CryWiper Data Wiper Targeting Russian Sites

Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks.

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

Nothing leading to an attribution.

News article.

Slashdot thread.

Posted on December 6, 2022 at 7:04 AM • 13 Comments

Comments

Jan Doggen December 6, 2022 11:07 AM

Dilemma. On the one hand, malware is simply bad, and innocent people may be hit by the consequences, but OTOH given the atrocities of Russia in Ukraine (and earlier, in other countries) I’m tempted to think ‘Hit Russia with everything available’ until they pull out.

Clive Robinson December 6, 2022 11:34 AM

@ Bruce, ALL,

There is a bit of a controversy coming out over this to do with the Random Number Generator CryWiper uses.

It’s referred to as the “Mersenne Vortex”, not “Mersenne Twister”, and it’s claimed its usage is somehow unusual and thus indicative enough for “attribution”.

From the ARS article,

“The name of the algorithm is the Mersenne Vortex PRNG. The algorithm is rarely used, so the commonality stuck out.”

However, a little search on “Mersenne Vortex” indicates the algorithm is in the standard libraries from C++11 onwards. It’s also in GCC, and many other “standard libraries”.

Now some may wonder if the algorithms are somehow different as they have slightly different names?

Simple answer is we don’t know…

The original Mersenne Twister algorithm was found to have some deficiencies thus got a couple of little upgrades but people followed habit with names, so yes there is more than one Mersenne Twister algorithm…

So unless someone who actually has the CryWiper code digs out the PRNG via debug/reverse-engineering etc. and checks, I guess we will have to wait and see.

&ers December 6, 2022 12:08 PM

I don’t understand why on earth anyone should quote
Kaspersky Labs’ “findings” here?
Their ties to the Russian govt and govt agencies have been proved.

hxxps://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html

Just ignoring them is the best we can do. Anything they say is biased.

Ray Dillinger December 6, 2022 12:21 PM

‘Mersenne Vortex’ in the Linux libraries is a correction of some perceived flaws with the Mersenne Twister. I don’t remember exactly what flaws. Nor have I a copy of this malware to dig through and see which binary matches.

That said, I dispute the claim that Mersenne Vortex is sufficiently uncommon to base attribution on. As Clive pointed out, standard libraries on a couple of standard platforms puts it well in the range of common tools.

Based on no special evidence beyond the daily news, however, I would suspect a Ukrainian, a member of the Ukrainian Diaspora, or Ukrainian sympathizer, likely acting without the knowledge or approval of any government.

There’s also a chance that it’s an act of cyber warfare undertaken specifically by the Ukrainian government.

And the latter case is in very murky territory as far as whether or not to condemn it.

On one hand, it’s clearly targeted at Russia, and with reasonable care to prevent damage in other countries. That makes it quasi-legitimate as an act of war.

On the other hand, it’s not specifically deployed against military targets; it’s much more general, and closer to being an attack on general infrastructure. And that makes it less legitimate as an act of war.

And on one foot, it’s targeted against the infrastructure of a nation that has routinely been committing atrocities against civilians and war crimes against the general infrastructure of Ukraine, so it’s turnabout. Which is not really okay under the Geneva Suggestions, but as long as Ukraine’s civilian population is manifestly suffering more under Russian attacks than any discomfort this brings to Russians, I don’t think I’d condemn it.

And on the other foot, it releases malware with a damaging payload out into the wild where in the hands of crooks and miscreants it will most assuredly be used in many other ways, most of which have nothing to do with any war whether the military use can be justified or not. So beyond being an immediate attack on Russia, it becomes a secondary attack against the general infrastructure of the world at large. And that’s not okay.

All told? Complicated. If it’s an act of war then it’s not one that would comply with the Geneva Convention. But considering the enormous scale of war crimes of the nation it’s being used against, and the fact that any damage it may do is drastically smaller than the damage Ukraine has suffered, and its likely short-term effect until the bugs it exploits are fixed, I am not terribly upset by its use.
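Clive’s and Ray’s point about the “Mersenne Vortex” (the name under which the Mersenne Twister appears in Russian-language sources) can be checked directly rather than argued. What follows is an added example, not code from the post, from any commenter, or from the Kaspersky report: a from-scratch MT19937 written from the published recurrence is compared output-for-output with the standard library’s `std::mt19937`, and the 10000th output is checked against the value the C++ standard itself requires for a conforming implementation (4123659995). The class and function names are mine; the algorithm constants are the standard MT19937 parameters.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Reference MT19937 written from the published recurrence
// (Matsumoto & Nishimura; 2002-style initialisation). This is a
// teaching implementation added for this example, not code from the
// malware sample or from any standard library.
class ReferenceMT19937 {
    static constexpr int N = 624;                       // state words
    static constexpr int M = 397;                       // middle-word offset
    static constexpr std::uint32_t MATRIX_A   = 0x9908B0DFu;  // twist constant
    static constexpr std::uint32_t UPPER_MASK = 0x80000000u;
    static constexpr std::uint32_t LOWER_MASK = 0x7FFFFFFFu;

    std::uint32_t state_[N];
    int index_ = N;

public:
    // 5489 is the seed used by the reference init_genrand() and by a
    // default-constructed std::mt19937, so both generators start equal.
    explicit ReferenceMT19937(std::uint32_t seed = 5489u) {
        state_[0] = seed;
        for (int i = 1; i < N; ++i)
            state_[i] = 1812433253u * (state_[i - 1] ^ (state_[i - 1] >> 30))
                      + static_cast<std::uint32_t>(i);
    }

    std::uint32_t next() {
        if (index_ >= N) twist();
        std::uint32_t y = state_[index_++];
        // Tempering: the four shift/mask steps that give MT its output.
        y ^= (y >> 11);
        y ^= (y << 7) & 0x9D2C5680u;
        y ^= (y << 15) & 0xEFC60000u;
        y ^= (y >> 18);
        return y;
    }

private:
    // Regenerate all 624 state words (the "twist").
    void twist() {
        for (int i = 0; i < N; ++i) {
            std::uint32_t x  = (state_[i] & UPPER_MASK) | (state_[(i + 1) % N] & LOWER_MASK);
            std::uint32_t xA = x >> 1;
            if (x & 1u) xA ^= MATRIX_A;
            state_[i] = state_[(i + M) % N] ^ xA;
        }
        index_ = 0;
    }
};

// n-th output (1-based) of a default-constructed std::mt19937.
std::uint32_t nth_output_std(int n) {
    std::mt19937 gen;
    std::uint32_t v = 0;
    for (int i = 0; i < n; ++i) v = static_cast<std::uint32_t>(gen());
    return v;
}

// n-th output (1-based) of the reference implementation above.
std::uint32_t nth_output_reference(int n) {
    ReferenceMT19937 ref;
    std::uint32_t v = 0;
    for (int i = 0; i < n; ++i) v = ref.next();
    return v;
}

// True when the standard-library generator and the reference one agree
// on every one of the first n outputs.
bool outputs_match(int n) {
    std::mt19937 gen;
    ReferenceMT19937 ref;
    for (int i = 0; i < n; ++i)
        if (static_cast<std::uint32_t>(gen()) != ref.next()) return false;
    return true;
}

// The C++ standard ([rand.predef]) requires the 10000th output of a
// default-constructed std::mt19937 to be exactly this value.
constexpr std::uint32_t kStdRequired10000th = 4123659995u;

int main() {
    std::printf("first 10000 outputs match std::mt19937: %s\n",
                outputs_match(10000) ? "yes" : "no");
    std::printf("10000th output: %u (standard requires %u)\n",
                static_cast<unsigned>(nth_output_std(10000)),
                static_cast<unsigned>(kStdRequired10000th));
    return 0;
}
```

Build with any C++11 compiler (`g++ -std=c++11 mt_check.cpp`). The point for anyone weighing the attribution claim: every binary built against a C++11 standard library can carry exactly this generator, so finding it in a sample says little about who wrote the sample. What an analyst can do with the code above is the check Clive says nobody had yet done: compare the twist and tempering constants (0x9908B0DF, 0x9D2C5680, 0xEFC60000) and the seeding multiplier (1812433253) found in the sample against these to establish which Mersenne Twister variant is actually present.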

Andy December 6, 2022 1:05 PM

@Jan Doggen be careful what you’re wishing for. The virus is not hitting Russian military, just any computer in Russia… It may be holding your bank account, medication, and more

Clive Robinson December 6, 2022 4:46 PM

@ Andy, Ray Dillinger, Jan Doggen,

Re : Who benefits the most?

“The virus is not hitting Russian military, just any computer in Russia… “

Actually not “any computer in Russia” either.

It appears fairly “tightly focussed” on certain “administrative” locations and functions.

At first I thought it might be Putin and friends “cleaning up” their activities. That is get rid of “local records” then only “central records” they control are available / authoritative.

But then I was given some further information by a neighbour who has “escaped Russia” but still has family there.

They pointed out that these are the locations where all “local records” of people are kept. That is entire lists of the local population not just for “tax” purposes but civil “registration” purposes like births, marriages, deaths, dwellings, pensions, medical, etc as well as being for the issuing of “papers”. Apparently to avoid certain issues the system is decentralised to a point that some registration is not even held by municipal authorities but agencies of central authorities and the staff of those authorities are given “accommodation addresses” like the old KGB Junior Officers housing / barracks.

The other thing I was told is that Putin is now no longer drafting nationally but regionally. That is local regions are given a quota to fill, and not only have to find the bodies, but equip them as well. Apparently to “hide” or “limit” the “bad news” of just how badly things are going.

So the question about these attacks is,

“Who benefits the most?”

After a little thinking you realise it’s the young, semi-affluent, skilled Russians who would otherwise get drafted. Who, if they can get out of Russia, can make themselves useful in new countries.

It also allows certain other people to “profit” from issuing genuine documents with false information in them, which are kind of the “gold standard” of “papers” for those who wish to escape away from authorities.

So destroy those Court and Town Hall lists then pulling in “new conscripts” becomes difficult and those who wish to not be drafted can more easily “slip away” with either genuine or fake “papers” as checking them becomes harder for authorities to do.

We know the people who most want to desperately escape Russia are those young Russians who are sufficiently skilled to develop such malware. Some know that because of their “past” being “covered” by Putin that they are a potential embarrassment to Putin and others who have got their hands dirty. An embarrassment that would disappear if they conveniently died as “Heroes” in Ukraine on the “Dead men don’t talk” policy.

We also may have good reason to think Putin is already “cleaning house”… As has been pointed out in some European MSM there have been a number of “sudden unexpected deaths” outside of Russia with people connected to crypto-coin business that Putin and friends have also been involved with.

As I’ve pointed out in the past, the UK Russian community have a list of over twenty unexplained and untimely deaths of wealthy Russians who opposed Putin in one way or another and got out of Russia to the UK. The UK police forces under then Home Office Minister and later short-lived Prime Minister Theresa May concluded without any investigation that, strange as the deaths were, they were all accidents… Until rare, expensive and effectively exotic poisons such as radioactive elements and nerve agents were used…

So I would not rule out that it may not be an act of “international war” but in fact is an act of “civil war” etc.

Winter December 7, 2022 1:37 AM

@Clive

We also may have good reason to think Putin is already “cleaning house”…

Maybe that is too much credit for Putin as a mastermind.

I have seen credible explanations that this is the result of fighting over a shrinking pie.

The sanctions bite, and Putin’s robber barons are fighting over the remaining money streams. Those that sit at the faucets of the streams and direct where the stream is going are targeted by those who fight over that particular money source.

Putin might not care who wins, as long as they do not interfere with his position. The murders do solve the problem of the people that have to be let go in the rightsizing of the klepto-economy. People who lose their income might harbor resentments which could become a liability. The selection process also lets the more “useful” people come out on top.

Winter December 7, 2022 3:57 AM

@Clive

So destroy those Court and Town Hall lists then pulling in “new conscripts” becomes difficult and those who wish to not be drafted can more easily “slip away” with either genuine or fake “papers” as checking them becomes harder for authorities to do.

There are indeed quite a number of comments in news sections that this might indeed be the aim of the malware. Note that the people working in the offices that are attacked might be sympathetic to blocking the draft with plausible deniability. There is quite a lot of resentment against the draft targeting ethnic minorities.

Winter December 7, 2022 6:46 AM

@piglet

Huh? The wipers masquerade as ransomware because ransomware is so popular?

Diversion tactics. You look in different places for ransomware authors than for non-criminals-for-profit.

Clive Robinson December 7, 2022 7:11 AM

@ Winter,

Re : Cleaning House

“Maybe that is too much credit for Putin as a mastermind.

I have seen credible explanations that this is the result of fighting over a shrinking pie.”

Either way it’s to Putin’s advantage with less mouths to feed and likewise less a’souls later crapping on his floor.

Sooner or later someone will realise the way to stop the problem is as with eating boiled eggs, “lop the top off and dig in”.

So will Putin go “Bunker Crazy” or “never sleep the same place twice”.

I suspect that there are more interesting ways than direct physical action. As has been observed in the past in UK Politics about a certain PM recently ousted,

“If you surround yourself with old women, perhaps it’s best to remember that for women the weapon of choice is poison in the ear[1].”

I’m sure Putin is aware of the Stalin – Tito assassination story. It’s been said that Stalin sent at least five separate assassins to kill Tito but Tito not only caught them all, he sent Stalin a letter telling him this and that if Stalin did not stop, Tito would send an assassin to Moscow and he would only need to send one. A further part to the story is that this is what Tito eventually did and Stalin was poisoned in his sleep by Tito’s assassin…

The wheel of history turns and oft appears to repeat…

[1] It’s a reference to William Shakespeare’s Hamlet where Hamlet dreams his father the King is poisoned in his sleep by poison dripped in his ear. This is often used as a metaphor for “Chinese whispers”.

Winter December 7, 2022 8:26 AM

@Clive

So will Putin go “Bunker Crazy” or “never sleep the same place twice”.

With so much blood at your hands, and so many living enemies, that is not unlikely.

I would be surprised if there are not half a dozen doubles to be his decoys. Stalin, Saddam, and Castro had them, Kim Jong-un has them. Putin will surely have them.

It is not exceptional for tyrants to become bunker crazy.

The first Emperor of China was very secretive about which palace he was staying at any one time. The story goes that he once looked out of the window at an arriving official and made a remark about his attire. When he then saw the official had changed it according to his remarks, the Emperor had everyone present that day killed.

Clive Robinson December 7, 2022 11:20 AM

@ Winter,

Re : First Emperor.

“When he then saw the official had changed it according to his remarks, the Emperor had everyone present that day killed.”

And so “The Fashion Police” were created[1]…

From memory he was dissatisfied with being called “King” so actually created the title of “Emperor” so was not just “The first Emperor of China” but anywhere… Oh and the creator of the first man made object that can be seen in space and from the moon we know as “The great wall of China”. Less well known is that his burial site at 20 square miles would also have been visible at those distances.

Supposedly he lifted China out of a bleak agrarian culture of slavery, serfdom and warring clans to the first of the great dynasties, defining a political and legal model that though decried by subsequent dynasties was all followed by them.

However he is said by later Confucianist scholars to have had a very dark side, be an illegitimate inheritor and much more. Also that he buried four hundred or so Confucian scholars alive after torturing them, ostensibly for their backstabbing and badmouthing behaviours. Modern scholars tend to view it as a case of “The survivor writes the history books” and discount much of it accordingly.

Some years ago I had the opportunity not just to see but actually hold –through latex gloves– a part of one of his “eternal soldiers” made of terracotta. If you stand alone with them in a quiet room it’s rather more than eerie.

Oh and it’s also said that his search for immortality through alchemy may have been the reason gunpowder was discovered[2] such was his influence down the centuries.

[1] Sorry there is some dark gnarly piece of my soul which uses humour and satire to relieve the stress of the horrors of what others do…

[2] According to story / legend gunpowder was the result of trying to combine crystals that grew out of rubbish heaps that had meat preserving ability[3] and another well known food preservative, honey. Contrary to what people are told sulfur is not required to make “black powder” but it does stabilise its burn etc.

[3] Much later European books tell of soaking used animal and human bedding (mainly straw) with “night water” (urine) and allowing it to ferment for half a year or so. Then washing it and allowing the liquid to evaporate leaving impure crystals of saltpeter. Other recipes included “potash” that was also used as a base for making what we would call hard laundry soap. You can read one way to make it,

https://www.survival-manual.com/saltpeter.php

But remember it’s also known as “stump remover” and if you ingest it it tends to thin your blood, making you more likely to bleed.

Winter December 7, 2022 1:03 PM

@Clive

Also that he buried four hundred or so Confucian scholars alive after torturing them, ostensibly for their backstabbing and badmouthing behaviours.

His state philosophy was legalism: Laws preempt everything else. Confucianism disagrees, and hence it was outlawed. All Confucianist books were destroyed. Anyone found hiding books was buried alive.

The current works of Confucianism were largely reconstructed from memory.

The first Emperor was a tyrant of the stature of Mao or Stalin.

Oh and it’s also said that his search for immortality through alchemy may have been the reason gunpowder was discovered[2] such was his influence down the centuries.

He is said to have killed himself trying out a self formulated elixir of life.
