
CryPy (.cry) Ransomware Help & Support - README_FOR_DECRYPT.txt


#1 Demonslay335
Posted 09 September 2016 - 06:32 PM

A new ransomware written in Python, dubbed CryPy, was discovered by AVG malware analyst Jakub Kroustek.

 

https://twitter.com/JakubKroustek/status/774260419284373504

 

CryPy uses AES-256 to encrypt a victim's files, and renames files with the format "CRY<random characters>.cry", with the extension being ".cry". An example of this is shown in the below image.


[image: Cr6yQNrWIAAfX-s.jpg]


As noted by Jakub, one very interesting part of this ransomware is the fact it calls the C2 server for every file it encrypts. Every file has a random 32-character password generated by the server, which also provides the random filename to rename the file. This can delay the virus, as it has to wait for a network call for each individual file, but it also hides the key generation from security researchers since it is handled on the server.

 

The ransomware writes the encrypted form of the file as <original filesize><IV><encrypted data>, then deletes the original file.

 

The victim is shown a ransom note called "README_FOR_DECRYPT.txt", and is asked to contact the criminals at m4n14k@sigaint.org or blackone@sigaint.org. The following is the ransom note's text.

IMPORTAN INFORMATION

All your files are encrypted with strong chiphers.
Decrypting of your files is only possible with the decryption program, which is on our secret server.
Note that every 6 hours, a random file is permanently deleted. The faster you are, the less files you will lose.
Also, in 96 hours, the key will be permanently deleted and there will be no way of recovering your files.
To receive your decryption program contact one of the emails:

1. m4n14k@sigaint.org
2. blackone@sigaint.org

Just inform your identification ID and we will give you next instruction.
Your personal identification ID: CRY[redacted]

At this time, there is no way to decrypt files encrypted by this ransomware.

 

 


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
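The post describes the on-disk layout of an encrypted file as <original filesize><IV><encrypted data> and the rename pattern "CRY<random characters>.cry", but no field widths. The following triage helper is an added example, not code from the post, from CryPy, or from ID Ransomware; it assumes an 8-byte little-endian size field, a 16-byte IV and a CBC/PKCS7-style ciphertext (plaintext rounded up to the next AES block), and the sample it builds is constructed random bytes, not a real encrypted file. It shows what an analyst can check without the key (header consistency, block alignment, the name pattern) and why the file alone gives nothing more: only the IV is stored, the per-file password never leaves the server.

```python
import os
import re
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Layout from the post: <original filesize><IV><encrypted data>.
# Field widths are NOT given in the post; these are assumptions for this example.
SIZE_FIELD_LEN = 8        # assumed: 64-bit little-endian unsigned original size
IV_LEN = 16               # AES block size, as used for an AES-CBC IV
AES_BLOCK = 16

# Assumed character class for "CRY<random characters>.cry".
CRY_NAME_RE = re.compile(r"^CRY[A-Za-z0-9]+\.cry$")


@dataclass
class CryTriage:
    name_matches: bool
    original_size: Optional[int]   # None when the blob is too short to parse
    iv_hex: Optional[str]
    ciphertext_len: int
    block_aligned: bool
    size_consistent: bool

    @property
    def looks_like_crypy(self) -> bool:
        return self.name_matches and self.block_aligned and self.size_consistent


def parse_cry_container(data: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a blob into (original_size, iv, ciphertext) under the assumed layout."""
    if len(data) < SIZE_FIELD_LEN + IV_LEN:
        return None
    (original_size,) = struct.unpack("<Q", data[:SIZE_FIELD_LEN])
    iv = data[SIZE_FIELD_LEN:SIZE_FIELD_LEN + IV_LEN]
    ciphertext = data[SIZE_FIELD_LEN + IV_LEN:]
    return original_size, iv, ciphertext


def triage_cry_file(filename: str, data: bytes) -> CryTriage:
    """Check a file against the described name pattern and container layout.

    Nothing here decrypts anything: the key is generated on the C2 per file
    and is not present in the container, only the IV is.
    """
    name_ok = bool(CRY_NAME_RE.match(os.path.basename(filename)))
    parsed = parse_cry_container(data)
    if parsed is None:
        return CryTriage(name_ok, None, None, len(data), False, False)
    original_size, iv, ciphertext = parsed
    aligned = len(ciphertext) > 0 and len(ciphertext) % AES_BLOCK == 0
    # CBC with PKCS7 padding always adds 1..16 bytes, so the ciphertext must be
    # strictly longer than the plaintext and at most one block longer.
    consistent = original_size < len(ciphertext) <= original_size + AES_BLOCK
    return CryTriage(name_ok, original_size, iv.hex(), len(ciphertext), aligned, consistent)


def build_sample_cry(original_size: int) -> bytes:
    """Constructed sample in the assumed layout: random IV and random 'ciphertext'.

    No real encryption is performed; the bytes only exercise the parser.
    """
    padded_len = (original_size // AES_BLOCK + 1) * AES_BLOCK
    return struct.pack("<Q", original_size) + os.urandom(IV_LEN) + os.urandom(padded_len)


if __name__ == "__main__":
    sample = build_sample_cry(1000)
    for name, blob in [("CRYab12Xz.cry", sample),
                       ("CRYzz.cry", sample[:-3]),        # truncated copy
                       ("report.docx", b"plain, unrelated file")]:
        r = triage_cry_file(name, blob)
        print(f"{name}: looks_like_crypy={r.looks_like_crypy} "
              f"size={r.original_size} ct_len={r.ciphertext_len} "
              f"aligned={r.block_aligned} consistent={r.size_consistent}")
```

Run it over a suspect directory by feeding each file's bytes to triage_cry_file; a hit on the name pattern with a misaligned or inconsistent body means the layout assumed here is wrong for that sample, not that the file is clean.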



#2 Amigo-A
Posted 12 September 2016 - 02:01 PM

This image belongs to the ransomware? This wallpaper or logo?

https://pbs.twimg.com/media/Cr6yJErWgAAUkOE.jpg

 


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 Demonslay335
Posted 12 September 2016 - 03:16 PM

This image belongs to the ransomware? This wallpaper or logo?

https://pbs.twimg.com/media/Cr6yJErWgAAUkOE.jpg

That's the icon of the executable itself. It isn't used anywhere else.



#4 Amigo-A
Posted 13 September 2016 - 01:58 AM

Imagination does not visit these extortionists. :)


#5 Amigo-A
Posted 13 September 2016 - 03:41 AM

What are targeted extensions by CryPy?
