
CryPy ransomware uses a unique Key for each encrypted file

Experts from Kaspersky have spotted a new threat in the wild written in Python, the CryPy ransomware, which uses a unique key for each encrypted file.

Researchers have recently discovered a ransomware family written in Python, dubbed "CryPy", that uses a compromised Israeli server for its command and control (C&C) communication. Other ransomware written in Python has been seen in the past, such as Zimbra, HolyCrypt, and Fs0ciety Locker, but CryPy stands out because it encrypts each file separately with its own unique key.

The CryPy Python executable contains two main files, "boot_common.py" and "encryptor.py", which are responsible for error logging on Windows platforms and for the encryption itself, respectively.

“This Python executable comprises two main files. One is called boot_common.py and the other encryptor.py. The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server.” reads a blog post published by Kaspersky. “The C&C is hidden behind a compromised web server located in Israel.”

What about the attack chain related to this specific threat?

The bad actors compromised an Israeli server that was vulnerable to a well-known Magento vulnerability, which allowed them to upload a PHP shell script and additional files and to transfer data to the server in clear text. The same flaw could also be exploited to carry out man-in-the-middle attacks.

Surprisingly, the same server was also used by the attackers for phishing campaigns, hosting PayPal phishing pages. The researchers believe a Hebrew-speaking threat actor was behind these phishing attacks.

“A notable point to mention is that the server was also used for phishing attacks, and contained Paypal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks.” continues the analysis published by Kaspersky. “The stolen Paypal credentials were forwarded to another remote server located in Mexico and which contains the same arbitrary file upload technique, only with a different content management.

“It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.”

According to the researchers, CryPy sends the file name and the victim ID to the C&C server, which responds with a unique key for that file together with a new file name; the file is then encrypted with that key and renamed. Because every file has its own key, the attackers can decrypt a few files for free as a demonstration, which helps them maintain credibility and the victim's trust that paying will actually recover the data.
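Per-file keying has a side effect a defender can look for: the locker must contact the C&C once per encrypted file, so a single client produces a burst of requests to one host, each naming a different file. The script below is an added example written for this article, not code from the page or from the Kaspersky report; the proxy log format, the C&C hostname and the `id`/`file` query parameters are constructed assumptions, not CryPy's real request format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log: "<ISO timestamp> <client IP> <method> <URL>".
# The C&C host and query parameters are placeholders, not real IoCs.
SAMPLE_LOG = """\
2016-10-12T09:00:01 10.0.0.5 POST http://cnc.example.invalid/victim.php?id=7f3a&file=report.docx
2016-10-12T09:00:02 10.0.0.5 POST http://cnc.example.invalid/victim.php?id=7f3a&file=budget.xlsx
2016-10-12T09:00:02 10.0.0.5 POST http://cnc.example.invalid/victim.php?id=7f3a&file=photo1.jpg
2016-10-12T09:00:03 10.0.0.5 POST http://cnc.example.invalid/victim.php?id=7f3a&file=photo2.jpg
2016-10-12T09:00:04 10.0.0.5 POST http://cnc.example.invalid/victim.php?id=7f3a&file=notes.txt
2016-10-12T09:00:05 10.0.0.7 GET http://intranet.example.invalid/index.html
2016-10-12T09:05:00 10.0.0.7 GET http://intranet.example.invalid/page.html?file=a.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client, host, file_param) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    url = urlsplit(m.group(4))
    files = parse_qs(url.query).get("file", [])
    return ts, m.group(2), url.hostname, (files[0] if files else None)


def find_per_file_beacons(log_text, window_seconds=60, min_distinct_files=4):
    """Flag (client, host) pairs that request keys for many distinct files in one window.

    Returns a list of (client, host, distinct_file_count), one entry per flagged pair.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] is not None:  # only requests that carry a file name
            ts, client, host, fname = rec
            events[(client, host)].append((ts, fname))
    hits = []
    window = timedelta(seconds=window_seconds)
    for (client, host), recs in events.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            # distinct file names seen from this start time within the window
            names = {f for t, f in recs[i:] if t - start <= window}
            if len(names) >= min_distinct_files:
                hits.append((client, host, len(names)))
                break
    return hits


if __name__ == "__main__":
    print(find_per_file_beacons(SAMPLE_LOG))
```

Tune the window and threshold to the environment; ordinary applications rarely send a different file name to the same host several times per second.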

If you are interested in the IoCs for the CryPy ransomware, take a look at the Kaspersky report.

Written by: Sumit Kumar

Cyber security researcher

MS cyber security , Qualys Certified Specialist, CEHv8, ISO 27001


Pierluigi Paganini

(Security Affairs – CryPy ransomware, cybercrime)
