Unprecedented malware is nuking data at Russian courts and mayors’ offices


The offices of Russia’s mayors and courts are under attack by unprecedented malware that pretends to be ransomware but is actually a wiper that permanently destroys data on an infected system, according to security firm Kaspersky and the Izvestia news service.

Kaspersky researchers named the wiper CryWiper, a reference to the .cry extension that gets attached to destroyed files. Kaspersky said its team saw the malware launch “targeted attacks” against targets in Russia. Izvestia, meanwhile, reported that the targets were the offices of mayors and Russian courts. Additional details weren’t immediately known, including how many organizations were hit and whether the malware successfully wiped data.

Wiper malware has grown exponentially over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Aramco and Qatar’s RasGas. Four years later, a new variant of Shamoon returned and struck multiple organizations in Saudi Arabia. In 2017, a self-replicating wiper called NotPetya spread around the world in a matter of hours and caused an estimated $10 billion in damage. In the past year, a wave of new wipers has emerged. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.

Kaspersky said it detected CryWiper attack attempts in the past few months. After infecting a target, the malware left a note that, according to Izvestia, demanded 0.5 bitcoin and included a wallet address where payment could be made.

“After examining a sample of the malware, we discovered that this Trojan, although it disguises itself as ransomware and extorts money from the victim in order to ‘decrypt’ the data, does not actually encrypt the data, but destroys the data in the affected system on purpose,” Kaspersky researchers wrote. “Moreover, analysis of the Trojan’s code showed that this was not the developer’s fault, but its original intention.”

CryWiper bears some similarities to IsaacWiper, which targeted organizations in Ukraine. Both wipers use the same algorithm to generate the pseudo-random data that corrupts target files by overwriting their contents. The algorithm is the Mersenne Twister PRNG. The algorithm is rarely used in malware, so the commonality stood out.

CryWiper shares a separate commonality with the Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent ransomware families: the email address in the ransom note is the same for all three.

The CryWiper sample analyzed by Kaspersky is a 64-bit executable file for Windows. It was written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. This is an unusual choice, since malware written in C++ is more commonly built with Microsoft’s Visual Studio. One possible reason for the choice is that it gives developers the option to port their code to Linux. Given the number of specific calls CryWiper makes to Windows programming interfaces, that explanation seems unlikely. The most likely reason is that the developer writing the code was using a non-Windows machine.
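The toolchain observation above is the kind of thing an analyst checks first when triaging a sample. The following added example (not code from Kaspersky, Izvestia or the article) shows one way to do that: it reads the PE machine type from the headers and looks for marker strings that GCC/MinGW-w64 and MSVC builds typically leave behind. The marker lists are an assumption drawn from generic toolchain artefacts, not indicators taken from the CryWiper sample, and the sample binary is constructed inline so the script runs offline.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass, field

# Marker strings that GCC/MinGW-w64 and MSVC builds typically leave in a PE
# image. Assumption: these are generic toolchain artefacts, not indicators
# taken from the CryWiper sample itself.
MINGW_MARKERS = (b"GCC: (GNU)", b"Mingw-w64 runtime failure", b"__mingw_", b"libgcc")
MSVC_MARKERS = (b"VCRUNTIME", b"MSVCR", b"ucrtbase", b"api-ms-win-crt")
GCC_VERSION_RE = re.compile(rb"GCC: \(GNU\) (\d+\.\d+\.\d+)")
MACHINE_NAMES = {0x8664: "x64", 0x014C: "x86", 0xAA64: "arm64"}


@dataclass
class ToolchainReport:
    machine: str | None
    mingw_hits: list[str] = field(default_factory=list)
    msvc_hits: list[str] = field(default_factory=list)
    gcc_versions: list[str] = field(default_factory=list)
    verdict: str = ""


def pe_machine(blob: bytes) -> str | None:
    """Return the PE machine type ('x64', 'x86', ...) or None if not a PE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)   # offset of the PE signature
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", blob, e_lfanew + 4)  # IMAGE_FILE_HEADER.Machine
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def classify_toolchain(blob: bytes) -> ToolchainReport:
    """Triage which toolchain likely built a PE image from embedded marker strings."""
    report = ToolchainReport(machine=pe_machine(blob))
    lowered = blob.lower()
    report.mingw_hits = [m.decode() for m in MINGW_MARKERS if m.lower() in lowered]
    report.msvc_hits = [m.decode() for m in MSVC_MARKERS if m.lower() in lowered]
    report.gcc_versions = sorted({v.decode() for v in GCC_VERSION_RE.findall(blob)})
    if report.mingw_hits and not report.msvc_hits:
        report.verdict = "likely MinGW-w64/GCC"
    elif report.msvc_hits and not report.mingw_hits:
        report.verdict = "likely MSVC"
    elif report.mingw_hits and report.msvc_hits:
        report.verdict = "mixed markers (static runtime or packed?)"
    else:
        report.verdict = "no toolchain markers found"
    return report


def build_sample(markers: bytes, machine: int = 0x8664) -> bytes:
    """Constructed stand-in for a PE file: a DOS/PE header stub followed by marker strings."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)           # e_lfanew -> PE signature at 0x80
    pe_header = b"PE\0\0" + struct.pack("<H", machine) + bytes(18)
    return bytes(header) + pe_header + bytes(64) + markers


if __name__ == "__main__":
    sample = build_sample(b"GCC: (GNU) 12.2.0\0Mingw-w64 runtime failure:\0")
    print(classify_toolchain(sample))
```

Markers like these are easy to strip or to fake, so the verdict is a triage hint rather than proof; a mixed result usually means a statically linked runtime or a packer and warrants a closer look at the import table and section layout.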

Successful wiper attacks often take advantage of weak network security. Kaspersky advises network engineers to take precautions including:

  • Endpoint protection solutions that use behavioral file analysis.
  • A managed detection and response service and a security operations center that allow any breach to be detected in time and the necessary response actions to be taken.
  • Dynamic analysis of mail attachments and blocking of malicious files and URLs. This will make email attacks, one of the most common vectors, much more difficult.
  • Conducting penetration tests and red team projects periodically. This will help identify vulnerabilities in the organization’s infrastructure and address them, significantly reducing the attack surface for hackers.
  • Threat data monitoring. To detect and block malicious activity in a timely manner, it is essential to have up-to-date information about the hackers’ tactics, tools, and infrastructure.
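The first two recommendations come down to noticing destructive behaviour quickly. As an added example (not code from Kaspersky or the article), the script below runs a simple behavioral rule over file-activity events: it alerts when one process renames or creates more files carrying the .cry extension the article describes than a threshold allows inside a sliding time window. The `ts|image|op|path` log format, the window, the threshold and the sample events are all constructed assumptions; a real deployment would feed it EDR or Sysmon file events and tune the numbers to the environment.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WIPER_EXT = ".cry"              # extension the article says CryWiper appends
WINDOW = timedelta(seconds=60)  # assumption: sliding window per process
THRESHOLD = 10                  # assumption: .cry renames per window before alerting


@dataclass
class FileEvent:
    ts: datetime
    image: str      # full path of the process that performed the operation
    op: str         # RENAME / CREATE / WRITE ...
    path: str       # resulting file path


def parse_line(line: str) -> FileEvent:
    """Parse one 'ts|image|op|path' record (constructed log format, not a real product's)."""
    ts, image, op, path = line.rstrip("\n").split("|", 3)
    return FileEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), image, op, path)


def detect_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert once per process that renames/creates >= threshold *.cry files within window.

    Lines must be in timestamp order. Returns [(image, first_ts, count), ...].
    """
    recent = defaultdict(deque)   # image -> timestamps of recent .cry events
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.op not in ("RENAME", "CREATE") or not ev.path.lower().endswith(WIPER_EXT):
            continue
        q = recent[ev.image]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:     # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev.image not in alerted:
            alerted.add(ev.image)
            alerts.append((ev.image, q[0], len(q)))
    return alerts


def build_sample_log() -> list[str]:
    """Constructed events: a backup job renaming to .bak and a burst of .cry renames."""
    base = datetime(2022, 12, 2, 10, 15, 0)
    lines = []
    for i in range(15):   # benign burst with a different extension: must not alert
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()}Z|C:\\Program Files\\Backup\\backup.exe|RENAME|D:\\bak\\db{i}.bak")
    for i in range(12):   # suspicious burst: twelve .cry renames in 22 seconds
        t = base + timedelta(seconds=5 + 2 * i)
        lines.append(f"{t.isoformat()}Z|C:\\Users\\Public\\update.exe|RENAME|C:\\Docs\\report{i}.docx{WIPER_EXT}")
    return sorted(lines)


if __name__ == "__main__":
    for image, first_ts, count in detect_mass_rename(build_sample_log()):
        print(f"ALERT {image}: {count} .cry renames since {first_ts.isoformat()}")
```

Keying the rule on a specific extension keeps it cheap but brittle; the same loop generalises to "many renames of distinct files to one new extension by one process", which catches renamed variants and ordinary ransomware alike at the cost of more tuning against backup and archiving tools.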

Given the Russian invasion of Ukraine and other geopolitical conflicts raging around the world, the pace of wiper malware is unlikely to slow in the coming months.

“In many cases, wiper and ransomware incidents are caused by insufficient network security, and attention should be paid to strengthening protection,” Kaspersky’s report released on Friday said. “We assume that the number of cyberattacks, including those using wipers, will increase, largely due to the unstable situation in the world.”
