Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CryPy Ransomware Uses Unique Key for Each File

A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.

A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.

Dubbed CryPy, this is not the first ransomware to be written in Python, with threats such as HolyCrypt, Fs0ciety Locker, and others observed before. However, it does stand out because of its use of unique keys for the encrypted files and because it abuses a compromised Israeli server for command and control (C&C) communication.

A flaw in the Magento content management system allowed attackers to upload a PHP shell script and additional files to allow them use the compromised server as the ransomware’s C&C. Furthermore, they leveraged the server for phishing attacks, and researchers suggest that a Hebrew-speaking threat actor was behind these attacks.

The ransomware’s Python executable is comprised of two main files, one called boot_common.py, and another called encryptor.py. Kaspersky’s security researchers explain that, while the first is responsible for error-logging on Windows platforms, the second is the actual locker.

During analysis, the researchers discovered that the malware wasn’t encrypting the files on the target computer, supposedly because the threat actor migrated to a new server. In the process, researchers say, they might have “deleted the remaining traces of the PHP files they used for data collection from a victim’s machine.”

On the compromised machines, the ransomware would disable a series of features by overwriting the registry policies, including Registry Tools, Task Manager, CMD and Run. Next, it disables recovery and moves to ignore boot status policy.

CryPy was observed sending data to the C&C server over an unencrypted HTTP channel in clear-text, thus allowing for easy traffic inspection. The ransomware’s Python code contains hardcoded calls to PHP scripts on the C&C server, in the form of a GET request.

Among the information transmitted between the malware and the C&C, researchers found system, node, release, version, machine and processor information (all encoded with Base64), an IP address, and the victim’s unique ID to request their decryption keys after payment.

Advertisement. Scroll to continue reading.

The security researchers explain that the malware sends the file name and victim ID to the server, which responds with a unique key after encryption (which will be appended to the file’s header), and a new filename. By generating a unique token for each file, researchers explain, the attackers can provide victims with the possibility to decrypt a couple of files for free, which would supposedly demonstrate trust and integrity.

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Related: Cerber 4.0 Fuels New Wave of Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.