CryPy Ransomware Creates a Different Decryption Key for Each Locked File

Kaspersky researchers warn of a newly found piece of ransomware, called CryPy, which creates a unique key for each of the victim's encrypted files.

CryPy, like other threats such as Fs0ciety Locker and HolyCrypt, is written in Python, but it has features the others lack: first, the above-mentioned use of a different key for each locked file and, second, the use of a compromised Israeli server as its Command-and-Control server.

The CryPy crooks managed to use the compromised server as their own by uploading a PHP shell script and additional files thanks to a flaw in the Magento content management system. Moreover, they used the abused server for phishing attacks, which, researchers think, are the work of a Hebrew-speaking cybercriminal.

CryPy's Python executable consists of two files: "boot_common.py", which is responsible for error-logging on Windows platforms, and "encryptor.py", which is the actual locker.

During the analysis, the experts found that CryPy wasn't locking any data on the targeted PC, probably because the author of the attack had moved on to another server. However, the researchers did say that they have "deleted the remaining traces of the PHP files they used for data collection from a victim's machine."

Once it has infected a computer, the CryPy ransomware disables certain features, such as Registry Tools, Task Manager, CMD and Run, by overwriting the registry policy. After that, the threat disables recovery and configures the boot status policy to ignore failures.

The analysts discovered that CryPy transfers data to its C&C over an unencrypted HTTP channel in clear text, which makes traffic inspection much easier. The Python code of the ransomware contains calls to PHP scripts on the C&C, which take the form of GET requests.

The information sent by the ransomware to its C&C included node, system, release, machine and processor information (all encoded with Base64), version, and an IP, the researchers found. It also included the unique ID of the victims, which they need in order to ask for their decryption key after they have paid.
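Because the traffic is clear-text HTTP, the pattern described above (GET requests to PHP scripts carrying several Base64-encoded system fields) can be hunted for in proxy logs. The following is an added detection sketch, not code from the Kaspersky analysis; the log format, hosts, query parameter names and the threshold of three fields are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

MIN_B64_FIELDS = 3  # assumed threshold; tune against your own traffic

def b64_text(value):
    """Return the decoded text if value is Base64 of printable ASCII, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns '+' into a space
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def find_beacons(log_lines):
    """Flag plain-HTTP GETs to .php scripts that carry several Base64 fields."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        url = urlsplit(parts[3])
        if url.scheme != "http" or not url.path.lower().endswith(".php"):
            continue
        fields = {k: t for k, v in parse_qsl(url.query) if (t := b64_text(v)) is not None}
        if len(fields) >= MIN_B64_FIELDS:
            hits.append({"src": parts[1], "host": url.hostname, "fields": fields})
    return hits

def _enc(text):
    return base64.b64encode(text.encode()).decode()

# Constructed proxy log lines; hosts and parameter names are hypothetical.
SAMPLE_LOG = [
    "2016-10-13T09:14:02Z 10.0.0.23 GET http://c2.example.test/a.php?"
    + "&".join(f"{k}={_enc(v)}" for k, v in [
        ("node", "DESKTOP-7F3A"), ("system", "Windows"), ("release", "7"),
        ("machine", "AMD64"), ("processor", "Intel64 Family 6 Model 58")])
    + "&id=1f0c9a",
    "2016-10-13T09:14:09Z 10.0.0.41 GET http://intranet.example.test/search.php?q=quarterly+report&page=2",
    "2016-10-13T09:15:30Z 10.0.0.41 GET http://shop.example.test/cart.php?token=" + _enc("session-44"),
]

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Short values such as a one-character release string fall below the length filter, which is why the rule counts fields rather than requiring every parameter to decode.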

According to security experts, CryPy sends the file name and the victim ID to the C&C, which, as a response, sends a new filename and a unique key after encryption. By creating a different key for each encrypted file, the crooks are able to give the victims the opportunity to unlock a few files for free. All this is an attempt to demonstrate that the keys actually work and that, if the victims pay, the crooks will keep their end of the deal as well.
