When a new piece of malware is about to be released, its developers unknowingly give security researchers an opportunity to follow its progress from the beginning and foresee what the threat will eventually become. This is exactly the case with the newly found HolyCrypt ransomware, which was recently detected by AVG security researcher Jakub Kroustek.
According to security researchers, HolyCrypt is written in Python, a language that is unusual for typical ransomware. It uses AES encryption and is assembled into an EXE file with the PyInstaller utility, the same packager the PWOBot keylogger and Bitcoin-mining malware were built with.
HolyCrypt operates in a basic way, encrypting the victims' files with a password. This is a mechanism that security researchers such as AVG's Kroustek, Emsisoft's Fabian Wosar, and Michael Gillespie have been able to deal with in the past.
While analyzing the sample, Kroustek discovered that the ransomware targeted only twenty files, which is a very small number for any ransomware family. However, it was important evidence that HolyCrypt was still a work in progress. He also found that the password needed for the decryption process was "test". If infected, your desktop wallpaper will be replaced with a new one carrying the following message:
“YOUR COMPUTER HAS BEEN LOCKED!
Your documents, photos, databases and other important files have been locked with strongest encryption and unique key, generated for this computer. Private decryption key is stored in a secret internet server and nobody can decrypt your files until you pay and obtain the private key.
The server will eliminate the key after 24h.
Open http://test_ransomware.onion.link and follow the instructions of the payment”
Obviously, the link where victims are supposed to go to complete the payment is a phony one, another piece of evidence that the cybercriminals behind HolyCrypt have not completely finished their job yet.
As for the ransomware's distribution, Kroustek stated that the developers are using the classic double-extension trick, disguising the executable as a PDF file named ReportXYZ.pdf.exe.
“Although, I’m not sure why someone distributes such work-in-progress,” the AVG researcher adds.
The latest versions of HolyCrypt prepend "encrypted" to the names of all encrypted files. If you see the wallpaper with the warning message, google "HolyCrypt decrypter" to check whether security researchers have found a way to crack it.
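The two observable traits described in the article, the double-extension lure (ReportXYZ.pdf.exe) used for distribution and the "encrypted" prefix added to encrypted file names, can both be turned into simple file-name heuristics for a defender's scan. The following is an added example, not code from the article or from any researcher named in it; the lists of "document-looking" and "executable" extensions are my own assumptions, and the sample file names are constructed for the demonstration.

```python
"""Added example (not from the article): flag Windows file names that use the
double-extension trick (a document extension followed by an executable one, as in
ReportXYZ.pdf.exe) and file names carrying the "encrypted" prefix the article says
HolyCrypt prepends to encrypted files."""

import os
from pathlib import Path

# Assumption: extensions that Windows will execute when double-clicked.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
# Assumption: extensions an attacker would show the victim to look harmless.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Prefix the article reports HolyCrypt adding to every encrypted file.
ENCRYPTED_PREFIX = "encrypted"


def is_double_extension_lure(name):
    """True when the last extension executes and the one before it looks like a
    document, e.g. ReportXYZ.pdf.exe. Whitespace padding between the two
    extensions (report.pdf      .exe) is stripped so it cannot hide the trick."""
    suffixes = [s.strip().lower() for s in Path(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXT and suffixes[-2] in DOCUMENT_EXT


def has_encrypted_prefix(name):
    """True when the base file name starts with the reported 'encrypted' prefix.
    This is a heuristic: a legitimately named 'encrypted_backup.zip' will match too,
    so treat a hit as a reason to look, not as proof of infection."""
    return Path(name).name.lower().startswith(ENCRYPTED_PREFIX)


def scan_names(names):
    """Classify a list of file names; returns the hits for each heuristic."""
    hits = {"lures": [], "encrypted": []}
    for name in names:
        if is_double_extension_lure(name):
            hits["lures"].append(name)
        if has_encrypted_prefix(name):
            hits["encrypted"].append(name)
    return hits


def scan_directory(root):
    """Walk a directory tree and apply the same heuristics to every file name."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            found.append(os.path.join(dirpath, fname))
    return scan_names(found)


# Constructed sample file names for the demonstration (not real victim data).
SAMPLE_NAMES = [
    "ReportXYZ.pdf.exe",      # the lure named in the article
    "invoice.docx",           # ordinary document
    "encryptedbudget.xlsx",   # name pattern after HolyCrypt renames a file
    "notes.txt",
    "photo.jpg   .scr",       # padded variant of the same trick
    "setup.exe",              # a bare executable is not a double-extension lure
]

if __name__ == "__main__":
    for kind, names in scan_names(SAMPLE_NAMES).items():
        print(kind, names)
```

A hit from `scan_directory` on a mail attachment folder or a user's Downloads directory is a reasonable trigger for quarantine and a closer look; a sudden burst of "encrypted"-prefixed names across a share is the kind of rename storm that file-server monitoring should alert on.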