Ransomware - CryWiper

CryWiper
Decryptor Available
No
Description

CryWiper, as the name suggests, is a wiper, but one that also masquerades as ransomware.  Kaspersky researchers found it on Russian government networks in late 2022. It is commonly referred to as a retaliatory wiper because it is assumed its a response to the wave of ransomware and wiper malware aimed at Ukrainian organizations at the onset of the Ukraine-Russia conflict, and continuing thereafter.

CryWiper acts similar to a wiper used against Ukraine in early 2022 called IsaacWiper - misnamed by ESET researchers who initially thought the wiper algorithm used the ISAAC algorithm, but corrected it to Mersenne Twister. CryWiper also uses the Mersenne Twister algorithm in its wiping operations. The malware also drops a ransom note that contains a real Bitcoin address, but sending any payment won't result in a decryption key. Furthermore, no encryption occurs, the system is simply destroyed beyond repair. The pseudo-extortion amount is 0.5 BTC, which, at the time of discovery, was around $8,000.

Ransomware Type
Wiper
First Seen
Last Seen
Extortion Types
Pseudo-Extortion
Extortion Amounts
Amount
0.5BTC($8,000)
Communication
Mittel
Bezeichner
Crypto Wallets
Blockchain Type
Crypto Wallet
BTC
bc1qdr90p815jwen4ymew17276z45rpzfhm70x0rfd
File Extension
<file name>.CRY
Ransom Note Name
README.txt
Ransom Note Image
Samples (SHA-256)
bdf8b53d73ca1ed1b649b32a61608b2cf952397ef3d5fc2e6e9f41ad98c40110