According to local media reports, Russian courts and government agencies have been hit by a previously-undocumented strain of data-wiping malware known as CryWiper.
The malware was first discovered in August, when hundreds of PCs belonging to Russia’s Supreme Court, Ministry of Justice, as well as other courts across the country were infected with what was originally believed to be ransomware.
Like conventional ransomware, CryWiper displays a ransom message demanding payment for recovery of data that it had encrypted. In its case, CryWiper demanded a Bitcoin ransom be paid by victims.
However, deeper analysis has identified that in truth CryWiper did not encrypt files on the attacked systems but instead overwrote them with garbage – deliberately making recovery impossible, even if the ransom was paid.
CryWiper’s intentional destruction of victims’ data is not going to make it successful in generating income for its creators. After all, word would soon get around that victims were not able to recover their data despite paying the ransom, preventing others from making the same costly mistake.
And so it is clear that the prime objective of the CryWiper malware is not to make money, but rather to destroy data and disrupt the operations of organisations.
If I were a betting man, I would wager that those responsible for CryWiper were specifically targeting Russian systems as part of an ongoing digital conflict between Ukraine and Russia.
CryWiper, it appears, is following in the footsteps of RuRansom, another data-wiper that posed as conventional ransomware when attacking Russian organisations soon after the invasion of Ukraine.
It’s important for all organisations, wherever they might be in the world, to take measures to reduce the chances of being hit by hackers, and also to realise that there is no such thing as a cast-iron guarantee that you will get your data back when paying a ransom.