A nasty virus, called CryPy, reported to use the Python language for it’s script has been detected by malware researchers, using AES-256 cipher to encode files. The encryptes files by this virus have the .cry file extension and in addition to that, the ransomware also changes the file names with random numbers, beginning with the CRY initials. After it’s encryption process is complete, CryPy malware drops a ransom note, called README_FOR_DECRYPT.txt. In this note, the virus also notifies that it will randomly delete a file every 6 hours if a ransom payoff to the cyber-criminals has not been made to restore the files. Anyone whose computer has been attacked by this devastating ransomware virus should not pay any ransom money and immediately remove the CryPy virus using the instructions in this article to avoid further file deletion. Furthermore, instead of paying the ransom, you can counter attack it and try to restore your files using alternative methods such as the ones suggested below.
Follow this article for more information to be updated soon.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key for each file available to the cyber-criminals.|
|Symptoms||CryPy Ransomware leaves a “README_FOR_DECRYPT.txt” ransom note and may delete random files from your computer if the terms in the note are not met. Changed file names and the various file extensions may be used.|
|Detection Tool|| See If Your System Has Been Affected by CryPy |
Malware Removal Tool
|User Experience||Join our forum to Discuss CryPy Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
CryPy Ransomware – How Does It Perform an Infection
This devastating threat is strongly believed to use a combination of tools that conceal it from any firewall and most conventional antivirus programs on a victim computer. One of those tools may be a malicious e-mail attachment tricking the user into opening it. Such attachments may be fake .PDF or Microsoft Office documents that when opened can cause the infection. The documents seem to be from a legitimate sender, and the e-mail aims to convince the user that they are of an important nature.
But attachments may not be the only method for spreading malicious files. Malicious web links posted on social media and other websites are also reported to cause infections by a drive-by-download after a malicious browser redirect. Such malicious web sites may be presented to the user in the form of an advertisement(malvertising) that is displayed as a pop-up or a direct browser redirect as a result of adware (PUP) installed on the victim’s computer.
CryPy Ransomware In Detail
When CryPy ransomware Is activated on the computer of it’s victim, the ransomware virus is believed to perform several different activities, to collect information about the compromised system and send it to the C&C servers of the virus.
Then the CryPy virus may drop it’s payload by contacting its server and downloading it from there. The payload may be one or more files of the following file types:
After the payload of CryPy has been dropped, the virus may begin to modify numerous of settings, such as modify the Windows Registry Editor so that the malicious executables run on system startup. The usually targeted registry keys for this are:
After this has been conducted, the Virus may begin to encrypt the files on the compromised computer. It may scan for wide variety of file extensions to encrypt but the CryPy ransomware is mainly programmed to scan for and encrypt often used types of files, such as:
All types of documents opened with Microsoft Office, Adobe, Photoshop and other software.
As soon as the virus detects that a file has been found, it performs the following activities:
The specific thing about this virus is that it connects to the sever every time one file is encrypted, generates a unique key for that file and sends it to the cyber-crooks. This means that if you have 100 files, it will contact the server 100 times.
The encrypted files by CryPy ransomware are enciphered with a very strong AES (Advanced Encryption Standard) algorithm. They can no longer be opened by any program because their code structure has changed. In addition to this, the virus not only adds it’s distinctive .cry file extension, but it also changes the file names, for example:
This is very similar to other ransomware viruses using the same extensions, such as the Central Security Treatment Organization Ransomware.
After enciphering the files of the infected computer, CryPy ransomware adds a Halloween style picture on the victim’s computer and adds a “README_FOR_DECRYPT.txt” ransom note which it automatically opens. The ransom note has the following message to the victims CryPy:
CryPy Ransomware – Summary, Removal, and File Restoration
In case you want to restore your files, first, it is important to remove the CryPy virus from your computer. To do this, it is strongly advisable to follow the step-by-step instructions below. They are methodologically organized to assist you in removing CryPy ransomware completely from your computer. Furthermore, malware researchers also recommend using an advanced anti-malware software that will assist you into swiftly and automatically erasing all files associated with this malware.
If you are looking for methods to restore .cry encrypted files, at this point, there is no decryptor available for free. However, you can try the alternative methods illustrated in step “3. Restore files encrypted by CryPy” below.