
CryPy ransomware uses a unique Key for each encrypted file

Experts from Kaspersky have spotted a new threat in the wild written in Python, the CryPy ransomware, which uses a unique key for each encrypted file.

Researchers have discovered a new ransomware, dubbed "CryPy", written in Python that relies on a compromised Israeli server for command and control (C&C) communication. In the past we have seen other ransomware written in Python, such as Zimbra, HolyCrypt, and Fs0ciety Locker, but CryPy encrypts each file separately with its own unique key.

The CryPy ransomware is made up of two Python files, "boot_common.py" and "encryptor.py": the first is responsible for error logging on Windows platforms, the second for the encryption.

"This Python executable comprises two main files. One is called boot_common.py and the other encryptor.py. The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server." reads a blog post published by Kaspersky. "The C&C is hidden behind a compromised web server located in Israel."

What about the attack chain related to this specific threat?

Bad actors compromised an Israeli server that was affected by a well-known Magento vulnerability, which allows an attacker to upload a PHP shell script and additional files and to transfer data to the server in clear text. The flaw could also be exploited to carry out man-in-the-middle attacks.
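A web shell dropped through an arbitrary file upload flaw usually lands where only static content belongs, such as a media or upload directory, or hides PHP code behind an image extension. The following script is an added defensive example, not code from Kaspersky or from the Magento project: it walks a web root and flags both patterns. The directory layout, the allowed-code directories and the planted files are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumptions (constructed for this example, not from the report): PHP code is
# expected only under these top-level directories plus a front controller at
# the web root; media/upload directories must contain static files only.
ALLOWED_CODE_DIRS = {"app", "lib", "vendor"}
ALLOWED_ROOT_FILES = {"index.php"}
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
PHP_MARKERS = (b"<?php", b"<?=")


def looks_like_php(path: Path, probe: int = 4096) -> bool:
    """Return True if the first bytes of the file contain a PHP open tag."""
    try:
        with path.open("rb") as fh:
            head = fh.read(probe)
    except OSError:
        return False
    return any(marker in head for marker in PHP_MARKERS)


def find_suspicious_uploads(root: Path):
    """Walk a web root and report PHP where it should not be.

    Two signals: (1) a file with a PHP extension outside the code directories,
    e.g. a shell dropped into media/; (2) PHP code inside a file whose extension
    claims to be something else, e.g. an 'image' that starts with <?php.
    Returns sorted (relative_path, reason) tuples.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root)
            top = rel.parts[0]
            allowed = top in ALLOWED_CODE_DIRS or (
                len(rel.parts) == 1 and name in ALLOWED_ROOT_FILES
            )
            has_php_ext = full.suffix.lower() in PHP_EXTENSIONS
            if has_php_ext and not allowed:
                findings.append((rel.as_posix(), "php file outside code directories"))
            elif not has_php_ext and looks_like_php(full):
                findings.append((rel.as_posix(), "php code behind a non-php extension"))
    return sorted(findings)


def build_demo_tree() -> Path:
    """Create a constructed, minimal Magento-like tree in a temp dir (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    layout = {
        "index.php": b"<?php require 'app/bootstrap.php';",
        "app/code/Mod.php": b"<?php class Mod {}",
        "media/catalog/product.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
        # constructed: script planted in an upload directory
        "media/catalog/thumb.php": b"<?php echo 'planted';",
        # constructed: PHP disguised with an image extension
        "media/logo.png": b"<?php echo 'planted';",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for rel, reason in find_suspicious_uploads(demo):
            print(f"{rel}: {reason}")
    finally:
        shutil.rmtree(demo)
```

On a real deployment the allowlist would be taken from the application's documented layout, and the scan is most useful when run on a schedule and diffed against the previous run, so that a newly appearing script in an upload directory stands out.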

Surprisingly, the attackers also used the server for phishing campaigns, hosting PayPal phishing pages on it. Researchers say a Hebrew-speaking threat actor was behind these attacks.

“A notable point to mention is that the server was also used for phishing attacks, and contained Paypal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks.” continues the analysis published by Kaspersky. “The stolen Paypal credentials were forwarded to another remote server located in Mexico and which contains the same arbitrary file upload technique, only with a different content management.

“It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.”

According to the researchers, CryPy sends the file name and the victim ID to the C&C server and receives in response a unique key, generated server-side, together with a new name for the encrypted file. Because every file has its own key, the attackers can decrypt a few files for free to prove that recovery works and build trust with the victim.
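The per-file key exchange leaves a behavioural footprint: one outbound request to the same destination shortly before each file is renamed, repeated for every file. The detector below is an added example written from the defender's side, not code from Kaspersky or from the malware; it runs a simple correlation over endpoint telemetry. The event format, the process IDs and the addresses (203.0.113.10 and 198.51.100.7 are documentation ranges) are constructed for the demonstration and are not indicators from the report.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record (constructed format, not from the report)."""
    ts: float     # seconds since start of the trace
    host: str
    kind: str     # "net": outbound HTTP request; "rename": file renamed
    pid: int
    detail: str   # "net": destination address; "rename": "old -> new"


def detect_per_file_c2(events, max_gap=5.0, window=60.0, threshold=5):
    """Flag processes whose file renames each follow a request to one destination.

    For every rename, look at the most recent outbound request by the same
    process; if it happened within max_gap seconds, count the rename as 'paired'
    with that destination. A process that accumulates >= threshold paired renames
    to the same destination inside a sliding window is reported once as
    (host, pid, destination).
    """
    last_net = {}                  # (host, pid) -> (ts, destination)
    paired = defaultdict(deque)    # (host, pid, destination) -> paired rename timestamps
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.pid)
        if e.kind == "net":
            last_net[key] = (e.ts, e.detail)
        elif e.kind == "rename" and key in last_net:
            net_ts, dest = last_net[key]
            if e.ts - net_ts > max_gap:
                continue
            q = paired[(e.host, e.pid, dest)]
            q.append(e.ts)
            while q and e.ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and (e.host, e.pid, dest) not in alerts:
                alerts.append((e.host, e.pid, dest))
    return alerts


def sample_events():
    """Constructed trace: a backup tool renaming files with no network activity,
    a browser with network activity and no renames, and one process that
    requests, then renames, once per file (203.0.113.10 is a documentation
    address standing in for the C&C; not an indicator from the report)."""
    ev = []
    for i in range(8):
        ev.append(Event(10.0 + i, "ws01", "rename", 1001, f"doc{i}.tmp -> doc{i}.bak"))
    for i in range(8):
        ev.append(Event(20.0 + i, "ws01", "net", 2002, "198.51.100.7"))
    for i in range(6):
        base = 100.0 + 3 * i
        ev.append(Event(base, "ws01", "net", 4242, "203.0.113.10"))
        ev.append(Event(base + 0.5, "ws01", "rename", 4242, f"report{i}.docx -> 7f3a{i:02x}.bin"))
    return ev


if __name__ == "__main__":
    for host, pid, dest in detect_per_file_c2(sample_events()):
        print(f"ALERT host={host} pid={pid} per-file requests to {dest} before each rename")
```

The backup tool renames many files but never talks to the network, and the browser talks to the network but never renames, so neither trips the rule; only the process that alternates request and rename per file is reported. Thresholds and the pairing gap are tuning knobs that depend on how noisy the environment's rename activity is.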

If you are interested in the IoCs for the CryPy ransomware, take a look at the Kaspersky report.

Written by: Sumit Kumar

Cyber security researcher

MS Cyber Security, Qualys Certified Specialist, CEHv8, ISO 27001


Pierluigi Paganini

(Security Affairs – CryPy ransomware, cybercrime)
