{
	"id": "f524f911-104b-4568-b893-ffe474fc2779",
	"created_at": "2026-04-06T00:18:41.463327Z",
	"updated_at": "2026-04-10T13:11:59.775469Z",
	"deleted_at": null,
	"sha1_hash": "4865c5385d9cb95741441a1b162b8788041f4563",
	"title": "New CryWiper data wiper targets Russian courts, mayor's offices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3553896,
	"plain_text": "New CryWiper data wiper targets Russian courts, mayor's\r\noffices\r\nBy Bill Toulas\r\nPublished: 2022-12-02 · Archived: 2026-04-05 20:55:32 UTC\r\nA previously undocumented data wiper named CryWiper is masquerading as ransomware, but in reality, destroys data\r\nbeyond recovery in attacks against Russian mayor's offices and courts.\r\nCryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian\r\norganization.\r\n\"In the fall of 2022, our solutions detected attempts by a previously unknown Trojan, which we named CryWiper, to attack\r\nan organization's network in the Russian Federation,\" explains the new report by Kaspersky.\r\nHowever, a report by Russian media says that the malware was used in attacks against Russian mayor's offices and\r\ncourts.\r\nAs the code analysis reveals, the data-wiping function of CryWiper isn't a mistake but a purposeful tactic to destroy targets'\r\ndata.\r\nWiping the victim's data\r\nCryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI\r\nfunction calls.\r\nUpon execution, it creates scheduled tasks to run every five minutes on the compromised machine.\r\nCreation of scheduled task (Kaspersky)\r\nNext, it contacts a command and control server (C2) with the name of the victim's machine. 
The C2 responds with either a\r\n\"run\" or \"do not run\" command, determining whether the wiper will activate or stay dormant.\r\nKaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help\r\nconfuse the victim as to what caused the infection.\r\nCryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS\r\nActive Directory web services to free locked data for destruction.\r\nServices killed by CryWiper (Kaspersky)\r\nNext, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files.\r\nCryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident\r\nresponse from remote IT specialists.\r\nFinally, the wiper will corrupt all enumerated files except for \".exe\", \".dll\", \"lnk\", \".sys\", \".msi\", and its own \".CRY\", while\r\nalso skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable.\r\nThe algorithm for corrupting the files is based on \"Mersenne Twister,\" a pseudorandom number generator. This is the same\r\nalgorithm used by IsaacWiper, but the researchers established no further connection between the two families.\r\nAfter this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000)\r\nin exchange for a decrypter. 
Unfortunately, this is a false promise, as the corrupted data cannot be restored.\r\nRansom note generated by CryWiper (Kaspersky)\r\nEven though CryWiper is not ransomware in the typical sense, it can still cause severe data destruction and business\r\ninterruption.\r\nKaspersky says CryWiper does not seem to be associated with any wiper families emerging in 2022,\r\nlike DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, and Industroyer2.\r\nUpdate 11/2/2: Added further information about CryWiper targets (h/t Risky Biz).\r\nSource: https://www.bleepingcomputer.com/news/security/new-crywiper-data-wiper-targets-russian-courts-mayor-s-offices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-crywiper-data-wiper-targets-russian-courts-mayor-s-offices/"
	],
	"report_names": [
		"new-crywiper-data-wiper-targets-russian-courts-mayor-s-offices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4865c5385d9cb95741441a1b162b8788041f4563.pdf",
		"text": "https://archive.orkl.eu/4865c5385d9cb95741441a1b162b8788041f4563.txt",
		"img": "https://archive.orkl.eu/4865c5385d9cb95741441a1b162b8788041f4563.jpg"
	}
}