Alex Bliss and Tiffany Williams
What is CryWiper?
A threatening new type of ransomware has emerged: CryWiper. Normal ransomware trojans spread across vulnerable networks, identifying and encrypting files and preventing their use unless a ransom is paid. CryWiper follows the same script but with a devastating change at the finish: the files it "encrypts" are in fact destroyed by the malware.
CryWiper functions like normal ransomware at first. On an infected Windows host it creates a scheduled task that re-launches the malware, establishes a link to a command-and-control (C2) server and awaits the signal to start. Once it receives that signal, it shuts down database servers, mail servers and Active Directory services. It then deletes shadow copies of files on the file system and disables the Remote Desktop Protocol (RDP) service that allows remote connection to the host. Finally, it begins encrypting the target files with a key, but in a sinister twist it also overwrites portions of those files with garbage data, so a file appears to still exist while its contents are destroyed.
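The behaviour chain described above (persistence task, service shutdown, shadow copy deletion, RDP disabled) is what a defender would look for in endpoint process-creation telemetry. The script below is an added illustration, not code from the original post or from Kaspersky's research; the host names, command lines, event format and the alert threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events as (host, command line) pairs.
# These are illustrative only, not real telemetry from a CryWiper infection.
SAMPLE_EVENTS = [
    ("WS01", r'schtasks /create /sc minute /mo 5 /tn "upd" /tr C:\Users\Public\svc.exe /f'),
    ("WS01", r"net stop MSSQLSERVER /y"),
    ("WS01", r"vssadmin delete shadows /all /quiet"),
    ("WS01", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
             r"/v fDenyTSConnections /t REG_DWORD /d 1 /f"),
    ("WS02", r"vssadmin list shadows"),   # benign admin activity
    ("WS02", r"net stop Spooler"),         # benign admin activity
]

# Each stage of the chain described for CryWiper, mapped to a command-line pattern
# (stage names are our own labels, not indicators published for this malware).
BEHAVIOURS = {
    "persistence_task": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    "service_shutdown": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "rdp_disabled": re.compile(r"fDenyTSConnections.*/d\s+1\b", re.I),
}


def classify(cmdline):
    """Return the set of chain stages a single command line matches."""
    return {name for name, pattern in BEHAVIOURS.items() if pattern.search(cmdline)}


def score_hosts(events, threshold=3):
    """Flag hosts on which at least `threshold` distinct stages were observed.

    Any single stage (stopping a service, listing shadow copies) is routine
    administration; it is the combination on one host that signals a wiper.
    """
    stages_by_host = defaultdict(set)
    for host, cmdline in events:
        stages_by_host[host] |= classify(cmdline)
    return {host: sorted(stages) for host, stages in stages_by_host.items()
            if len(stages) >= threshold}


if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Run against the constructed sample, only WS01 is flagged; WS02's lone service stop stays below the threshold.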
What is the risk of the CryWiper Ransomware?
Networks and systems infected by the CryWiper Ransomware are at risk of loss of electronic documents, personal data, business data and system databases. If those sources of information are not backed up, the data would be lost permanently with no chance for recovery.
What is affected by CryWiper Ransomware?
According to researchers at Kaspersky, CryWiper targets Windows systems and networks, going after any file that isn't required for system function; files such as .dll, .exe, .msi and .sys are left alone. It encrypts all other files, renaming them with a .cry extension. The observed instances of CryWiper only appear to target files on the host's C:\ drive, ignoring other drives for now.
How do you defend against CryWiper Ransomware?
The best way to prevent any issues relating to CryWiper, or ransomware in general, is to review and enhance your backup policies and procedures as well as your disaster recovery and business continuity plans. Careful design and testing of all of these policies, plans and procedures are critical to ensure the ability to weather a ransomware attack.
Additionally, ensuring that endpoint protection solutions with malware detection and prevention are deployed can help stop malware before it causes damage. Deploying multifactor authentication in situations where users need external access to your network is also highly recommended.
You can read more ransomware prevention strategies in this post from CISA.
Freed Maxick's cybersecurity team can provide expertise and guidance to your company to help intelligently enhance your defenses against modern cybersecurity threats through policy and procedure review as well as comprehensive network vulnerability assessments and penetration tests. Please reach out at email@example.com or 716.847.2651 if you have any questions or are interested in discussing further.