CryPy was discovered due to a security flaw in the Magento content management system (CMS) which permitted attackers to upload and execute a PHP shell script on a vulnerable Israeli web server, which now acts as the malware's command and control (C&C) center. Data is transferred from the server in clear text, which allows man-in-the-middle (MiTM) attacks to take place, and the server also drops additional PHP scripts which call up the ransomware to attack victim PCs. The C&C center is also used to conduct phishing attacks and contained PayPal phishing pages. It is believed that the threat actors behind the ransomware are Hebrew-speaking.
The malware consists of two main files, boot_common.py and encryptor.py. The first handles error logging on Windows platforms, while the latter is the actual locker. Once a system is infected, CryPy disables Registry Tools, Task Manager, CMD, and Run before disabling recovery tools and the boot status policy.
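The lockdown steps above (disabling Registry Tools, Task Manager, CMD and Run, then recovery and the boot status policy) leave a footprint a defender can check for. The script below is an added example written for this article, not code from CryPy or from Kaspersky's report; it assumes the tools are disabled through the standard Windows policy registry values and that recovery is turned off through the usual `bcdedit` settings (`recoveryenabled`, `bootstatuspolicy`), which is an assumption about the mechanism, since the article does not state how the malware does it. The sample registry values and `bcdedit` output are constructed so the audit runs offline; on a live Windows host, `read_live_policies()` pulls the same values through `winreg`.

```python
"""Audit a Windows host (or a snapshot of one) for the tool lockdown and
recovery-disabling changes described above. Added example; registry value
names and bcdedit fields are standard Windows settings, not taken from the
malware itself (assumption)."""
from typing import Dict, List, Tuple

# (HKCU-relative key path, value name) -> tool disabled when the value is non-zero.
LOCKDOWN_POLICIES: Dict[Tuple[str, str], str] = {
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "Registry Tools",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "Task Manager",
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): "Command Prompt",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"): "Run dialog",
}


def audit_policies(values: Dict[Tuple[str, str], int]) -> List[str]:
    """Return one finding per lockdown policy that is set to a non-zero value."""
    findings = []
    for (path, name), tool in LOCKDOWN_POLICIES.items():
        val = values.get((path, name))
        if val:  # absent or 0 means the tool is still available
            findings.append(f"{tool} disabled via HKCU\\{path}\\{name}={val}")
    return findings


def audit_bcdedit(output: str) -> List[str]:
    """Parse `bcdedit /enum {current}`-style text for recovery lockdown."""
    findings = []
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        field, val = parts[0].lower(), parts[1].strip().lower()
        if field == "recoveryenabled" and val == "no":
            findings.append("Windows Recovery Environment disabled (recoveryenabled No)")
        if field == "bootstatuspolicy" and val == "ignoreallfailures":
            findings.append("boot status policy set to IgnoreAllFailures (boot failures hidden)")
    return findings


def read_live_policies() -> Dict[Tuple[str, str], int]:
    """Read the policy values from the current user's hive. Windows only;
    returns an empty mapping elsewhere so the audit still runs."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for path, name in LOCKDOWN_POLICIES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                val, _type = winreg.QueryValueEx(key, name)
                found[(path, name)] = int(val)
        except OSError:  # key or value not present: tool not disabled
            pass
    return found


# Constructed snapshot of a host after the lockdown steps (not real telemetry).
SAMPLE_POLICY_VALUES = {
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"): 1,
}

# Constructed bcdedit output fragment (field names are the real bcdedit ones).
SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
description             Windows 10
recoveryenabled         No
bootstatuspolicy        IgnoreAllFailures
"""

if __name__ == "__main__":
    live = read_live_policies() or SAMPLE_POLICY_VALUES
    for finding in audit_policies(live) + audit_bcdedit(SAMPLE_BCDEDIT):
        print("FINDING:", finding)
```

Any non-zero value for these policies is treated as a finding, because `DisableCMD` uses 2 as well as 1 and a restore of the defaults normally deletes the value rather than zeroing it; a clean host yields no findings at all.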
Encryption then begins, with a fresh encryption key fetched for each file individually. However, Kaspersky believes CryPy is in the early stages of development: in its current form the malware is failing to encrypt files, as the threat actor has recently moved to a new server and the malware has not been updated as of yet. When a system is locked and encrypted, victims are asked to contact the threat actor via email to pay for a decryption program. By undergoing this process, victims may be able to decrypt a few files for free, demonstrating the malware's functions and potentially building an element of trust; in other words, a lure to push victims into paying for the full decryption system.
Earlier this week, Symantec researchers revealed that ransomware operators are switching tactics to expand their attack surface by using Windows Script Files (WSF) to distribute ransomware, as these are less likely to be picked up by antivirus programs.