JAKARTA - Kaspersky experts have discovered a new Trojan attack, named CryWiper. The malware is a wiper (eraser): files modified by CryWiper can never be restored to their original state.

So, if you see a ransom note and your files carry a .CRY extension, do not rush to pay the ransom: the payment would be wasted, because the files cannot be recovered.

Kaspersky experts believe that the attackers' main goal is not financial gain but data destruction. The files are not actually encrypted; instead, the Trojan overwrites them with randomly generated data.

What CryWiper is after

The Trojan corrupts any data, including data that is not essential to the functioning of the operating system. The malware does not touch files with the .exe, .dll, .lnk, .sys or .msi extensions; it focuses on databases, archives and user documents.

So far, Kaspersky experts have only seen attacks targeting Russia. However, no one can guarantee that this malware will not be used against targets elsewhere.

How the CryWiper Trojan works

Apart from directly overwriting file contents with garbage, CryWiper also does the following:

  • Creates a Task Scheduler task that restarts the wiping every five minutes;
  • Sends the name of the infected computer to the C&C server and waits for the command to start the attack;
  • Kills processes associated with MySQL and MS SQL database servers, MS Exchange mail servers, and MS Active Directory web services;
  • Deletes shadow copies of files so that they cannot be recovered;
  • Disables connections to the affected system over RDP (Remote Desktop Protocol).
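The behaviours listed above are more useful to a defender as a combined signal than as single events (an administrator legitimately stops SQL Server or disables RDP now and then). The script below is an added example, not code from the article or from Kaspersky: it scores a batch of endpoint telemetry events against those behaviours and raises an alert only when several distinct ones appear together. The event field names, the process names mapped to the services the article names, and the registry value used as the RDP-disable indicator are assumptions made for this example; the sample events are constructed, not real logs.

```python
"""Score endpoint telemetry events against the CryWiper behaviours the article lists.

Added example for this page; not code from the article or from Kaspersky.
Event shapes, process names and the RDP registry value are assumptions chosen
for this example. The article does not state how CryWiper performs each step."""
import re
from collections import Counter

# Assumed process names for the services the article says CryWiper kills.
SERVICE_PROCESSES = {
    "mysqld.exe": "MySQL",
    "sqlservr.exe": "MS SQL Server",
    "microsoft.exchange.store.worker.exe": "MS Exchange",
    "microsoft.activedirectory.webservices.exe": "AD Web Services",
}

# Extensions the article says the wiper leaves alone, and the one it appends.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
WIPED_EXTENSION = ".cry"

# Windows value that denies inbound RDP when set to 1. Treating a write of 1
# here as the "RDP disabled" indicator is this example's assumption.
RDP_DENY_VALUE = r"hklm\system\currentcontrolset\control\terminal server\fdenytsconnections"


def classify(event):
    """Return the name of the indicator an event matches, or None."""
    kind = event.get("type")
    if kind == "process_terminate":
        if event.get("target", "").lower() in SERVICE_PROCESSES:
            return "service_process_killed"
    elif kind == "scheduled_task_created":
        # Article: a task re-launches the wiping every five minutes.
        if event.get("repeat_minutes") == 5:
            return "five_minute_task"
    elif kind == "shadow_copy_deleted":
        return "shadow_copies_deleted"
    elif kind == "registry_set":
        if event.get("path", "").lower() == RDP_DENY_VALUE and event.get("data") == 1:
            return "rdp_disabled"
    elif kind == "file_rename":
        old = event.get("old_path", "").lower()
        new = event.get("new_path", "").lower()
        # Only files the article says are in scope count; renamed .exe etc. do not.
        if new.endswith(WIPED_EXTENSION) and not any(old.endswith(e) for e in SKIPPED_EXTENSIONS):
            return "file_renamed_to_cry"
    return None


def match_indicators(events):
    """Count how many events hit each indicator."""
    counts = Counter()
    for ev in events:
        name = classify(ev)
        if name:
            counts[name] += 1
    return counts


def looks_like_crywiper(events, min_distinct=3):
    """True when at least min_distinct different behaviours appear together.

    A single hit (e.g. an admin stopping SQL Server) is expected noise; the
    combination of task persistence, service kills, shadow-copy deletion,
    RDP lockout and .CRY renames is what the article describes."""
    return len(match_indicators(events)) >= min_distinct


# Constructed sample telemetry (not real logs) for a stand-alone run.
SAMPLE_EVENTS = [
    {"type": "scheduled_task_created", "name": "updater", "repeat_minutes": 5},
    {"type": "process_terminate", "target": "sqlservr.exe"},
    {"type": "process_terminate", "target": "mysqld.exe"},
    {"type": "shadow_copy_deleted", "volume": "C:"},
    {"type": "registry_set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "data": 1},
    {"type": "file_rename", "old_path": r"C:\data\reports.xlsx", "new_path": r"C:\data\reports.xlsx.CRY"},
    # Skipped extension: a .CRY rename of an .exe is not in the wiper's scope.
    {"type": "file_rename", "old_path": r"C:\Windows\notepad.exe", "new_path": r"C:\Windows\notepad.exe.CRY"},
    # Unrelated process kill: not one of the listed services.
    {"type": "process_terminate", "target": "notepad.exe"},
]

if __name__ == "__main__":
    for indicator, n in sorted(match_indicators(SAMPLE_EVENTS).items()):
        print(f"{indicator}: {n}")
    print("CryWiper-like activity:", looks_like_crywiper(SAMPLE_EVENTS))
```

Run on the constructed sample, `match_indicators` reports five distinct indicators (two service-process kills, one each of the others) and `looks_like_crywiper` returns True; fed a lone SQL Server stop it returns False. The threshold of three distinct behaviours is a design choice for this example, not a published rule: raise it to cut noise on hosts where task creation and service restarts are routine.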

The English, Chinese, Japanese, Arabic, and French versions are generated automatically by AI, so the translation may still contain inaccuracies; please always treat the Indonesian version as our main language. (System supported by DigitalSiber.id)