Python ransomware encrypts files with unique keys one at a time

A newly discovered strain of ransomware uses a unique key for every file it encrypts.
Written by Charlie Osborne, Contributing Writer

A new kind of ransomware written in Python has upped the encryption game by using a unique key for every file it encrypts on a victim's machine, researchers have warned.


The ransomware, dubbed CryPy, is not the only kind of malware which has been written in the Python programming language -- joining the likes of HolyCrypt, Fs0ciety Locker, and Zimbra.

However, what makes this particular malware stand out is a rather sophisticated and nefarious practice -- the fetching of unique encryption keys to individually encrypt files on a victim's system -- making decryption and cracking very difficult.

CryPy was discovered due to a security flaw in the Magento content management system (CMS) which permitted attackers to upload and execute a PHP shell script on a vulnerable Israeli web server, which now acts as the malware's command and control (C&C) center.

Data is transferred from the server in clear text, which allows man-in-the-middle (MiTM) attacks to take place, as well as drops of additional PHP scripts which call up the ransomware to attack victim PCs.

The C&C center is also used to conduct phishing attacks and contained PayPal phishing pages. It is believed that the threat actors behind the ransomware are Hebrew-speaking.

In an analysis posted by Kaspersky researchers, the team says the malware comprises two main files, boot_common.py and encryptor.py. The first handles error logging on Windows platforms, while the latter is the actual locker. Once a system is infected, CryPy disables Registry Tools, Task Manager, CMD, and Run before disabling recovery tools and the boot status policy.
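A defender-side detection for the lockdown sequence described above, as an added example that is not from Kaspersky's analysis or from the CryPy code: it flags a host when several of the listed steps show up in process-creation logs within a short window. The registry value names, bcdedit options, log format, window and threshold are assumptions (the usual Windows settings behind these features), and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed: standard Windows policy values / bcdedit options, not taken from a CryPy sample.
SET_ON = r"\b.*?/d\s+[1-9]"   # reg.exe data argument that switches the restriction on
RULES = {
    "task_manager":   re.compile(r"\bDisableTaskMgr" + SET_ON, re.I),
    "registry_tools": re.compile(r"\bDisableRegistryTools" + SET_ON, re.I),
    "cmd":            re.compile(r"\bDisableCMD" + SET_ON, re.I),
    "run_dialog":     re.compile(r"\bNoRun" + SET_ON, re.I),
    "recovery":       re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_status":    re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmdline=(?P<cmd>.*)$")

def classify(cmdline):
    """Return the set of lockdown behaviours a single command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def detect(lines, window=timedelta(minutes=2), threshold=3):
    """Alert on hosts showing >= threshold distinct behaviours inside one window."""
    events = {}                                   # host -> [(time, behaviour)]
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                              # skip blank or malformed lines
        when = datetime.fromisoformat(m["ts"])
        for name in classify(m["cmd"]):
            events.setdefault(m["host"], []).append((when, name))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for start, _ in evs:                      # slide the window over each event
            seen = {n for t, n in evs if start <= t <= start + window}
            if len(seen) >= threshold and len(seen) > len(alerts.get(host, ())):
                alerts[host] = seen
    return {h: sorted(s) for h, s in alerts.items()}

# Constructed sample log (process-creation events), not real telemetry.
SAMPLE = r"""
2016-01-01T09:00:01 host=WS-01 cmdline=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2016-01-01T09:00:02 host=WS-01 cmdline=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
2016-01-01T09:00:05 host=WS-01 cmdline=bcdedit /set {default} recoveryenabled No
2016-01-01T09:00:06 host=WS-01 cmdline=bcdedit /set {default} bootstatuspolicy ignoreallfailures
2016-01-01T10:30:00 host=WS-02 cmdline=reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
2016-01-01T11:00:00 host=WS-03 cmdline=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
""".splitlines()
if __name__ == "__main__":
    print(detect(SAMPLE))
```

Requiring several distinct behaviours in one window keeps a single administrative policy change (WS-02) or a re-enable with `/d 0` (WS-03) from raising an alert.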

Encryption then begins, with a fresh encryption key fetched for each file individually. However, Kaspersky believes CryPy is in the early stages of development as the malware is, in its current form, failing to encrypt files as the threat actor has recently moved to a new server and the malware has not been updated as of yet.

When a system is locked and encrypted, victims are then asked to contact the threat actor via email to pay for a decryption program. By undergoing this process, victims may be able to decrypt a few files for free, showing the malware's functions and potentially an element of trust -- in other words, a lure to push victims into paying for the full decryption system.

Earlier this week, Symantec researchers revealed that ransomware operators are switching tactics to expand their attack area by using Windows Script Files (WSF) to distribute ransomware as they are less likely to be picked up by antivirus programs.
