CryWiper Malware

What Is CryWiper Malware?

CryWiper is a wiper malware that imitates ransomware by leaving a ransom note, but files altered by CryWiper cannot be restored—even if targets choose to pay. Rather than encrypting target system files, CryWiper overwrites them with random data, rendering the original data unrecoverable. 

CryWiper was first discovered in late 2022 targeting Russian government entities, including mayoral offices and regional courts. Although no attribution has been made for the CryWiper attacks, they are likely related to the proxy cyberwar of the Russia-Ukraine conflict.

CryWiper permanently destroys documents, archives, and database files such as MySQL and Microsoft SQL Server, leaving the Windows operating system files and regular executables unimpacted. CryWiper does not share source code with other wiper malware families such as DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, or Industroyer2. However, it does use the same email address in its faux ransom note as the ransomware families Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent.

How CryWiper Works

The CryWiper payload is a 64-bit Windows executable written in C++, often named browserupdate.exe. Once CryWiper has infected a system, it collects and sends system information to an attacker-controlled command and control (C2) server, which determines whether the malware proceeds to its data destruction stage. If instructed to proceed, CryWiper replaces the actual contents of files with the output of a pseudo-random number generator and drops a typical ransom note named README.txt in each directory containing destroyed files, demanding 0.5 Bitcoin.

Techniques used by CryWiper malware include:

  • Uses WinAPI function calls to perform most of its malicious activity
  • CryWiper's first-stage payload sleeps for four days to obfuscate the cause of the infection 
  • Creates a scheduled task that runs every five minutes, contacts a command and control (C2) server, sends information about the host, and receives a decision to proceed with file destruction or not
  • Shuts down processes that block access to sensitive files such as MySQL, MS SQL Server, Microsoft Exchange, Microsoft Active Directory
  • Deletes shadow copies of impacted files to prevent file recovery
  • Modifies the Windows Registry HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections setting to block RDP access to the infected system
  • Leaves untouched the files in the C:\Windows directory, boot directories, and files with a select list of extensions (.exe, .dll, .lnk, .sys or .msi) to maintain core Windows OS functionality
  • Uses a known pseudo-random number generator named "Mersenne Vortex" for overwriting the contents of the target's files

Signs of a CryWiper Attack

Based on the limited information available about CryWiper, it is most often delivered in a portable executable (PE) format with the filename browserupdate.exe. As CryWiper overwrites files, it adds a .CRY or .cry extension to each file it alters and places a file named README.txt in each directory demanding 0.5 Bitcoin for a decryptor. The ransom note contains convincing information such as a contact email address, an infection ID number, and a wallet address. However, analysis of the malware's payload confirms that files impacted by CryWiper are not encrypted but overwritten with random data, making them unrecoverable.
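The indicators above (an appended .CRY/.cry suffix, a README.txt in every affected directory, and file contents replaced by pseudo-random output) can be turned into a quick offline triage check. The following Python script is an added example, not code from the original page or from BlackBerry; the note marker string, the entropy threshold and the sample directory tree it builds are constructed assumptions. It goes one step beyond the text by separating directories whose .cry files really are random data (consistent with CryWiper, nothing to recover) from directories where the files were only renamed and their content is still intact.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the write-up: .CRY/.cry suffix, README.txt per directory, random contents.
WIPED_SUFFIX = ".cry"
NOTE_NAME = "README.txt"
NOTE_MARKER = b"0.5 Bitcoin"   # constructed marker; real note wording varies
ENTROPY_THRESHOLD = 7.5        # bits per byte; PRNG output sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for an empty buffer)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str) -> dict:
    """Summarise each directory holding .cry files; 'overwritten' means every such
    file looks random (consistent with CryWiper), 'content intact' means at least
    one still looks structured and deserves a closer look before declaring it lost."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        wiped = [n for n in names if n.lower().endswith(WIPED_SUFFIX)]
        if not wiped:
            continue
        note = Path(dirpath, NOTE_NAME)
        note_present = note.is_file() and NOTE_MARKER in note.read_bytes()
        random_like = sum(
            shannon_entropy(Path(dirpath, n).read_bytes()) >= ENTROPY_THRESHOLD
            for n in wiped)
        findings[os.path.relpath(dirpath, root)] = {
            "wiped_files": len(wiped),
            "note_present": note_present,
            "random_like": random_like,
            "verdict": "overwritten" if random_like == len(wiped) else "content intact",
        }
    return findings

def build_sample_tree() -> str:
    """Constructed evidence: one truly wiped directory, one with renamed-only files."""
    root = tempfile.mkdtemp(prefix="crywiper_triage_")
    docs = Path(root, "docs"); docs.mkdir()
    (docs / "report.docx.CRY").write_bytes(random.Random(7).randbytes(4096))
    (docs / NOTE_NAME).write_bytes(b"Pay 0.5 Bitcoin to wallet <constructed>\n")
    renamed = Path(root, "renamed_only"); renamed.mkdir()
    (renamed / "notes.txt.cry").write_bytes(b"Quarterly figures, see sheet 2.\n" * 64)
    return root
```

Run scan_tree() against a mounted image or a copy of the affected share, never the live host, so the triage itself does not disturb evidence.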

How to Prevent a CryWiper Attack

Preparing for a CryWiper attack is critical since files cannot be recovered—even if you are willing to pay the requested ransom. This means installing and implementing reliable endpoint security solutions such as anti-virus software or an advanced Endpoint Detection and Response (EDR) product and regularly updating them. The unforgiving nature of CryWiper's impact also means that a reliable data backup strategy is essential for restoring access to any impacted files.

BlackBerry® Cylance®, which offers a predictive advantage over zero-day threats, is effective against malware like CryWiper. BlackBerry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.

BlackBerry Cylance prevents malware variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture effective against unknown, emerging, and polymorphic threats as well as traditional threats.