Ransomware is already annoying: Files are suddenly locked down and potentially irretrievable if users aren’t wiling to meet demands and pay up. Thankfully, most strains come with inherent weaknesses that can be exploited by security firms to claw back hostage data.
As noted by SecurityWeek, however, there’s a new snake in the grass: CryPy ransomware. Written in Python, this iteration of lock-and-leave code fetches a unique key for each file before it’s encrypted, making it possible for actors to offer a few free unlocks to demonstrate their goodwill and encourage full payment before the files are deleted. Here’s a look at this ransom rollout.
According to Securelist, CryPy is the newest member of the Pysomwares group, which includes other Python-coded malware such as HolyCrypt and Fs0ciety Locker. The infection process is fairly standard: PCs are compromised with a boot_common.py process, designed to error-log Windows platforms, and encryptor.py, which takes care of locking down the actual files. Once compromised, PCs have their registry policies overwritten, system recovery tools disabled and boot status policy set to ignore.
But rather than using a common key to encrypt victim information, CryPy ransomware sends specific file names and user IDs to its command-and-control (C&C) server, which responds with a unique token for each file. This allows attackers to unlock individual files to show they’re in full control of the infection and encourage victims to quickly pay the ransom.
According to the SecurityWeek piece, a flaw in the Magneto CMS let actors upload a PHP shell script and compromise an Israeli-based web server. This same server was also tied to a series of PayPal phishing pages, and evidence suggests the entire operation is the work of a Hebrew-speaking attacker.
How CryPy Ransomware Is Changing the Game
While the CryPy ransomware isn’t particularly sophisticated or especially dangerous, it showcases the ongoing evolution of ransomware — threat actors aren’t satisfied doing the same thing over and over again. They are instead looking for new ways to compromise computers and ramp up victims’ fears.
Consider the new Exotic Ransomware from an actor known as EvilTwin: In addition to locking down the expected files, such as documents and pictures, the malware also targets and encrypts executables, crippling users’ ability to run any programs on their PCs. After infection, users are directed to pay $50 worth of bitcoins in 72 hours or risk having all their files deleted. Bleeping Computer noted this ransomware is still in the development stage, but it won’t be long until a full release appears.
According to Komando, malware infections are also hitting new targets such as smart TVs running the Android OS. If a user navigates to malicious sites or clicks on links from compromised emails using the TV’s web browser, it’s possible to pick up an infection that will activate itself 30 minutes after being installed. The user then receives a warning that the television is locked because he or she has committed “illegal actions” and must therefore pay $200 to have it fixed.
Fortunately, the malware only locks the screen rather than encrypting files and can be removed by connecting the computer to a PC and running the Android Debug Bridge process.
Bottom line? Cybercriminals are always on the lookout for low-hanging fruit. But with many users getting wise to regular ransomware infections, some are stepping up their game to include unique file keys or compromised executables, and they are even channeling TV infections to convince users they’re better off paying up than losing out.