Ransomware

Data wipers cleaned up in 2022

Back up data, change passwords, and educate, say researchers.

What’s worse than ransomware? Malware disguised as ransomware that will just delete your data anyways, that’s what.

Take “CryWiper,” a Trojan reported by the cybersecurity provider Kaspersky in December. CryWiper destroys files while storing ransom demands in a README.txt file. The catch (and presumably, the “cry” part) is that there’s nothing to decrypt.

“Our experts are confident that the main goal of the attackers is not financial gain, but destroying data. The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data,” said Kaspersky in a Dec. 2 post.

The motivation behind data-wiping differs from ransomware—the big difference being money—but the defense recommendations are about the same: have backups, change passwords, and educate end-users, to name a few.

“Technically, you could treat ransomware as a data wiper…because if you don’t pay, you don’t get it back either,” said Candid Wüest, VP of cyber protection research at the software company Acronis.

Wipers are on. In addition to CryWiper, a number of data wiper attacks were reported in December 2022:

While ransomware is about the money, a data wiper’s motives are perhaps more about ruining reputation.

“It all boils down from economic impact to the company,” said Adam Burgher, senior threat intelligence analyst at ESET, citing Fantasy’s targeting of an Israel-based software developer.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Or maybe the drivers are, depressingly, just plain destruction.

“One is using the wiper in a place where he wants to make damage, [to] just watch the world burn,” said Jiří Vinopal, threat researcher at Check Point.

An April 2022 report from the cybersecurity company Fortinet saw an increase in wiper deployments as the war between Russia and Ukraine began. Fortinet cited various possible motives for the destructive malware, including destruction of evidence, sabotage, and cyberwar.

Cleanup work. Lucky for you (and your data), the defense strategies for ransomware also apply to data wipers:

  • First: have clean backups, said Wüest, and initiate a slow return of those backups to ensure the whole network doesn’t go down again, all at once. “If you restore all your email servers, maybe isolate them through firewalls,” Wüest told IT Brew.
  • In its post detailing CryWiper, Kaspersky recommended restricting remote access connections to infrastructure, and specifically blocking connections from public networks. (Remote Desktop Protocol is frequently used in ransomware attacks.)
  • In a November 2022 alert, the New Jersey Cybersecurity and Communications Integration Cell recommended educating users to refrain from downloading programs via unofficial websites—potential sources for Trojan-infused code.

And an often overlooked practice, according to Wüest: Change all passwords. “Specifically with wipers, you don’t really know what happened. So, there’s a high chance that someone might have stolen your local administrator or even your domain administrative accounts. And if you don’t change those, they will be back within a few days,” said Wüest. “Or a few hours, if you’re unlucky.”—BH
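Two of the checks above can be scripted before a restore begins. The following is an added example, not code from IT Brew, Kaspersky, or any of the vendors quoted: it flags files that look the way the article describes CryWiper leaving them (format header gone, contents near-random), lists any dropped README.txt notes, and verifies a backup set against a manifest of known-good SHA-256 hashes so that only clean copies are brought back. The file names, manifest, and the pseudo-random "wiped" content are constructed in memory for the demonstration.

```python
"""Post-incident triage for a suspected wiper.

Added example, not code from IT Brew, Kaspersky or any vendor quoted in the
article.  Two checks a responder wants before deciding whether to restore:
  1. which files look overwritten (format header gone, content near-random),
     which is what the article describes CryWiper doing, and
  2. whether the backup set still matches a manifest of known-good hashes.
All sample data below is constructed in memory; nothing touches disk.
"""
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List

# Real file signatures for a few common formats.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
}
# File name the article says CryWiper uses for its ransom demand.
RANSOM_NOTE_NAMES = {"README.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_overwritten(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when the extension promises a known header, the header is gone,
    and the content is near-random.  Caveat: a pseudo-random overwrite and
    real encryption look identical here; this flags damage, not recoverability."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return False  # no signature to check against
    return not data.startswith(expected) and shannon_entropy(data) >= threshold


def triage(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Split a live file set into damaged files and ransom notes."""
    damaged = sorted(n for n, d in files.items() if looks_overwritten(n, d))
    notes = sorted(n for n in files if os.path.basename(n) in RANSOM_NOTE_NAMES)
    return {"damaged": damaged, "ransom_notes": notes}


def verify_backup(manifest: Dict[str, str], backup: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Check each manifest entry against the SHA-256 of the backup copy."""
    ok, mismatched, missing = [], [], []
    for name, digest in manifest.items():
        data = backup.get(name)
        if data is None:
            missing.append(name)
        elif hashlib.sha256(data).hexdigest() == digest:
            ok.append(name)
        else:
            mismatched.append(name)
    return {"ok": sorted(ok), "mismatched": sorted(mismatched), "missing": sorted(missing)}


def _pseudo_random(n_blocks: int) -> bytes:
    """Deterministic stand-in for a wiper's pseudo-random overwrite (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


# --- constructed sample data ---------------------------------------------
KNOWN_GOOD = {
    "photo.png": MAGIC[".png"] + b"\x00" * 2000,
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "old.zip": MAGIC[".zip"] + b"\x00" * 100,
}
MANIFEST = {n: hashlib.sha256(d).hexdigest() for n, d in KNOWN_GOOD.items()}

# What the disk looks like after the wiper ran: photo.png overwritten,
# report.pdf untouched, a ransom note dropped, an unrelated text file present.
LIVE_FILES = {
    "photo.png": _pseudo_random(128),
    "report.pdf": KNOWN_GOOD["report.pdf"],
    "README.txt": b"(constructed) your files are encrypted, pay to decrypt",
    "notes.txt": b"plain meeting notes",
}

# A backup set that is partly stale: report.pdf truncated, old.zip absent.
BACKUP_SET = {
    "photo.png": KNOWN_GOOD["photo.png"],
    "report.pdf": KNOWN_GOOD["report.pdf"][:10],
}

if __name__ == "__main__":
    print("triage:", triage(LIVE_FILES))
    print("backup:", verify_backup(MANIFEST, BACKUP_SET))
```

The entropy threshold of 7.5 bits per byte is an assumption chosen for the constructed data; on a real file set it should be calibrated against known-good samples, and the script deliberately does not claim to tell a wiped file from an encrypted one, which is exactly why the backup manifest check matters more than the damage listing.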
