Python Based Ransomware CryPy uses Different Unique Key to Decrypt Each File!

A number of ransomware families have been written in Python by their authors; HolyCrypt, Fs0ciety Locker and Zimbra are some examples. These ransomware use only one unique key to decrypt all the encrypted files. A new ransomware named CryPy has been detected by security researchers at Kaspersky. It is Python based, and it differs from all the other ransomware in that it uses a different unique key for each encrypted file.

How Does CryPy Work?

CryPy ransomware mainly uses the following two Python executable files:

boot_common.py

encryptor.py

The boot_common.py file was written by the hackers for error logging on targeted Windows platforms. The encryptor.py file, on the other hand, is capable of encrypting all the files on a server; we can say that this second file is the actual locker. The hackers control this ransomware through remote commands. CryPy sends the victim ID and a file to the server. After receiving the file, the server first encrypts it and then generates a unique key to decrypt it. The server immediately sends that unique key back to CryPy.

The most interesting fact is: “Hackers are not demanding money to decrypt the files. They are providing these unique keys for free”.

How Are Hackers Controlling CryPy?

According to security researchers at Kaspersky Security Labs, this ransomware interacts with an Israeli server. That Israeli server was compromised by the hackers by exploiting a common Magento vulnerability. By doing this, the hackers managed to upload a PHP shell script to the server. Some hard-coded scripts were also uploaded by the hackers to the vulnerable server to transfer data in clear text. These scripts also help the hackers perform MITM (Man in the Middle) attacks. The cyber criminals behind this ransomware control it through command and control servers. The hackers were also using this server for phishing attacks. These phishing attacks targeted PayPal users, and the hackers designed the phishing pages in Hebrew, the language of Israel.

Read about that PayPal phishing scam here: https://goo.gl/v7Ynj4

After stealing the login credentials of PayPal users, the hackers forwarded them to another remote server, located in Mexico. The hackers used the same technique to control this server, but this server was not running Magento. Hackers often use tricks of this type to make the connection chain more complex; it helps them hide their command servers from investigators.

Source: Kaspersky Security labs