A new ransomware has been discovered by AVG malware analyst @JakubKroustek called HolyCrypt. This ransomware is written in Python and compiled into a Windows executable using PyInstaller. This allows the developer to distribute all of the necessary Python files as a single executable.
The particular sample that Jakub discovered appears to be a development version used by the malware developer to test the ransomware. Jakub also discovered that this version has a static password of test that is used to encrypt the files. At this time it is unknown if the password will be dynamically generated in future versions.
How HolyCrypt encrypts a victim’s Data
This version of HolyCrypt will only encrypt files located under the %UserProfile% folder and will only encrypt certain file extensions. These extensions are:
When encrypting a file, HolyCrypt will encrypt it using the AES encryption algorithm and will prepend the (encrypted) string to the filename. For example, test.jpg would be encrypted as (encrypted)test.jpg.
When done, it will create an alert.jpg file from a base64 encoded string contained in the Python script and save it to the same location that the ransomware was executed from. This alert.jpg will then be set as the Windows desktop wallpaper and act as the ransom note.
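The two on-disk artifacts described above, the (encrypted) filename prefix and the dropped alert.jpg, are enough to triage a suspected infection. The following Python script is an added example, not code from the write-up or from the ransomware: it walks a profile directory, inventories prefixed files, recovers their original names and extensions, and flags whether both indicators are present. The sample directory tree it builds is constructed data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Naming convention from the write-up: HolyCrypt prepends this to every file it
# encrypts and drops alert.jpg as the ransom note that becomes the wallpaper.
ENCRYPTED_PREFIX = "(encrypted)"
RANSOM_NOTE = "alert.jpg"


def triage_holycrypt(root):
    """Walk `root` (e.g. a copy of %UserProfile%) and inventory HolyCrypt artifacts.

    Returns affected paths, their original names (prefix stripped), a count per
    original extension and the locations of any alert.jpg ransom notes.
    """
    affected, originals, by_ext, notes = [], {}, Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = str(Path(dirpath) / name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.startswith(ENCRYPTED_PREFIX):
                original = name[len(ENCRYPTED_PREFIX):]
                affected.append(path)
                originals[path] = original
                by_ext[Path(original).suffix.lower() or "<none>"] += 1
    return {
        "affected": sorted(affected),
        "originals": originals,
        "by_extension": dict(by_ext),
        "ransom_notes": sorted(notes),
        # Both indicators together are a far stronger signal than either alone.
        "likely_holycrypt": bool(affected) and bool(notes),
    }


def build_constructed_profile():
    """Create a throwaway directory mimicking a hit %UserProfile% (constructed data)."""
    base = Path(tempfile.mkdtemp(prefix="holycrypt_demo_"))
    for rel in ["Pictures/(encrypted)test.jpg", "Pictures/(encrypted)holiday.jpg",
                "Documents/(encrypted)report.docx", "Documents/untouched.txt",
                "Desktop/alert.jpg"]:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    return base


def demo():
    """Build the constructed tree, triage it and return the report."""
    return triage_holycrypt(build_constructed_profile())
```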
From the test message in the wallpaper, this ransomware intends to use a TOR payment site for its victims. If a TOR payment site is used, then there is a greater chance that the final version will not use a static key, but rather one generated on the TOR payment server. Unfortunately, at this time it is too soon to tell.