A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.
Dubbed CryPy, this is not the first ransomware to be written in Python, with threats such as HolyCrypt, Fs0ciety Locker, and others observed before. However, it does stand out because of its use of unique keys for the encrypted files and because it abuses a compromised Israeli server for command and control (C&C) communication.
A flaw in the Magento content management system allowed attackers to upload a PHP shell script and additional files to allow them use the compromised server as the ransomware’s C&C. Furthermore, they leveraged the server for phishing attacks, and researchers suggest that a Hebrew-speaking threat actor was behind these attacks.
The ransomware’s Python executable is comprised of two main files, one called boot_common.py, and another called encryptor.py. Kaspersky’s security researchers explain that, while the first is responsible for error-logging on Windows platforms, the second is the actual locker.
During analysis, the researchers discovered that the malware wasn’t encrypting the files on the target computer, supposedly because the threat actor migrated to a new server. In the process, researchers say, they might have “deleted the remaining traces of the PHP files they used for data collection from a victim’s machine.”
On the compromised machines, the ransomware would disable a series of features by overwriting the registry policies, including Registry Tools, Task Manager, CMD and Run. Next, it disables recovery and moves to ignore boot status policy.
CryPy was observed sending data to the C&C server over an unencrypted HTTP channel in clear-text, thus allowing for easy traffic inspection. The ransomware’s Python code contains hardcoded calls to PHP scripts on the C&C server, in the form of a GET request.
Among the information transmitted between the malware and the C&C, researchers found system, node, release, version, machine and processor information (all encoded with Base64), an IP address, and the victim’s unique ID to request their decryption keys after payment.
The security researchers explain that the malware sends the file name and victim ID to the server, which responds with a unique key after encryption (which will be appended to the file’s header), and a new filename. By generating a unique token for each file, researchers explain, the attackers can provide victims with the possibility to decrypt a couple of files for free, which would supposedly demonstrate trust and integrity.