CryPy Ransomware Generates Decryption Key for Each Encrypted File

Yet another crypto virus has been spotted by Jakub Kroustek, malware analyst at AVG. The threat circulates on the Internet under the name CryPy ransomware. A distinctive characteristic of CryPy is that its script is written in the Python programming language. It scans the victim's PC for particular file types and then encrypts them with the AES-256 symmetric encryption algorithm.

Victims of this ransomware should not pay the ransom. Don't let cyber criminals harass you. At the end of this article there is a manual removal guide. We recommend removing the threat from the PC immediately. Afterwards, alternative recovery solutions could help with decrypting some of the .cry data.

More of CryPy Ransomware Features

Once activated on the computer, the CryPy virus may contact its C&C server and receive a command to download its malicious payload. The threat is probably named after the .cry extension it appends to the encrypted files. This resembles another crypto virus discovered last week, dubbed Cry ransomware (CSTO), which appends the same extension; however, CryPy operates in a different manner.

CryPy ransomware also prepends the initials CRY to the file names; between the prefix and the extension are random numbers that individually identify each encrypted file. The most commonly used file types, such as images, documents, video and audio files, are likely targets for encryption. Once they carry the .cry extension, they cannot be opened or used by any program.

The curious thing in this case is that CryPy ransomware connects to its C&C server after every single file it encrypts. The encryption of each file ends with the generation of a unique key for that file, which is then sent to the cyber criminals. This per-file round trip makes CryPy slower than typical ransomware threats.

In the final phase of the infection, this nasty virus drops a ransom note informing victims that if the ransom is not paid within 6 hours, a random file will be deleted. This repeats every 6 hours until the 96th hour, when the decryption key is deleted as well. The dropped file is named README_FOR_DECRYPT.txt and is opened automatically. It states:

“IMPORTANT INFORMATION
All your files are encrypted with strong ciphers.
Decrypting of your files is only possible with the decryption program, which is on our secret server.
Note that every 6 hours; a random file is permanently deleted. The faster you are, the fewer files you will lose.
Also, in 96 hours, the key will be permanently deleted, and there will be no way of recovering your files.
To receive your decryption program contact one of the emails:
1. [email protected]
2. [email protected]
Just inform your identification ID and we will give you next instruction.
Your personal identification ID: CRY{Unique Identification Number}”

Stay safe and don't contact the malicious actors behind it.
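As an added illustration (not code from the article, and not the malware's own code), the following Python script looks for the two file-system indicators described above, the CRY<numbers>.cry renaming and the README_FOR_DECRYPT.txt note, and extracts the personal ID from the note. The exact regex for the random-number part and the sample file names are assumptions made for this example.

```python
import re
from pathlib import Path

# Indicators taken from the article: encrypted files are renamed to
# CRY<random numbers>.cry and the note README_FOR_DECRYPT.txt is dropped.
# The digit-only pattern is this example's assumption about the random part.
CRYPY_NAME = re.compile(r"^CRY\d+\.cry$")
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
VICTIM_ID = re.compile(r"identification ID:\s*(CRY\{[^}]*\})")


def classify_names(names):
    """Split file names into CryPy-renamed files, ransom notes and everything else."""
    encrypted, notes, other = [], [], []
    for name in names:
        if CRYPY_NAME.match(name):
            encrypted.append(name)
        elif name == RANSOM_NOTE:
            notes.append(name)
        else:
            other.append(name)
    return encrypted, notes, other


def extract_victim_id(note_text):
    """Pull the CRY{...} personal ID out of a ransom note, or None if absent."""
    match = VICTIM_ID.search(note_text)
    return match.group(1) if match else None


def triage_directory(root):
    """Walk a directory tree and summarise the CryPy indicators found in it."""
    root = Path(root)
    names = [p.name for p in root.rglob("*") if p.is_file()]
    encrypted, notes, _ = classify_names(names)
    victim_id = None
    for note in root.rglob(RANSOM_NOTE):
        victim_id = extract_victim_id(note.read_text(errors="ignore"))
        break  # one note is enough to recover the ID
    return {"encrypted": len(encrypted), "notes": len(notes), "victim_id": victim_id}


# Constructed sample input (not taken from a real infection).
SAMPLE_NAMES = ["CRY1234567.cry", "CRY98.cry", "report.docx", RANSOM_NOTE, "cry.txt", "CRYabc.cry"]
SAMPLE_NOTE = "IMPORTANT INFORMATION\n...\nYour personal identification ID: CRY{0000-EXAMPLE}\n"

if __name__ == "__main__":
    print(classify_names(SAMPLE_NAMES))
    print(extract_victim_id(SAMPLE_NOTE))
```

Run triage_directory() against a user profile or file share to count renamed files and recover the ID without touching the .cry data itself.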

How Does CryPy Ransomware Land on the Computer?

One of the ways is via a malicious email attachment that tricks the user into opening it. It may be a Microsoft Office document with embedded malicious macros or a fake PDF file. Another practice used by cyber criminals is to post malicious web links on social media and other sites.

Dealing with CryPy Ransomware Infection

We recommend that CryPy ransomware be removed immediately. After the 6th hour, a random file will be gone forever. The best a victim can do is to get rid of all malicious files associated with the ransomware and keep the .cry data. Once the threat is gone, the encrypted data may be restored using alternative decryption solutions.

How to manually remove malware from your computer

Author: Gergana Ivanova

Gergana Ivanova is a computer security enthusiast who enjoys presenting the latest issues related to cyber security.

