October 17, 2016 By Douglas Bonderud 2 min read

Ransomware is already annoying: Files are suddenly locked down and potentially irretrievable if users aren’t wiling to meet demands and pay up. Thankfully, most strains come with inherent weaknesses that can be exploited by security firms to claw back hostage data.

As noted by SecurityWeek, however, there’s a new snake in the grass: CryPy ransomware. Written in Python, this iteration of lock-and-leave code fetches a unique key for each file before it’s encrypted, making it possible for actors to offer a few free unlocks to demonstrate their goodwill and encourage full payment before the files are deleted. Here’s a look at this ransom rollout.

Reptilian Ransoms?

According to Securelist, CryPy is the newest member of the Pysomwares group, which includes other Python-coded malware such as HolyCrypt and Fs0ciety Locker. The infection process is fairly standard: PCs are compromised with a boot_common.py process, designed to error-log Windows platforms, and encryptor.py, which takes care of locking down the actual files. Once compromised, PCs have their registry policies overwritten, system recovery tools disabled and boot status policy set to ignore.

But rather than using a common key to encrypt victim information, CryPy ransomware sends specific file names and user IDs to its command-and-control (C&C) server, which responds with a unique token for each file. This allows attackers to unlock individual files to show they’re in full control of the infection and encourage victims to quickly pay the ransom.

According to the SecurityWeek piece, a flaw in the Magneto CMS let actors upload a PHP shell script and compromise an Israeli-based web server. This same server was also tied to a series of PayPal phishing pages, and evidence suggests the entire operation is the work of a Hebrew-speaking attacker.

How CryPy Ransomware Is Changing the Game

While the CryPy ransomware isn’t particularly sophisticated or especially dangerous, it showcases the ongoing evolution of ransomware — threat actors aren’t satisfied doing the same thing over and over again. They are instead looking for new ways to compromise computers and ramp up victims’ fears.

Consider the new Exotic Ransomware from an actor known as EvilTwin: In addition to locking down the expected files, such as documents and pictures, the malware also targets and encrypts executables, crippling users’ ability to run any programs on their PCs. After infection, users are directed to pay $50 worth of bitcoins in 72 hours or risk having all their files deleted. Bleeping Computer noted this ransomware is still in the development stage, but it won’t be long until a full release appears.

According to Komando, malware infections are also hitting new targets such as smart TVs running the Android OS. If a user navigates to malicious sites or clicks on links from compromised emails using the TV’s web browser, it’s possible to pick up an infection that will activate itself 30 minutes after being installed. The user then receives a warning that the television is locked because he or she has committed “illegal actions” and must therefore pay $200 to have it fixed.

Fortunately, the malware only locks the screen rather than encrypting files and can be removed by connecting the computer to a PC and running the Android Debug Bridge process.

Bottom line? Cybercriminals are always on the lookout for low-hanging fruit. But with many users getting wise to regular ransomware infections, some are stepping up their game to include unique file keys or compromised executables, and they are even channeling TV infections to convince users they’re better off paying up than losing out.

More from

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

How red teaming helps safeguard the infrastructure behind AI models

4 min read - Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI use.Attack surfaces aren’t just expanding due to risks and vulnerabilities in AI models themselves but also in the underlying infrastructure that supports them. Many foundation…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today