A new ransomware written with Python was discovered by AVG malware analyst Jakub Kroustek dubbed CryPy.
CryPy uses AES-256 to encrypt a victim's files, and renames files with the format "CRY<random characters>.cry", with the extension being ".cry". An example of this is shown in the below image.
As noted by Jakub, one very interesting part of this ransomware is the fact it calls the C2 server for every file it encrypts. Every file has a random 32-character password generated by the server, which also provides the random filename to rename the file. This can delay the virus, as it has to wait for a network call for each individual file, but it also hides the key generation from security researchers since it is handled on the server.
The ransomware writes the encrypted form of the file as <original filesize><IV><encrypted data>, then deletes the original file.
The victim is shown a ransom note called "README_FOR_DECRYPT.txt", and is asked to contact the criminals at email@example.com or firstname.lastname@example.org. The following is the ransom note's text.
IMPORTAN INFORMATION All your files are encrypted with strong chiphers. Decrypting of your files is only possible with the decryption program, which is on our secret server. Note that every 6 hours, a random file is permanently deleted. The faster you are, the less files you will lose. Also, in 96 hours, the key will be permanently deleted and there will be no way of recovering your files. To receive your decryption program contact one of the emails: 1. email@example.com 2. firstname.lastname@example.org Just inform your identification ID and we will give you next instruction. Your personal identification ID: CRY[redacted]
At this time, there is no way to decrypt files encrypted by this ransomware.