OCTOBER 19, 2016
The strain adds a level of complication to decryption by encrypting every file with a unique key. And it may be able to fly under the radar of anti-ransomware software.
A new ransomware known as ‘CryPy’ has been found in the wild by Avast security expert Jakub Kroustek; it is capable of encrypting each file on a system with a unique key.
While not the first malware written in the Python programming language - it joins other ‘Pysomwares’ like HolyCrypt, FsOciety Locker and Zimba - CryPy stands out as particularly heinous because it uses a different encryption key to lock down each individual file on a victim’s system.
This makes the files extremely difficult to decrypt, according to Kaspersky Lab researchers.
The executable is made up of two main files, boot_common.py and encryptor.py. The first handles error logging on Windows platforms, and the second is the actual locker, which has a few different functions, Kaspersky officials said.
The virus originates from a compromised web server located in Israel, which lets the hackers stream data from the ransomware to the corrupt server and back again. Researchers said the server is also used for phishing attacks and contained PayPal phishing pages.
Attackers often look for low-hanging fruit to inject their code and hide their corrupt server, according to Kaspersky researchers.
There are ‘strong indications’ it’s a Hebrew-speaking threat actor behind the attacks, researchers said. The hackers claim files will be deleted every six hours, reflecting the approach of more recent ransomware strains.
What’s notable is that the virus fails to give victims a contact channel to use if the payment goes unanswered, which researchers said points to ‘the executable being at an early stage of development.’
The virus isn’t without flaws, but CryPy’s encryption process may be able to defeat anti-ransomware software, according to reports.