CryPy Python ransomware: “just let it run” says security expert


Some new ransomware code, CryPy, developed entirely in Python, has escaped into the wild and it’s a nasty piece of work. This latest entrant in the growing ranks of ‘Pysomware’ joins the likes of HolyCrypt and Fs0ciety Locker.

The difference, however, is that CryPy comes with a rather dangerous new trick in that it encrypts files with unique keys and does so one at a time.  So why is one security expert suggesting the answer to CryPy, and all ransomware, is to just let it run? IT Security Thing reports.

First spotted by Jakub Kroustek, an AVG (or should we say Avast now) researcher, the CryPy ransomware quickly grabbed the attention of the usual suspects of security research. Amongst them, of course, was Kaspersky Labs. An in-depth technical teardown of how CryPy works soon surfaced, courtesy of Ido Naor and Noam Alon. There’s little point us repeating what they have already said, and they deserve credit for the work that has gone into their analysis; so we recommend that you head over and read it when you are done here.

The unique encryption key thing is a distinct disadvantage

While there is no denying how dangerous CryPy could be, what with that ability to encrypt individual files with unique keys, reports are coming in that suggest it’s not as bad as it might have been. SC Magazine has pointed out that the Cybereason CISO, Israel Barak, sees the unique encryption key thing as a distinct disadvantage as it slows down performance and speeds up potential disruption opportunity.

Barak also reckons that there were “significant operational components” missing from the source code. This is important in the overall scheme of things as it suggests that the ransomware was caught early in the distribution and testing cycle, and so has been stopped from gaining broader traction.

That CryPy was spotted so soon, courtesy of a vulnerability in the Magento CMS that enabled an otherwise innocent Israeli-based web server to be compromised as the Command and Control Centre for the ransomware, is a blessing. That same server, by the way, is being used to execute PayPal phishing attacks.

Companies should stop trying to fight an unwinnable battle

Ian Pratt, the founder and president of Bromium admits that CryPy “looks quite nasty” especially with the ability to “selectively unlock files for victims, allowing them to establish trust by unlocking some files for free and perhaps charging different amounts for different files.”

Perhaps surprisingly, Pratt also recommends that “companies stop trying to fight an unwinnable battle” against ransomware. “Our advice” he says “is to just let it run.”

Thankfully there is a critical caveat to that advice: you need to deploy a virtual environment that traps the ransomware. “Using micro-virtualisation whereby every application, programme, even individual web pages, are attached to their own separate server” Pratt concludes “you can just let ransomware run, as it’s completely isolated, with no way of escaping.”

It’s an interesting solution which would certainly, on the face of it, prevent the malicious code from doing any harm to the wider IT ecosystem or spread anywhere beyond the virtual machine on which it runs for that matter. It would, we agree, stop even the most advanced ransomware from encrypting files and so render it harmless. Unfortunately, just getting organisations to understand the basics of secure practice is hard enough, which is why we are in this mess. Selling the idea of micro-virtualisation could well be a tech-step too far for most people.