Ransomware - CryWiper

CryWiper
Decryptor Available
No
Description

CryWiper, as the name suggests, is a wiper, but one that also masquerades as ransomware. Kaspersky researchers found it on Russian government networks in late 2022. It is commonly referred to as a retaliatory wiper because it is assumed to be a response to the wave of ransomware and wiper malware aimed at Ukrainian organizations at the onset of the Ukraine-Russia conflict and continuing thereafter.

CryWiper behaves similarly to IsaacWiper, a wiper used against Ukraine in early 2022. IsaacWiper was misnamed by ESET researchers, who initially thought its wiping routine used the ISAAC algorithm but later corrected this to Mersenne Twister. CryWiper also uses the Mersenne Twister algorithm in its wiping operations. The malware drops a ransom note that contains a real Bitcoin address, but sending a payment won't result in a decryption key. Furthermore, no encryption occurs; the system is simply destroyed beyond repair. The pseudo-extortion amount is 0.5 BTC, which, at the time of discovery, was around $8,000.

Ransomware Type
Wiper
First Seen
Last Seen
Extortion Types
Pseudo-Extortion
Extortion Amounts
Amount: 0.5 BTC ($8,000)
Communication
Medium
Identifier
Crypto Wallets
Blockchain Type: BTC
Crypto Wallet: bc1qdr90p815jwen4ymew17276z45rpzfhm70x0rfd
File Extension
<file name>.CRY
Ransom Note Name
README.txt
Samples (SHA-256)
bdf8b53d73ca1ed1b649b32a61608b2cf952397ef3d5fc2e6e9f41ad98c40110