WatchPoint Security Blog

Here Comes CryPy Ransomware

Written by Jordan Kadlec | November 09, 2016

Ransomware has been all over cybersecurity headlines for the last ten months. This week’s feature is CryPy, a form of ransomware that is adding a spin to how files are encrypted and the ransom demanded.

CryPy Ransomware

CryPy gets its name from two things: it makes its victims cry, and it is written in Python, which performs the ransomware’s encryption; hence, CryPy. Currently, there is no real cause for alarm, as CryPy relies on a web server that is now offline. However, the malware has been compiled into a Windows .exe file (executable program) from which the Python source code can be easily extracted. This leaves the window open for cybercriminals to create a different form of ransomware from CryPy’s foundation.

CryPy is different from almost any form of ransomware that we have seen thus far. The malware makes an HTTP request containing a unique identifier for the victim plus the original filename for each file. The server replies each time with a replacement file name and a one-time random AES (Advanced Encryption Standard) encryption key. So, what does this mean? Every file has its own unlocking key, every file gets a new and meaningless name, and the cybercriminals end up with a complete list of all your file names.

In other words, CryPy introduces three new angles to ransomware. First, it actually steals your data as well as scrambling your local file copies. Second, it leaves cybercriminals in a position to demand ransom for each individual file. If a hacker believes that you may place a higher value on certain files, they will demand a higher ransom for those files. Third, there’s no need for RSA and public/private keypairs, because the one-time keys are all generated and stored on the server.

With that being said, CryPy still carries characteristics like other forms of ransomware. In case it doesn’t get time to finish encrypting your files in one attempt, it sets itself to launch whenever you log in to your computer. CryPy also blocks access to numerous system troubleshooting tools such as the command prompt, registry editor, and task manager. Lastly, CryPy creates a file called README_FOR_DECRYPT.txt (see below) on your desktop, telling you how to contact the cybercriminals to negotiate your decryption key.
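The behaviour described above (each file rewritten under a meaningless new name with per-file encrypted content) is exactly the kind of signal a file-share monitor can key on. The following is an added illustration of such a detector, not code from CryPy or from any WatchPoint product; the name pattern, entropy threshold, time window, hit count and the sample events are all constructed assumptions.

```python
import math
import re
from collections import deque

# Assumption: post-encryption names are opaque alphanumeric strings with no extension.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{12,}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, well below that for documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(new_name: str, content: bytes, threshold: float = 7.0) -> bool:
    """One write matches the CryPy pattern: meaningless new name plus encrypted body."""
    return RANDOM_NAME.match(new_name) is not None and shannon_entropy(content) > threshold

def detect_bursts(events, window_s: float = 10.0, max_hits: int = 3):
    """Scan (timestamp, host, new_name, content) share writes; return [(host, ts)] to isolate."""
    alerts, recent, isolated = [], {}, set()
    for ts, host, new_name, content in events:
        if host in isolated or not looks_encrypted(new_name, content):
            continue
        hits = recent.setdefault(host, deque())
        hits.append(ts)
        while ts - hits[0] > window_s:          # drop suspicious writes outside the window
            hits.popleft()
        if len(hits) >= max_hits:               # burst of encrypted rewrites -> cut the host off
            alerts.append((host, ts))
            isolated.add(host)                  # report each host once; it is already isolated
    return alerts

# Constructed sample traffic: one legitimate save, then a CryPy-style burst from one host.
CIPHER_LIKE = bytes(range(256)) * 16             # stand-in for AES output, exactly 8.0 bits/byte
PLAIN_TEXT = b"Q3 revenue summary for the board meeting.\n" * 20
SAMPLE_EVENTS = [
    (0.0, "ws-07", "report.docx", PLAIN_TEXT),
    (1.0, "ws-07", "x7Kq9LmZ2pRt4", CIPHER_LIKE),
    (1.5, "ws-07", "Bv3nT8yWqL0sA", CIPHER_LIKE),
    (2.0, "ws-12", "notes.txt", PLAIN_TEXT),
    (3.0, "ws-07", "Hm5cJ2vXzQ8eR", CIPHER_LIKE),   # third hit inside 10 s -> isolate ws-07
    (4.0, "ws-07", "Pp1aN6kD3fGhU", CIPHER_LIKE),   # host already isolated, not reported again
]
```

Running `detect_bursts(SAMPLE_EVENTS)` yields `[('ws-07', 3.0)]`; the legitimate saves on both hosts never count as hits.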

WatchPoint – CryptoStopper.io

As of now, CryPy isn’t something we need to worry about. However, the idea behind the ransomware and the foundation already created are cause for concern. As we always say, prevention is key, but protection is a must.

WatchPoint has a solution to protect you from the prevalent threat of ransomware. CryptoStopper.io monitors your shared files and detects and isolates the attack the moment ransomware hits your network. An alert is sent to the administrator, and the host is disconnected from the server.

Check out CryptoStopper.io to see how WatchPoint can protect your business from ransomware. We also regularly host CryptoStopper webinars. To attend the next webinar, register below.