October 17, 2016 By Douglas Bonderud 2 min read

Ransomware is already annoying: Files are suddenly locked down and potentially irretrievable if users aren’t wiling to meet demands and pay up. Thankfully, most strains come with inherent weaknesses that can be exploited by security firms to claw back hostage data.

As noted by SecurityWeek, however, there’s a new snake in the grass: CryPy ransomware. Written in Python, this iteration of lock-and-leave code fetches a unique key for each file before it’s encrypted, making it possible for actors to offer a few free unlocks to demonstrate their goodwill and encourage full payment before the files are deleted. Here’s a look at this ransom rollout.

Reptilian Ransoms?

According to Securelist, CryPy is the newest member of the Pysomwares group, which includes other Python-coded malware such as HolyCrypt and Fs0ciety Locker. The infection process is fairly standard: PCs are compromised with a boot_common.py process, designed to error-log Windows platforms, and encryptor.py, which takes care of locking down the actual files. Once compromised, PCs have their registry policies overwritten, system recovery tools disabled and boot status policy set to ignore.

But rather than using a common key to encrypt victim information, CryPy ransomware sends specific file names and user IDs to its command-and-control (C&C) server, which responds with a unique token for each file. This allows attackers to unlock individual files to show they’re in full control of the infection and encourage victims to quickly pay the ransom.

According to the SecurityWeek piece, a flaw in the Magneto CMS let actors upload a PHP shell script and compromise an Israeli-based web server. This same server was also tied to a series of PayPal phishing pages, and evidence suggests the entire operation is the work of a Hebrew-speaking attacker.

How CryPy Ransomware Is Changing the Game

While the CryPy ransomware isn’t particularly sophisticated or especially dangerous, it showcases the ongoing evolution of ransomware — threat actors aren’t satisfied doing the same thing over and over again. They are instead looking for new ways to compromise computers and ramp up victims’ fears.

Consider the new Exotic Ransomware from an actor known as EvilTwin: In addition to locking down the expected files, such as documents and pictures, the malware also targets and encrypts executables, crippling users’ ability to run any programs on their PCs. After infection, users are directed to pay $50 worth of bitcoins in 72 hours or risk having all their files deleted. Bleeping Computer noted this ransomware is still in the development stage, but it won’t be long until a full release appears.

According to Komando, malware infections are also hitting new targets such as smart TVs running the Android OS. If a user navigates to malicious sites or clicks on links from compromised emails using the TV’s web browser, it’s possible to pick up an infection that will activate itself 30 minutes after being installed. The user then receives a warning that the television is locked because he or she has committed “illegal actions” and must therefore pay $200 to have it fixed.

Fortunately, the malware only locks the screen rather than encrypting files and can be removed by connecting the computer to a PC and running the Android Debug Bridge process.

Bottom line? Cybercriminals are always on the lookout for low-hanging fruit. But with many users getting wise to regular ransomware infections, some are stepping up their game to include unique file keys or compromised executables, and they are even channeling TV infections to convince users they’re better off paying up than losing out.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today