Security researchers at Kaspersky have discovered a previously unknown malware named CryWiper masquerading as ransomware, but it is actually a data wiper that wipes data beyond recovery in its attacks, targeting Russian mayor's offices and courts. In a report shared by Russian media, the malware was found to have been used against municipal offices and courts in Russia. According to the code analysis, the data-wiping function of CryWiper is not a mistake but was intentionally created to destroy the data of targets. The CryWiper data wiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, which is configured to abuse many WinAPI function calls. As soon as it is executed, it creates scheduled tasks to run every five minutes on the compromised system. Later, it communicates with a command-and-control server (C2) which decides whether to keep the wiper alive or inactive by responding with a "run" or "do not run" command. In some cases, Kaspersky reports that the execution of the malware is delayed by at least four days (345,600 seconds), which likely indicates that it is incorporated into the code for the purpose of confusing the victim as to what caused the infection. Also, the CryWiper will stop critical processes related to MySQL, Microsoft SQL, Microsoft Exchange, and Microsoft Active Directory. Moreover, CryWiper disables RDP connections to prevent remote IT specialists from intervening and responding to incidents remotely, potentially making it impossible to restore the files that have been deleted. A malware program also deletes shadow copies to prevent the easy restoration of wiped files. Lastly, the wiper will corrupt all enumerated files except ".exe", ".dll", "lnk", ".sys", ".msi", and its own ".CRY", while skipping the System, Windows, and Boot directories to prevent making the computer useless. The algorithm used for corrupting the files is based on "Mersenne Twister," a pseudorandom number generator, which is the same algorithm used by IsaacWiper. As a result, CryWiper generates a ransom note named 'README.txt.' It asks for 0.5 Bitcoin (about $8,000) in exchange for a decryptor. Unfortunately, this is a false notice, since the corrupted data is irrecoverable. However, CryWiper has the potential to cause severe data destruction and business interruption even though it isn't ransomware in the traditional sense. The wiper CryWiper does not appear associated with any of the emerging wiper families in 2022, such as IsaacWiper, DoubleZero, CaddyWiper, HermeticWiper, WhisperGate, AcidRain, and Industroyer2.