New CryWiper Wiper Targets Russian Organizations

According to Kaspersky Lab, Russian organizations are currently under attack from a new malware called CryWiper. This malicious software pretends to be ransomware and demands a ransom, but in reality, it does not encrypt files—it destroys them permanently.

How CryWiper Works

Researchers report that after infecting a device, CryWiper corrupts the victim’s files and displays a ransom note. The note includes an email address and a Bitcoin wallet, demanding more than 500,000 rubles (about 0.5 BTC) for data recovery. However, the files are irreversibly damaged, and analysis of the malware’s code shows that this is intentional, not a programming error.

Experts have noted that the email address left by the attackers has appeared in previous attacks, including those involving the Xorist ransomware. This could mean that the malware distributor previously used ransomware and has now switched to wipers, or that the attackers are using someone else’s contact information to mislead researchers. To further complicate incident response, CryWiper also blocks RDP (Remote Desktop Protocol) access to the infected device.

Targets and Attack Methods

The wiper destroys the contents of files of all formats except those essential for the operating system. Databases, archives, and documents are especially at risk. The malware does not autonomously decide which files to destroy; instead, it sends a request to a command-and-control server and only begins its destructive activity after receiving permission. Corrupted files are given the additional extension .CRY.
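The .CRY extension and the file categories named above give responders a quick way to size the damage on an affected share. The following triage helper is an added example, not code from Kaspersky or from the malware; the category buckets and the sample directory it builds are assumptions constructed for the demonstration.

```python
"""Triage helper for CryWiper-style artifacts (added example, not Kaspersky's code).

Walks a directory tree, collects every file that carries the appended ".CRY"
extension described in the report, and groups hits by the original extension
so an incident responder can see how many databases, archives and documents
were destroyed.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

WIPER_EXT = ".CRY"  # extension appended to corrupted files, per the report

# Category buckets are an assumption for reporting; extend to local file types.
CATEGORIES = {
    "database": {".db", ".sqlite", ".mdf", ".dbf"},
    "archive": {".zip", ".rar", ".7z", ".tar", ".gz"},
    "document": {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"},
}


def classify(original_suffix: str) -> str:
    """Map the extension that was under .CRY to a coarse category."""
    suffix = original_suffix.lower()
    for name, exts in CATEGORIES.items():
        if suffix in exts:
            return name
    return "other"


def find_wiped(root: str) -> list[tuple[str, str]]:
    """Return (path, category) for every file ending in .CRY under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.upper().endswith(WIPER_EXT):
                original = Path(fn[: -len(WIPER_EXT)])
                hits.append((os.path.join(dirpath, fn), classify(original.suffix)))
    return hits


def summarize(root: str) -> dict[str, int]:
    """Count wiped files per category for a quick damage report."""
    return dict(Counter(cat for _path, cat in find_wiped(root)))


def build_sample_tree() -> str:
    """Constructed throwaway directory standing in for a hit file share."""
    root = tempfile.mkdtemp(prefix="crywiper_demo_")
    for name in ("accounts.mdf.CRY", "backup.zip.CRY", "memo.docx.CRY",
                 "notes.txt", "kernel32.dll"):  # last two untouched, as the OS files are
        Path(root, name).write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for path, cat in find_wiped(demo):
        print(cat, path)
    print(summarize(demo))
```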

According to Izvestia, CryWiper attacks have affected city administrations and courts in various Russian regions. Igor Bederov, head of the information and analytical research department at T.Hunter, believes these attacks on Russian government agencies may be linked to the current geopolitical situation.

Expert Commentary and Recommendations

“The CryWiper attack once again demonstrates that paying a ransom does not guarantee file recovery. So far, we have seen isolated incidents, but the malware could start targeting organizations more aggressively. To counter such threats, companies need to implement comprehensive corporate network perimeter protection and train employees in basic cybersecurity hygiene, as attacks often begin with phishing or other social engineering techniques,” commented Fedor Sinitsyn, a cybersecurity expert at Kaspersky Lab.