload is a 64-bit Windows executable written in C++, often named browserupdate.exe. Once CryWiper has infected a system, it collects and sends system information to an attacker-controlled command and control (C2) server that determines whether to proceed to the malware's data destruction stage. If instructed to proceed, CryWiper uses the output of a pseudo-random number generator to replace the actual contents of files and drops a typical ransom note named README.txt, demanding 0.5 Bitcoin in each directory containing destroyed files.
Techniques used by CryWiper malware include:
- Uses WinAPI function calls to perform most of its malicious activity
- CryWiper's first-stage payload sleeps for four days to obfuscate the cause of the infection
- Creates a scheduled task that runs every five minutes, contacts a command and control (C2) server, sends information about the host, and receives a decision to proceed with file destruction or not
- Shuts down processes that block access to sensitive files such as MySQL, MS SQL Server, Microsoft Exchange, Microsoft Active Directory
- Deletes shadow copies of impacted files to prevent file recovery
- Modifies the Windows Registry HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections setting to block RDP access to the infected system
- Does not encrypt files in the C:\Windows directory, boot directories, and a select list of file extensions (.exe, .dll, .lnk, .sys or .msi) to maintain core Windows OS functionality
- Uses a known pseudo-random number generator named "Mersenne Vortex" for overwriting the contents of the target's files
Signs of a CryWiper Attack
How to Prevent a CryWiper Attack
Blackberry® Cylance®, which offers a predictive advantage over zero-day threats, is effective against malware like CryWiper. Blackberry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.
Blackberry Cylance prevents malware variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture effective against unknown, emerging, and polymorphic threats as well as traditional threats.