Kaspersky warns of malware that behaves like ransomware but destroys data directly instead of encrypting it. Virus analysts discovered malware on systems in Russia.
Is this ransomware?
Virus analysts describe that when a computer is infected, the malware modifies files, appends a .CRY extension to them and stores a README.txt file with a ransom message on the computer. The message includes a bitcoin wallet address, a contact email and a transaction ID. However, the malware is a wiper, that is, a malicious program that destroys data. The authors explain that the allegedly encrypted files can never be restored to their original state. So if you find a ransom note and files with the .CRY extension, paying the ransom is pointless.
During the analysis, the virus experts came to the conclusion that this was not a case of flawed ransomware destroying data accidentally because of poorly programmed encryption routines, as has occasionally been observed in the past. Rather, the analysts assume deliberate data destruction: the data is not encrypted, but the Trojan overwrites it with pseudo-random data.
In doing so, CryWiper damages all data that is not essential to the functioning of the operating system. The malware spares files with the extensions .exe, .dll, .lnk, .sys and .msi as well as many subfolders of C:\Windows; it focuses on databases, archives and user documents.
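The scoping step an incident responder would run against such a system, as an added example that is not part of the article or Kaspersky's analysis: walk a directory tree, count files carrying the .CRY extension and the README.txt notes, check whether any of the file types the article says are spared were hit anyway, and measure the byte entropy of the .CRY files. The ransom-note text, the directory layout and the 7.5 bits/byte entropy cut-off are constructed assumptions for this example; note that high entropy only shows the content is no longer plaintext, it cannot by itself tell wiping apart from encryption, so the "no recovery" conclusion rests on the analysts' finding, not on this check.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Behaviour described in the article: CryWiper overwrites non-system files
# with pseudo-random data, appends ".CRY", drops README.txt, and spares
# executables/system files and most of C:\Windows.
SPARED_SUFFIXES = {".exe", ".dll", ".lnk", ".sys", ".msi"}
RANSOM_NOTE = "README.txt"
WIPED_SUFFIX = ".cry"
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "not plaintext"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; pseudo-random data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(root: str) -> dict:
    """Scope a suspected CryWiper incident under `root`.

    Returns counts that tell a responder what was hit, whether the spared
    file types really were spared, and whether the .CRY content is random.
    """
    wiped, notes, spared_hit, high_entropy = [], [], [], 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            notes.append(str(path))
        elif path.suffix.lower() == WIPED_SUFFIX:
            wiped.append(str(path))
            # The original extension sits before ".CRY", e.g. report.docx.CRY
            if Path(path.stem).suffix.lower() in SPARED_SUFFIXES:
                spared_hit.append(str(path))
            if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
                high_entropy += 1
    return {
        "wiped_files": len(wiped),
        "ransom_notes": len(notes),
        "wiped_with_random_content": high_entropy,
        "spared_types_hit": len(spared_hit),
    }


def build_sample_tree() -> str:
    """Constructed sample: a tiny tree imitating a hit system (not real data)."""
    root = tempfile.mkdtemp(prefix="crywiper-triage-")
    docs = Path(root) / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    for name in ("report.docx", "customers.db", "backup.zip"):
        (docs / f"{name}.CRY").write_bytes(os.urandom(4096))  # random, like a wiped file
    (docs / RANSOM_NOTE).write_text(
        "All your files have been encrypted.\n"  # constructed placeholder note
        "Bitcoin: <WALLET PLACEHOLDER>\nContact: <EMAIL PLACEHOLDER>\n"
        "ID: <TRANSACTION ID PLACEHOLDER>\n"
    )
    win = Path(root) / "Windows"
    win.mkdir()
    (win / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 100)  # spared file, intact
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

On a real system the function would be pointed at the data volumes (including a D: drive, where the article notes database backups may survive) rather than a temporary directory; the counters are what you would paste into the incident timeline.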
So far only targets in Russia
So far, Kaspersky has only detected attacks on targets in the Russian Federation. However, as always, no one can guarantee that the same malicious code will not be used against other targets.
Besides overwriting file contents with garbage, CryWiper has other features. The malware creates a scheduled task that restarts it every five minutes. It also sends the name of the infected computer to the command-and-control server and waits for the command to launch the attack. CryWiper terminates processes belonging to MySQL, MS SQL and Exchange as well as the MS Active Directory web services, whose files would otherwise be locked and thus protected from manipulation.
The malware also deletes shadow copies, but only on drive C: – a small ray of hope for affected administrators, since backup copies of databases may still exist on drive D:, which in practice is often used by Exchange and SQL Server. It also stops the RDP service. Kaspersky suspects this is meant to make the job of any incident response team more difficult.
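The four behaviours just described (five-minute restart task, killing database and Exchange processes, shadow-copy deletion on C:, stopping RDP) are what a detection engineer would key on, because each is rare on a healthy server and their combination on one host is rarer still. The following is an added example, not code from the article or from Kaspersky: a small correlation rule run over constructed Sysmon-style process-creation events. The command-line forms it matches (schtasks, taskkill, vssadmin, net stop TermService) are assumptions for the example; the article does not say how CryWiper performs each step, and a wiper may use Windows APIs directly, so the rule covers the tooling path, not every implementation.

```python
import re
from collections import defaultdict

# Behaviours attributed to CryWiper in the article. The command-line patterns
# are ASSUMPTIONS for this example: the malware may implement the same steps
# through APIs rather than these built-in tools.
RULES = [
    ("persistence_5min_task",
     re.compile(r"schtasks.*/sc\s+minute.*/mo\s+5\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("rdp_service_stop",
     re.compile(r"\b(sc|net)\s+stop\s+TermService\b", re.I)),
    ("db_or_mail_process_kill",
     re.compile(r"taskkill.*\b(sqlservr|mysqld|msexchange)", re.I)),
]

# Constructed sample events (host name, task name and paths are made up).
SAMPLE_EVENTS = [
    {"host": "FS01", "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\Public\\svc.exe /sc minute /mo 5"},
    {"host": "FS01", "cmdline": "taskkill /f /im sqlservr.exe"},
    {"host": "FS01", "cmdline": "vssadmin delete shadows /for=C: /all /quiet"},
    {"host": "FS01", "cmdline": "net stop TermService"},
    {"host": "WS07", "cmdline": "schtasks /query /tn Backup"},      # benign admin activity
    {"host": "WS07", "cmdline": "vssadmin list shadows"},           # benign, read-only
]


def classify(cmdline: str) -> list:
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def behaviours_by_host(events) -> dict:
    """Collect the distinct suspicious behaviours seen per host."""
    seen = defaultdict(set)
    for ev in events:
        for name in classify(ev["cmdline"]):
            seen[ev["host"]].add(name)
    return dict(seen)


def alerts(events, min_behaviours: int = 2) -> list:
    """Hosts showing at least `min_behaviours` distinct behaviours, sorted."""
    return sorted(h for h, b in behaviours_by_host(events).items()
                  if len(b) >= min_behaviours)


if __name__ == "__main__":
    for host, found in behaviours_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(found))
    print("alert:", alerts(SAMPLE_EVENTS))
```

Requiring two distinct behaviours keeps a lone `vssadmin delete shadows` from a backup job or a single scheduled-task creation from paging anyone, while a host that kills SQL Server, wipes its shadow copies and stops RDP within one log window is flagged before the restart task has had many five-minute cycles to run.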
In their blog entry, the Kaspersky authors also provide information about protective measures. IT managers should keep a close eye on remote connections into their own infrastructure: access from public networks should be prevented, RDP access should be protected, for example with a VPN tunnel, and strong passwords should be used in conjunction with two-factor authentication. Critical software should receive timely updates, with a special focus on operating systems, security software, VPN clients and remote access tools. Lastly, employee training to increase awareness of IT security is also on the list.
Ransomware has been slowly changing for some time. Cyber criminals are moving away from pure (error-prone) local encryption with extortion, towards destroying local data after copying it, and towards exfiltrating and selling sensitive data captured during break-ins.