Ransomware has been one of the top threats to organizations, contributing several millions of dollars to multiple organizations worldwide.
Most of these ransomware operators infiltrate the systems, steal sensitive data, and lock the systems with ransomware.
There have been a variety of ransomware activities in the past, such as WannaCry, GandCrab, and many others.
Most of the ransomware operators use custom-written ransomware for their operations. However, there has been a rise in Python-based ransomware variants in recent years.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
New Python Ransomware
According to the K7 labs report, a recent ransomware sample was found and investigated. It turned out to be written in Python, which is not common. The ransomware binary was checked in VirusTotal and was detected by 47 antivirus providers.
The malicious file was found to be an executable file compiled in C++. Moreover, the executable file had a PDF icon as a means of disguising its original extension. To further investigate, the malicious PDF file was extracted with pyinstxtractor. Further analysis revealed the main source code file under the name “grinchv3.pyc”.
Behavioral Analysis
The script was written with several lines of code under a single class named “sweet.” The __init__ function of the class gathers additional information and performs the following functions.
- Fetches the current user of the victim machine
- Drive partition scanning (A:\ to Z:\ is scanned)
- Determining the Type of files to encrypt
Moreover, the encryption is started only after adding the unlock notes under the name “UNLOCK MY FILES.txt” on all the file paths that are about to be encrypted. For encryption, the Fernet Python cryptography module was used. After encrypting, a pop-up message is configured to be shown to the user.
All the encrypted files are under the extension “.enc” and remain unreadable after the ransomware encrypts them. Furthermore, the ransom notes include the email address of the attacker to contact for decryption.
K7 Security Labs has published a complete report about this new Python ransomware variant. It provides detailed information about this new Python-based ransomware source code, encryption methodology, and experimental and behavioral analysis.
Indicators of Compromise
Hash | Detection Name |
C967B8198501E3CE3A0E323B37D94D15 | Trojan ( 005af6051 ) |