[personal profile] thewayne
It's an interesting attack. Once infected, the malware sits there. It contacts a control server and asks permission to attack. When permission is granted, it goes into the Windows Registry and makes changes to prevent Remote Desktop from contacting the computer, so remote administrators can't get into the PC and try to stop the attack. Pretty clever move, that. Then it stops database services so that the database files are accessible. Normally database services lock their databases so those files can't be wiped; stopping the services makes them vulnerable.

THEN the wiper launches! It poses as a ransomware attack: it runs a pseudo-random number generator, overwrites the files with gibberish and gives them a .cry extension, hence the name CryWiper. The random gibberish makes it look like the file is encrypted, but analysis of the code reveals that it's just a random number generator, meaning that even if you pay the demanded 0.5 Bitcoin ransom, you're never getting anything back.

It's common in ransomware attacks to change the extension of the file so people can recognize that they've been compromised and the files are no longer what they were.

Another clever thing about this is that it automatically excludes program and system files: com, exe, dll, etc., so the computer will continue to run perfectly normally, but no data will survive. The articles that I've read don't mention if this will crawl across network shares or seek elevated access privileges, but they weren't very deep articles.
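As an added defender-side example (my code, not from the post or the linked articles): a triage script that looks for the .cry rename described above and uses byte entropy to separate files whose contents look like PRNG output from files that merely carry the extension. The entropy threshold, the sample file names and the sample tree are constructed assumptions for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

WIPER_EXTENSION = ".cry"   # extension the post says CryWiper appends
ENTROPY_THRESHOLD = 7.5    # bits/byte (assumed); PRNG output sits near 8.0, text far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for byte data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root: Path) -> dict:
    """Walk root and bucket each file: .cry files that look random (consistent with
    the PRNG overwrite the post describes), .cry files with structure left in them
    (worth manual review), and everything else (e.g. the exe/dll/com files the wiper skips)."""
    result = {"random_looking": [], "structured": [], "unchanged": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() != WIPER_EXTENSION:
            result["unchanged"].append(path.name)
            continue
        # Sample the first 64 KiB; enough to classify without reading huge files.
        entropy = shannon_entropy(path.read_bytes()[:65536])
        bucket = "random_looking" if entropy >= ENTROPY_THRESHOLD else "structured"
        result[bucket].append(path.name)
    return result


def build_sample_tree() -> Path:
    """Constructed sample: one 'wiped' data file, one .cry file that is really plain
    text, and one untouched executable-style file."""
    root = Path(tempfile.mkdtemp(prefix="crywiper-triage-"))
    (root / "ledger.db.cry").write_bytes(os.urandom(4096))
    (root / "notes.txt.cry").write_bytes(b"quarterly report " * 256)
    (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)
    return root


def demo() -> dict:
    return triage_directory(build_sample_tree())


if __name__ == "__main__":
    print(demo())
```

Run it against a backup or a mounted image of an affected share rather than the live host; the "structured" bucket is where a real encryptor or an interrupted overwrite would show up.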

A similar program struck Ukraine earlier this year, probably launched by Russian hacker group(s).

No attribution for this attack has been found. Since no ransom can be collected, even though a Bitcoin wallet is provided, that's probably a dead trail.

https://arstechnica.com/information-technology/2022/12/never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/

https://it.slashdot.org/story/22/12/03/0044234/new-crywiper-data-wiper-targets-russian-courts-mayors-offices

Date: 2022-12-16 12:38 am (UTC)
From: [personal profile] dewline
There is a certain symmetry here...

Date: 2022-12-16 08:12 am (UTC)
From: [personal profile] disneydream06
So, is Russia attacking Russia, or is somebody from outside Russia giving them a taste of their own medicine? lol.........
Hugs, Jon

Date: 2022-12-17 02:03 am (UTC)
From: [personal profile] disneydream06
Well, what goes around comes around. lol...

Date: 2022-12-18 04:59 am (UTC)
From: [personal profile] silveradept
It certainly seems like the kind of attack that's meant to target something where losing access to the databases is the incapacitating factor. That seems restrained for many of the entities that we have been talking about with regard to cyberwarfare.

Date: 2022-12-18 08:05 am (UTC)
From: [personal profile] silveradept
Of course. That the wiper only targets the databases and nothing else is what I was thinking of as restraint - most non-state actors that I know of would want to be louder and brasher in their work and taking credit for the work, and they would probably prefer to wreck the whole machine, not just the databases.

Well ...

Date: 2022-12-18 10:07 am (UTC)
From: [personal profile] ysabetwordsmith
Cry me a river, bitches.

I agree that it is a clever and wicked virus, but I have no sympathy for Russia. Who lives by the hack, dies by the hack.
