![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneIt's an interesting attack. Once infected, the malware sits there. It contacts a control server and asks permission to attack. When permission is granted, it goes into the Windows Registry and makes changes to prevent Remote Desktop from contacting the computer, so remote administrators can't get into the PC and try to stop the attack. Pretty clever move, that. Then it stops database services so that databases are available. Normally database services lock their databases so those files can't be wiped, stopping the services make them vulnerable.
THEN the wiper launches! It poses as a ransomware attack, launching a pseudo-random number generator, overwriting the files with gibberish and giving them a .cry extension, thus it is now known as the Cry Wiper. The random gibberish makes it look like the file is encrypted, but analysis of the code reveals that it's a random number generator, meaning that even if you pay the demanded 0.5 Bitcoin ransom, you're never getting anything back.
It's common in ransomware attacks to change the extension of the file so people can recognize that they've been compromised and the files are no longer what they were.
Another clever thing about this is that it automatically excludes program and system files: com, exe, dll, etc., so the computer will continue to run perfectly normally, but no data will survive. The articles that I've read don't mention if this will crawl across network shares or seek elevated access privileges, but they weren't very deep articles.
A similar program struck Ukraine earlier this year, probably launched by Russian hacker group(s).
No attribution to this attack has been found. Since no ransomware can be collected, even though a Bitcoin digital wallet is provided, that's probably a dead trail.
https://arstechnica.com/information-technology/2022/12/never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/
https://it.slashdot.org/story/22/12/03/0044234/new-crywiper-data-wiper-targets-russian-courts-mayors-offices
THEN the wiper launches! It poses as a ransomware attack, launching a pseudo-random number generator, overwriting the files with gibberish and giving them a .cry extension, thus it is now known as the Cry Wiper. The random gibberish makes it look like the file is encrypted, but analysis of the code reveals that it's a random number generator, meaning that even if you pay the demanded 0.5 Bitcoin ransom, you're never getting anything back.
It's common in ransomware attacks to change the extension of the file so people can recognize that they've been compromised and the files are no longer what they were.
Another clever thing about this is that it automatically excludes program and system files: com, exe, dll, etc., so the computer will continue to run perfectly normally, but no data will survive. The articles that I've read don't mention if this will crawl across network shares or seek elevated access privileges, but they weren't very deep articles.
A similar program struck Ukraine earlier this year, probably launched by Russian hacker group(s).
No attribution to this attack has been found. Since no ransomware can be collected, even though a Bitcoin digital wallet is provided, that's probably a dead trail.
https://arstechnica.com/information-technology/2022/12/never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/
https://it.slashdot.org/story/22/12/03/0044234/new-crywiper-data-wiper-targets-russian-courts-mayors-offices
