Threat Management, Malware, Ransomware

Python ransomware uses a unique key for each file that is encrypted

A new ransomware variant – written in Python – while dangerous, is also littered with flaws that render it less effective.

The ransomware, named CryPy, was disclosed by Avast reverse engineer and malware analyst Jakub Kroustek.

The news are has quickly caught the eye of security firms, with Kaspersky Lab's security researchers Ido Naor and Noam Alon blogging on SecureList that the malware uses a vulnerable Israel-based web server as its command and control center and claiming that the threat actors are Hebrew-speaking.

Other security pros noted that while CryPy is a newcomer the malware strain itself does not represent a major step forward in sophistication, particularly as some of its features have a negative impact on its performance. For example, using a unique encryption key for each file is a disadvantage, plus it is more susceptible to disruption, according to Cybereason CISO Israel Barak.

The C&C method was “relatively simple,” as demonstrated by the use of a single hacked server, Barak told Significant operational components were missing from the source code, he said, which indicates that the ransomware was caught before it had been implemented on a large scale.

The attempt by the ransomware developer to prevent victims from gaining access to the encryption key by using a different key for each file is flawed, according to Steve McGregory, director of application and threat intelligence at Ixia. The operation would be quickly shut down by blocking “the source of this malicious IP address,” McGregory wrote in an email to

Further, Barak said that a successful ransomware campaign would need to have established “a robust and stealthy C&C infrastructure” and a method of demonstrating proof to victims that the cybercriminals can de-encrypt files.

Recent instances of Python malware, such as PWOBot, Zimbra, HolyCrypt, and Fs0ciety Locker, have been on the rise.

Despite the problems listed, the CryPy ransomware's sophisticated encryption process makes it difficult to decrypt files and could potentially defeat anti-ransomware software, like the prototype created by researchers at the University of Florida and Villanova University in July.

Barak said he has not seen “any clear indicator that the threat actor is based in Israel” other than the researchers' claim that the threat actor is Hebrew-speaking.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.