On December 1, 2022, Kaspersky published a report on a new wiper disguised as ransomware. Dubbed “CryWiper,” it is particularly devastating. It was first spotted this fall and has reportedly only been used to attack Russian courts and city halls.
It allows attackers to take control of a machine and encrypt its files. The attackers then demand a ransom of 0.5 bitcoins (about 8,100 euros), but no matter what the victim does, the files are destroyed once the ultimatum expires.
“CryWiper” also deletes all backup copies on the infected machine to prevent restoration, and it modifies the Windows registry to prevent remote connections. The malware thus severely disrupts incident response, which often makes it fatal for infected information systems (IS).
In terms of code and functionality, “CryWiper” is not related to any listed malware family. Its algorithm does resemble that of another wiper, “IsaacWiper”, used by Russian groups to attack the Ukrainian government in March 2022. However, there is currently no evidence that identifies its origin.