The CryWiper wiper pretends to be ransomware

CryWiper is a Windows-based Trojan masquerading as ransomware that secretly destroys data instead of encrypting it. It uses a scheduled task for persistence, C2 communication, a registry-stored timestamp to delay execution, and shadow-copy deletion to complicate incident response and data recovery. #CryWiper #IsaacWiper

Keypoints

  • CryWiper is a 64-bit Windows Trojan written in C++ and built with MinGW-w64, masquerading as ransomware but designed to destroy data.
  • It creates a Task Scheduler task that runs its own file every 5 minutes, giving it persistence.
  • The malware contacts a C2 server via HTTP GET, sending the infected host name to receive control commands.
  • It uses a registry entry to time and control delayed execution and checks the C2 response to decide whether to run or exit.
  • On command, it stops certain database and directory services, deletes shadow copies, and prevents remote access via RDP to hinder incident response.
  • CryWiper overwrites user files with data generated by the Mersenne Twister RNG and appends a .CRY extension, effectively destroying the original content.
  • Despite presenting ransom notes, the threat actor cannot restore data; the campaign highlights why paying ransoms does not guarantee recovery.

MITRE Techniques

  • [T1036] Masquerading – CryWiper masquerades as a ransomware program and stores a ransom note in README.txt. Quote: ‘CryWiper masquerades as a ransomware and stores a ransom note in README.txt.’
  • [T1053.005] Scheduled Task – CryWiper creates a Task Scheduler task to run its own file every 5 minutes. Quote: ‘creates a task in Task Scheduler to run its own file every 5 minutes.’
  • [T1071.001] Web Protocols – CryWiper communicates with its C2 using an HTTP GET request and passes the infected computer name as a parameter. Quote: ‘the trojan communicates with its C2 using an HTTP GET request and passes the infected computer name as a parameter.’
  • [T1112] Modify Registry – CryWiper saves the current time in the registry (HKCU\Software\Sysinternals\BrowserUpdate\Timestamp) immediately before checking the server’s response. Quote: ‘CryWiper saves the current time in the registry (HKCU\Software\Sysinternals\BrowserUpdate\Timestamp) immediately before checking the server’s response.’
  • [T1562.001] Impair Defenses – CryWiper sets a registry value to 1, which denies access via RDP. Quote: ‘CryWiper sets this value to 1, which denies access via RDP.’
  • [T1485] Data Destruction – CryWiper generates a sequence of data using the Mersenne Twister RNG and writes this data in place of the original file content. Quote: ‘CryWiper generates a sequence of data using the well-known Mersenne Twister pseudo-random number generator and writes this data instead of the original content of the file.’
  • [T1485] Data Destruction – It also deletes shadow copies to hinder recovery (vssadmin delete shadows /for=c: /all). Quote: ‘deletes shadow copies of files using the command vssadmin delete shadows /for=c: /all.’
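The behaviours listed above map naturally onto endpoint telemetry. The following is an added example (not code from the Securelist write-up or from the CryWiper sample): a small rule-based triage script that scans a list of event records for the hash, path, C2 address, registry key, vssadmin command, 5-minute task and .CRY renames the write-up describes. The event schema is a simplified, constructed one loosely modelled on Sysmon field names, the sample events are constructed, and the `fDenyTSConnections` value is an assumption: the write-up only says "this value" is set to 1 to deny RDP, and `fDenyTSConnections` is the standard Windows value with that effect.

```python
import re

# Values taken from the write-up's indicators and technique descriptions
CRYWIPER_MD5 = "14808919a8c40ccada6fb056b7fd7373"
C2_HOST = "82.221.141.8"
DROPPED_PATH = r"c:\windows\system32\browserupdate.exe"
TIMESTAMP_KEY = re.compile(r"\\Software\\Sysinternals\\BrowserUpdate\\Timestamp$", re.I)
VSSADMIN = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Assumption: the write-up does not name the RDP-denying value; fDenyTSConnections
# is the standard Terminal Server value that disables inbound RDP when set to 1.
RDP_DENY_VALUE = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.I)
CRY_FILE_THRESHOLD = 3  # tuning knob: how many .CRY renames before reporting


def triage(events):
    """Return sorted (technique_id, detail) findings for a list of event dicts.

    Each event is a dict with a "type" of process, task, registry, network or
    file, plus type-specific fields (constructed schema, not a real log format).
    """
    findings = set()
    cry_files = 0
    readme_seen = False
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            if ev.get("md5", "").lower() == CRYWIPER_MD5:
                findings.add(("IOC", f"known CryWiper hash {CRYWIPER_MD5}"))
            if ev.get("image", "").lower() == DROPPED_PATH:
                findings.add(("IOC", f"execution from {DROPPED_PATH}"))
            if VSSADMIN.search(ev.get("cmdline", "")):
                findings.add(("T1485", "shadow copy deletion via vssadmin"))
        elif kind == "task":
            # Task Scheduler expresses a 5-minute repetition as the ISO duration PT5M
            if ev.get("interval") == "PT5M" and ev.get("command", "").lower() == DROPPED_PATH:
                findings.add(("T1053.005", "scheduled task runs dropped binary every 5 minutes"))
        elif kind == "registry":
            target = ev.get("target", "")
            if target.upper().startswith("HKCU\\") and TIMESTAMP_KEY.search(target):
                findings.add(("T1112", "timer written under HKCU\\Software\\Sysinternals\\BrowserUpdate"))
            if RDP_DENY_VALUE.search(target) and str(ev.get("data")) == "1":
                findings.add(("T1562.001", "RDP connections denied via registry"))
        elif kind == "network":
            if ev.get("dst") == C2_HOST and ev.get("method") == "GET":
                findings.add(("T1071.001", f"HTTP GET beacon to {C2_HOST}"))
        elif kind == "file":
            path = ev.get("path", "").lower()
            if path.endswith(".cry"):
                cry_files += 1
            elif path.endswith("\\readme.txt"):
                readme_seen = True
    # Mass .CRY renames are the wiper's footprint; README.txt alone is too noisy,
    # so the masquerading finding is only raised alongside the renames.
    if cry_files >= CRY_FILE_THRESHOLD:
        findings.add(("T1485", f"{cry_files} files renamed with .CRY extension"))
        if readme_seen:
            findings.add(("T1036", "ransom note README.txt dropped beside .CRY files"))
    return sorted(findings)


def technique_ids(events):
    """Convenience wrapper: just the distinct technique / IOC labels that fired."""
    return sorted({tid for tid, _ in triage(events)})


# Constructed sample telemetry mirroring the write-up's described sequence
SAMPLE_EVENTS = [
    {"type": "process", "image": DROPPED_PATH, "md5": CRYWIPER_MD5, "cmdline": DROPPED_PATH},
    {"type": "task", "interval": "PT5M", "command": DROPPED_PATH},
    {"type": "network", "image": DROPPED_PATH, "dst": C2_HOST, "method": "GET", "path": "/IYJHNkmy3XNZ"},
    {"type": "registry", "target": r"HKCU\Software\Sysinternals\BrowserUpdate\Timestamp", "data": "1669900000"},
    {"type": "process", "image": r"c:\windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=c: /all"},
    {"type": "registry", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "data": "1"},
    {"type": "file", "path": r"c:\users\alice\documents\report.docx.CRY"},
    {"type": "file", "path": r"c:\users\alice\documents\budget.xlsx.CRY"},
    {"type": "file", "path": r"c:\users\alice\pictures\holiday.jpg.CRY"},
    {"type": "file", "path": r"c:\users\alice\documents\README.txt"},
]

if __name__ == "__main__":
    for tid, detail in triage(SAMPLE_EVENTS):
        print(f"{tid:10} {detail}")
```

The hash, path and C2 address rules are exact-match IoCs and will go stale; the behavioural rules (a 5-minute task pointing at a user-writable drop path, the HKCU timer key, vssadmin shadow deletion, RDP denial, a burst of .CRY renames) are what survive a rebuild of the sample, so keep both but tune `CRY_FILE_THRESHOLD` against your own file-rename baseline.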

Indicators of Compromise

  • [Hash] CryWiper malware hash – 14808919a8c40ccada6fb056b7fd7373
  • [File] Infected sample path – c:\windows\system32\browserupdate.exe
  • [URL] Command and Control server – hxxp://82.221.141.8/IYJHNkmy3XNZ

Read more: https://securelist.ru/novyj-troyanec-crywiper/106114/