October 17, 2016 By Douglas Bonderud 2 min read

Ransomware is already annoying: Files are suddenly locked down and potentially irretrievable if users aren’t wiling to meet demands and pay up. Thankfully, most strains come with inherent weaknesses that can be exploited by security firms to claw back hostage data.

As noted by SecurityWeek, however, there’s a new snake in the grass: CryPy ransomware. Written in Python, this iteration of lock-and-leave code fetches a unique key for each file before it’s encrypted, making it possible for actors to offer a few free unlocks to demonstrate their goodwill and encourage full payment before the files are deleted. Here’s a look at this ransom rollout.

Reptilian Ransoms?

According to Securelist, CryPy is the newest member of the Pysomwares group, which includes other Python-coded malware such as HolyCrypt and Fs0ciety Locker. The infection process is fairly standard: PCs are compromised with a boot_common.py process, designed to error-log Windows platforms, and encryptor.py, which takes care of locking down the actual files. Once compromised, PCs have their registry policies overwritten, system recovery tools disabled and boot status policy set to ignore.

But rather than using a common key to encrypt victim information, CryPy ransomware sends specific file names and user IDs to its command-and-control (C&C) server, which responds with a unique token for each file. This allows attackers to unlock individual files to show they’re in full control of the infection and encourage victims to quickly pay the ransom.

According to the SecurityWeek piece, a flaw in the Magneto CMS let actors upload a PHP shell script and compromise an Israeli-based web server. This same server was also tied to a series of PayPal phishing pages, and evidence suggests the entire operation is the work of a Hebrew-speaking attacker.

How CryPy Ransomware Is Changing the Game

While the CryPy ransomware isn’t particularly sophisticated or especially dangerous, it showcases the ongoing evolution of ransomware — threat actors aren’t satisfied doing the same thing over and over again. They are instead looking for new ways to compromise computers and ramp up victims’ fears.

Consider the new Exotic Ransomware from an actor known as EvilTwin: In addition to locking down the expected files, such as documents and pictures, the malware also targets and encrypts executables, crippling users’ ability to run any programs on their PCs. After infection, users are directed to pay $50 worth of bitcoins in 72 hours or risk having all their files deleted. Bleeping Computer noted this ransomware is still in the development stage, but it won’t be long until a full release appears.

According to Komando, malware infections are also hitting new targets such as smart TVs running the Android OS. If a user navigates to malicious sites or clicks on links from compromised emails using the TV’s web browser, it’s possible to pick up an infection that will activate itself 30 minutes after being installed. The user then receives a warning that the television is locked because he or she has committed “illegal actions” and must therefore pay $200 to have it fixed.

Fortunately, the malware only locks the screen rather than encrypting files and can be removed by connecting the computer to a PC and running the Android Debug Bridge process.

Bottom line? Cybercriminals are always on the lookout for low-hanging fruit. But with many users getting wise to regular ransomware infections, some are stepping up their game to include unique file keys or compromised executables, and they are even channeling TV infections to convince users they’re better off paying up than losing out.

More from

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success…

Brands are changing cybersecurity strategies due to AI threats

3 min read -  Over the past 18 months, AI has changed how we do many things in our work and professional lives — from helping us write emails to affecting how we approach cybersecurity. A recent Voice of SecOps 2024 study found that AI was a huge reason for many shifts in cybersecurity over the past 12 months. Interestingly, AI was both the cause of new issues as well as quickly becoming a common solution for those very same challenges.The study was conducted…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today