A new kind of ransomware encrypts files using a unique key per file. Read more at www.spinonews.com/index.php/item/1278-a-new-kind-of-ransomware-encrypt-files-using-a-unique-key
CryPy, the ransomware in question, is not the first or only family written in Python: Zimbra, HolyCrypt and Fs0ciety Locker were also written in that language.
What sets CryPy apart is that it encrypts files one at a time, with a different key for each file, which makes recovering the data considerably harder.
Kaspersky researchers found the ransomware while investigating a vulnerability in the Magento content management system that let attackers upload and run a PHP shell script on a compromised Israeli web server.
#Python #ransomware #CryPy retrieves encryption key and new filename for each file from CnC. https://t.co/RjtxuMg4r9 pic.twitter.com/FgINNyfb2v
— Jakub Kroustek (@JakubKroustek) 9 September 2016
Data is exchanged with that server in clear text, which leaves the traffic open to man-in-the-middle attacks; the compromised server also holds additional PHP scripts that fetch the ransomware onto victim PCs.
Kaspersky's analysis identifies two main files, boot_common.py and encryptor.py: the first handles error logging on Windows, the second is the main locker.
Once a computer is infected, CryPy disables Registry Tools, Task Manager, Run and CMD, then disables the boot status policy and the recovery tools (the settings that would otherwise let Windows offer repair options after a failed boot). Only when that lockdown has succeeded does the malware begin encrypting files, using a different encryption key for each file.
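The lockdown sequence above (registry policies that hide Task Manager, the Registry Editor, Run and CMD, followed by bcdedit changes to the boot status policy and recovery) is a useful host-based detection opportunity, because it happens before any file is encrypted. The following is an added example of such detection logic, not code from Kaspersky or from the CryPy sample. It assumes Sysmon-style records (event 1 for process creation, event 13 for registry value set) presented as Python dicts; the registry value names are the standard Windows policy values for disabling those tools, and the page does not state which ones CryPy actually sets, so treat them as an assumption. All log lines are constructed for the example.

```python
"""Detect the pre-encryption lockdown sequence described above.

Added example (not CryPy's or Kaspersky's code). Input records are dicts
shaped like Sysmon event 1 (process create) and event 13 (registry value
set). Registry value names and the sample log lines are assumptions.
"""
import re
from collections import Counter

# Windows policy values whose non-zero setting disables the named tool.
# Matched against the lower-cased tail of the Sysmon TargetObject.
LOCKDOWN_VALUES = {
    r"policies\system\disabletaskmgr": "taskmgr_disabled",
    r"policies\system\disableregistrytools": "regedit_disabled",
    r"policies\system\disablecmd": "cmd_disabled",
    r"policies\explorer\norun": "run_disabled",
}
LOCKDOWN_TAGS = set(LOCKDOWN_VALUES.values())

# bcdedit switches that suppress the boot-failure menu and Windows Recovery.
BCDEDIT_PATTERNS = {
    "bootstatuspolicy_ignored": re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I),
    "recovery_disabled": re.compile(r"recoveryenabled\s+(no|off|false)\b", re.I),
}


def _is_nonzero(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; a zero write re-enables the tool."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16) != 0
    m = re.search(r"\d+", details)
    return bool(m) and int(m.group()) != 0


def classify_event(event):
    """Return detection tags for one record (empty list if nothing matches)."""
    tags = []
    if event.get("EventID") == 13:  # registry value set
        target = event.get("TargetObject", "").lower()
        for suffix, tag in LOCKDOWN_VALUES.items():
            if target.endswith(suffix) and _is_nonzero(event.get("Details", "")):
                tags.append(tag)
    elif event.get("EventID") == 1:  # process creation
        cmd = event.get("CommandLine", "")
        if re.search(r"\bbcdedit(\.exe)?\b", cmd, re.I):
            for tag, pat in BCDEDIT_PATTERNS.items():
                if pat.search(cmd):
                    tags.append(tag)
    return tags


def assess_host(events):
    """Combine per-event tags into a verdict for one host.

    Two or more tools disabled plus a bcdedit recovery/boot-policy change is
    the lockdown chain the article describes; either half alone is only
    'suspicious' (admins legitimately run bcdedit and set these policies).
    """
    tags = Counter()
    hits = []
    for ev in events:
        found = classify_event(ev)
        if found:
            tags.update(found)
            hits.append((ev.get("UtcTime"), ev.get("Image"), found))
    lockdown = len(set(tags) & LOCKDOWN_TAGS)
    boot = len(set(tags) & set(BCDEDIT_PATTERNS))
    if lockdown >= 2 and boot >= 1:
        verdict = "ransomware_lockdown"
    elif lockdown or boot:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "tags": sorted(tags), "events": hits}


# Constructed sample log (hypothetical image path; not from a real capture).
_IMG = r"C:\Users\victim\AppData\Local\Temp\locker.exe"
_POL = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "10:00:02", "Image": _IMG,
     "TargetObject": _POL + r"\System\DisableTaskMgr", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "10:00:02", "Image": _IMG,
     "TargetObject": _POL + r"\System\DisableRegistryTools", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "10:00:02", "Image": _IMG,
     "TargetObject": _POL + r"\Explorer\NoRun", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "10:00:02", "Image": _IMG,
     "TargetObject": _POL + r"\System\DisableCMD", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "UtcTime": "10:00:03", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"EventID": 1, "UtcTime": "10:00:03", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
]
BENIGN_EVENTS = [  # admin enumerating BCD and re-enabling Task Manager
    {"EventID": 1, "UtcTime": "11:00:00", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /enum"},
    {"EventID": 13, "UtcTime": "11:00:01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": _POL + r"\System\DisableTaskMgr", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_EVENTS)["verdict"], assess_host(BENIGN_EVENTS)["verdict"])
```

The verdict deliberately requires both halves of the chain: the policy values are also set by legitimate management tooling, and bcdedit is run by administrators, so either alone would be noisy. In a real deployment the events would be grouped per host and bounded to a short window, and an alert at this point still precedes encryption, since the article notes the file loop starts only after the lockdown succeeds.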
When the lockdown and encryption are complete, the operator sends commands that display a notice to the victim, telling them to contact an email address to pay for the decryption program.
Victims who follow those instructions and email the attacker are given a sample decryption key that unlocks a few files for free. This is the attacker's way of building trust and pressuring the victim into paying for the full decryption program.
The ransomware appears to be at an early stage of development: researchers believe it has failed to encrypt files since its author moved the server, which fits a design in which each file's key is fetched from the command-and-control server.