Ransomware is already annoying: Files are suddenly locked down and potentially irretrievable if users aren’t willing to meet demands and pay up. Thankfully, most strains come with inherent weaknesses that can be exploited by security firms to claw back hostage data.

As noted by SecurityWeek, however, there’s a new snake in the grass: CryPy ransomware. Written in Python, this iteration of lock-and-leave code fetches a unique key for each file before it’s encrypted, making it possible for actors to offer a few free unlocks to demonstrate their goodwill and encourage full payment before the files are deleted. Here’s a look at this ransom rollout.

Reptilian Ransoms?

According to Securelist, CryPy is the newest member of the Pysomwares group, which includes other Python-coded malware such as HolyCrypt and Fs0ciety Locker. The infection process is fairly standard. PCs are compromised with boot_common.py, which handles error logging on Windows platforms, and encryptor.py, which takes care of locking down the actual files. Once compromised, PCs have their registry policies overwritten, system recovery tools disabled and boot status policy set to ignore.
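For defenders, the three post-compromise changes listed above make a useful triage signal when they show up together on one host. The following is an added example, not code from Securelist or the malware: it scans constructed process-creation events for those behaviors, and the specific command lines it matches (bcdedit and reg add) are assumptions, since the article names only the effects.

```python
import re

# Each rule maps one behaviour named in the article to a command-line pattern.
# The concrete commands are assumptions: the article names the effects only.
RULES = {
    "boot_status_policy_ignore": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+(no|off|false|0)\b", re.I),
    "policy_registry_write": re.compile(
        r"\breg(\.exe)?\s+add\b.*\\Policies\\", re.I),
}

def classify(command_line):
    """Return the sorted rule names a single command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def hosts_to_triage(events, threshold=2):
    """Group events by host and return the hosts showing at least
    `threshold` distinct behaviours, mapped to the behaviours seen."""
    seen = {}
    for host, command_line in events:
        seen.setdefault(host, set()).update(classify(command_line))
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

# Constructed sample process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("WS-014", r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-014", r"bcdedit.exe /set {default} recoveryenabled No"),
    ("WS-014", r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion'
               r'\Policies\System" /v ExampleValue /t REG_DWORD /d 1 /f'),
    ("WS-022", r"bcdedit /enum"),  # read-only query, matches nothing
    ("WS-031", r'reg add "HKLM\SOFTWARE\Policies\ExampleVendor" /v Setting /d 1 /f'),
]

if __name__ == "__main__":
    for host, behaviours in hosts_to_triage(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

A lone policy write, as on WS-031, is common administrative activity, which is why the example only flags hosts that combine at least two of the behaviors.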

But rather than using a common key to encrypt victim information, CryPy ransomware sends specific file names and user IDs to its command-and-control (C&C) server, which responds with a unique token for each file. This allows attackers to unlock individual files to show they’re in full control of the infection and encourage victims to quickly pay the ransom.

According to the SecurityWeek piece, a flaw in the Magento CMS let actors upload a PHP shell script and compromise an Israel-based web server. This same server was also tied to a series of PayPal phishing pages, and evidence suggests the entire operation is the work of a Hebrew-speaking attacker.

How CryPy Ransomware Is Changing the Game

While the CryPy ransomware isn’t particularly sophisticated or especially dangerous, it showcases the ongoing evolution of ransomware — threat actors aren’t satisfied doing the same thing over and over again. They are instead looking for new ways to compromise computers and ramp up victims’ fears.

Consider the new Exotic Ransomware from an actor known as EvilTwin: In addition to locking down the expected files, such as documents and pictures, the malware also targets and encrypts executables, crippling users’ ability to run any programs on their PCs. After infection, users are directed to pay $50 worth of bitcoins in 72 hours or risk having all their files deleted. Bleeping Computer noted this ransomware is still in the development stage, but it won’t be long until a full release appears.

According to Komando, malware infections are also hitting new targets such as smart TVs running the Android OS. If a user navigates to malicious sites or clicks on links from compromised emails using the TV’s web browser, it’s possible to pick up an infection that will activate itself 30 minutes after being installed. The user then receives a warning that the television is locked because he or she has committed “illegal actions” and must therefore pay $200 to have it fixed.

Fortunately, the malware only locks the screen rather than encrypting files and can be removed by connecting the television to a PC and running the Android Debug Bridge (ADB).

Bottom line? Cybercriminals are always on the lookout for low-hanging fruit. But with many users getting wise to regular ransomware infections, some are stepping up their game to include unique file keys or compromised executables, and they are even channeling TV infections to convince users they’re better off paying up than losing out.
