Security Audit

Our Web Application Pentest ( WAP) attempts to address the Owasp top 10 & SANS top 20 web application vulnerabilities and other exploitable loopholes of your web application . Along with it our WAP team also test web applications for Business logic flaws that can directly or indirectly effect the functioning of application.


We are here to help you solve your biggest query- where and how to start? CDI has brought various courses in Ethical Hacking in Chandigarh where all you technology lovers will be given the much needed push to move forward and create a niche for yourself in the field. From Beginner to Expert level we have many kinds of training patterns.

Call Us : +91-771045-0011 | +91-771045-0022

Python Based Ransomware CryPy uses Different Unique Key to Decrypt Each File!



There is a number of Ransomware, which had been written in Python by its authors. HolyCrypt, Fs0ciety Locker, and Zimbra are some of its examples. These ransomware are using only one unique to decrypt all the encrypted files. A new CryPy named ransomware has been detected by security researchers of Kaspersky. It is a Python based ransomware. It is different from all other ransomware because it uses a different unique key for each encrypted file.


How CryPy Works?

CryPy ransomware is mainly using following two python executable files:




The file has been written by hackers for error-logging on targeted windows platforms. On the other hand, file is capable of encrypting all the files on a server. We can say, the second file is a locker in actual. Hackers are controlling this ransomware, through remote commands. CryPy sends victim ID and file to the server. After receiving that files, initially, the server encrypts the files and then generates a unique key to decrypt these files. The server immediately sends the unique key towards CryPy.



The most interesting fact is, “Hackers are not demanding money to decrypt the files. They are providing these unique keys in free”.


How Hackers Are Controlling CryPy?

According to security researchers at Kaspersky Security Labs, This ransomware is interacting with an Israeli server. That Israeli server has been compromised by hackers by exploiting a common Magento vulnerability. By doing this, hackers managed to upload PHP shell script to the server. Some hard coded scripts have also been uploaded by the hackers to the vulnerable server for transfer data in clear text. These codes are helpful to hackers for performing MITM (Man in the Middle) attack also. Cyber Criminals behind this ransomware, are controlling it through command and control servers. Hackers were also using this server to do phishing attacks. These phishing attacks were related to PayPal and hackers were using Israel’s “Hebrew” language to design those pages.


Read about that Phishing PayPal Scam here:​


After stealing login credentials of PayPal users, hackers were forwarding it to another remote server. This remote server was located in Mexico. Hackers were using the same technique to control this server. But this server was not using Magento. Hackers often use, these type of tricks to make the connection more complex. It helps them to hide their command servers from investigators.

Source: Kaspersky Security labs


Similar Articles:

What is Ransomware?

FairWare Ransomware is Deleting Files From Linux Servers and Asking For Money!

Bye Bye Ransomwares! Now We have Crypto Drop! 

Leave a Reply

Email id
Contact No

See more of Cyber Intelligence by logging in.
Connect with cyber security experts,Discover job opportunities,Online Training, Information Security Advisory and lot more.