A new ransomware variant written in the Python language is currently out in the wild, and it seems to be stepping up its game against other crypto-malware out there.
Dubbed 'CryPy,' a combination of the words 'crypt' and 'Python', its programming language, stands out from the crowd by assigning a unique key to a single file that it encrypts on a victim's system, therefore making decryption a lot harder.
The malware was found in a security flaw in a content management system called Magento, which allowed perpetrators to utilize a PHP shell script to a vulnerable web server in Israel, which now acts as the Command & Control (C&C) server of the CryPy ransomware.
Moreover, the C&C server isn't used only for ransomware attacks; the server is also utilized to conduct phishing attacks, which are usually fake PayPal messages. It is believed that the malware developers are Hebrew-speaking.
CryPy is composed of two files, namely 'boot_common.py,' and 'encryptor.py.' The former is responsible for error-logging on the Windows platform, while the latter is the encryptor itself. Once a system has been infected, the ransomware disables Registry Tools, Task Manager, CMD, and Run, which are the usual features used to control and terminate malware. Soon after, it will start encrypting files.
Typical ransomware encrypts all files of a system, then assigns a unique key for it, so when the developers demand money from victims, they can track the infected system. However, CryPy makes it a lot more difficult for its prey by assigning a unique key for each file that it encrypts. Its ransom note reads:
"All your files are encrypted with strong chiphers [sic]. Decrypting of your files is only possible with the decryption program, which is on our secret server. Note that every 6 hours, a random file is permanently deleted. The faster you are, the less files you will lose. Also, in 96 hours, the key will be permanently deleted and there will be no way of recovering your files. To receive your decryption program contact one of the emails: 1. m4n14k@sigaint[.]org 2. blackone@sigaint[.]org. Just inform your identification ID and we will give you next instruction. Your personal identification ID:"
Despite all this, there seems to a hint of good news; according to Kaspersky, the ransomware seems to be only in its early stages of development as it fails to encrypt files as the threat actor has recently moved to a new server, and the change has not reflected yet on the malware itself. Furthermore, it makes no mention of any proof of decryption, or any alternative method should the payment process fail.
As the world of ransomware grows and becomes more threatening each day, it is always best to be careful of our internet activity by being on guard of the websites we visit, as well as the files we download. We can never know that the next thing we might be encountering could possibly compromise not just our computers, but also our financial lives.