Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CryPy Ransomware Uses Unique Key for Each File

A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.

A newly observed ransomware family that was written in Python fetches a unique key for each of the victim’s files before encryption, Kaspersky researchers warn.

Dubbed CryPy, this is not the first ransomware to be written in Python, with threats such as HolyCrypt, Fs0ciety Locker, and others observed before. However, it does stand out because of its use of unique keys for the encrypted files and because it abuses a compromised Israeli server for command and control (C&C) communication.

A flaw in the Magento content management system allowed attackers to upload a PHP shell script and additional files to allow them use the compromised server as the ransomware’s C&C. Furthermore, they leveraged the server for phishing attacks, and researchers suggest that a Hebrew-speaking threat actor was behind these attacks.

The ransomware’s Python executable is comprised of two main files, one called boot_common.py, and another called encryptor.py. Kaspersky’s security researchers explain that, while the first is responsible for error-logging on Windows platforms, the second is the actual locker.

During analysis, the researchers discovered that the malware wasn’t encrypting the files on the target computer, supposedly because the threat actor migrated to a new server. In the process, researchers say, they might have “deleted the remaining traces of the PHP files they used for data collection from a victim’s machine.”

On the compromised machines, the ransomware would disable a series of features by overwriting the registry policies, including Registry Tools, Task Manager, CMD and Run. Next, it disables recovery and moves to ignore boot status policy.

CryPy was observed sending data to the C&C server over an unencrypted HTTP channel in clear-text, thus allowing for easy traffic inspection. The ransomware’s Python code contains hardcoded calls to PHP scripts on the C&C server, in the form of a GET request.

Among the information transmitted between the malware and the C&C, researchers found system, node, release, version, machine and processor information (all encoded with Base64), an IP address, and the victim’s unique ID to request their decryption keys after payment.

The security researchers explain that the malware sends the file name and victim ID to the server, which responds with a unique key after encryption (which will be appended to the file’s header), and a new filename. By generating a unique token for each file, researchers explain, the attackers can provide victims with the possibility to decrypt a couple of files for free, which would supposedly demonstrate trust and integrity.

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Related: Cerber 4.0 Fuels New Wave of Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.