A nasty virus, called CryPy, reported to use the Python language for it’s script has been detected by malware researchers, using AES-256 cipher to encode files. The encryptes files by this virus have the .cry file extension and in addition to that, the ransomware also changes the file names with random numbers, beginning with the CRY initials. After it’s encryption process is complete, CryPy malware drops a ransom note, called README_FOR_DECRYPT.txt. In this note, the virus also notifies that it will randomly delete a file every 6 hours if a ransom payoff to the cyber-criminals has not been made to restore the files. Anyone whose computer has been attacked by this devastating ransomware virus should not pay any ransom money and immediately remove the CryPy virus using the instructions in this article to avoid further file deletion. Furthermore, instead of paying the ransom, you can counter attack it and try to restore your files using alternative methods such as the ones suggested below.
Follow this article for more information to be updated soon.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key for each file available to the cyber-criminals.|
|Symptoms||CryPy Ransomware leaves a “README_FOR_DECRYPT.txt” ransom note and may delete random files from your computer if the terms in the note are not met. Changed file names and the various file extensions may be used.|
See If Your System Has Been Affected by CryPy
Malware Removal Tool
|User Experience||Join our forum to Discuss CryPy Ransomware.|
CryPy Ransomware – How Does It Perform an Infection
This devastating threat is strongly believed to use a combination of tools that conceal it from any firewall and most conventional antivirus programs on a victim computer. One of those tools may be a malicious e-mail attachment tricking the user into opening it. Such attachments may be fake .PDF or Microsoft Office documents that when opened can cause the infection. The documents seem to be from a legitimate sender, and the e-mail aims to convince the user that they are of an important nature.
But attachments may not be the only method for spreading malicious files. Malicious web links posted on social media and other websites are also reported to cause infections by a drive-by-download after a malicious browser redirect. Such malicious web sites may be presented to the user in the form of an advertisement(malvertising) that is displayed as a pop-up or a direct browser redirect as a result of adware (PUP) installed on the victim’s computer.
CryPy Ransomware In Detail
When CryPy ransomware Is activated on the computer of it’s victim, the ransomware virus is believed to perform several different activities, to collect information about the compromised system and send it to the C&C servers of the virus.
Then the CryPy virus may drop it’s payload by contacting its server and downloading it from there. The payload may be one or more files of the following file types:
After the payload of CryPy has been dropped, the virus may begin to modify numerous of settings, such as modify the Windows Registry Editor so that the malicious executables run on system startup. The usually targeted registry keys for this are:
After this has been conducted, the Virus may begin to encrypt the files on the compromised computer. It may scan for wide variety of file extensions to encrypt but the CryPy ransomware is mainly programmed to scan for and encrypt often used types of files, such as:
All types of documents opened with Microsoft Office, Adobe, Photoshop and other software.
As soon as the virus detects that a file has been found, it performs the following activities:
The specific thing about this virus is that it connects to the sever every time one file is encrypted, generates a unique key for that file and sends it to the cyber-crooks. This means that if you have 100 files, it will contact the server 100 times.
The encrypted files by CryPy ransomware are enciphered with a very strong AES (Advanced Encryption Standard) algorithm. They can no longer be opened by any program because their code structure has changed. In addition to this, the virus not only adds it’s distinctive .cry file extension, but it also changes the file names, for example:
This is very similar to other ransomware viruses using the same extensions, such as the Central Security Treatment Organization Ransomware.
After enciphering the files of the infected computer, CryPy ransomware adds a Halloween style picture on the victim’s computer and adds a “README_FOR_DECRYPT.txt” ransom note which it automatically opens. The ransom note has the following message to the victims CryPy:
CryPy Ransomware – Summary, Removal, and File Restoration
In case you want to restore your files, first, it is important to remove the CryPy virus from your computer. To do this, it is strongly advisable to follow the step-by-step instructions below. They are methodologically organized to assist you in removing CryPy ransomware completely from your computer. Furthermore, malware researchers also recommend using an advanced anti-malware software that will assist you into swiftly and automatically erasing all files associated with this malware.
If you are looking for methods to restore .cry encrypted files, at this point, there is no decryptor available for free. However, you can try the alternative methods illustrated in step “3. Restore files encrypted by CryPy” below.
Manually delete CryPy from your computer
Note! Substantial notification about the CryPy threat: Manual removal of CryPy requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
Automatically remove CryPy by downloading an advanced anti-malware program
How to Find Decryption Key for Files Encrypted By CryPy Ransomware
We have designed to make a tutorial which is as simple as possible to theoretically explain how could you detect your decryption key. Find out how