Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?


Malware & Threats

CryPy Ransomware Uses Unique Key for Each File

A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.

A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.

Dubbed CryPy, this is not the first ransomware to be written in Python, with threats such as HolyCrypt, Fs0ciety Locker, and others observed before. However, it does stand out because of its use of unique keys for the encrypted files and because it abuses a compromised Israeli server for command and control (C&C) communication.

A flaw in the Magento content management system allowed attackers to upload a PHP shell script and additional files to allow them use the compromised server as the ransomware’s C&C. Furthermore, they leveraged the server for phishing attacks, and researchers suggest that a Hebrew-speaking threat actor was behind these attacks.

The ransomware’s Python executable is comprised of two main files, one called boot_common.py, and another called encryptor.py. Kaspersky’s security researchers explain that, while the first is responsible for error-logging on Windows platforms, the second is the actual locker.

During analysis, the researchers discovered that the malware wasn’t encrypting the files on the target computer, supposedly because the threat actor migrated to a new server. In the process, researchers say, they might have “deleted the remaining traces of the PHP files they used for data collection from a victim’s machine.”

On the compromised machines, the ransomware would disable a series of features by overwriting the registry policies, including Registry Tools, Task Manager, CMD and Run. Next, it disables recovery and moves to ignore boot status policy.

CryPy was observed sending data to the C&C server over an unencrypted HTTP channel in clear-text, thus allowing for easy traffic inspection. The ransomware’s Python code contains hardcoded calls to PHP scripts on the C&C server, in the form of a GET request.

Among the information transmitted between the malware and the C&C, researchers found system, node, release, version, machine and processor information (all encoded with Base64), an IP address, and the victim’s unique ID to request their decryption keys after payment.

Advertisement. Scroll to continue reading.

The security researchers explain that the malware sends the file name and victim ID to the server, which responds with a unique key after encryption (which will be appended to the file’s header), and a new filename. By generating a unique token for each file, researchers explain, the attackers can provide victims with the possibility to decrypt a couple of files for free, which would supposedly demonstrate trust and integrity.

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Related: Cerber 4.0 Fuels New Wave of Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights