AVG malware analyst @JakubKroustek has discovered a new ransomware called HolyCrypt. This ransomware is written in Python and compiled into a Windows executable using PyInstaller, which allows the developer to distribute all of the necessary Python files as a single executable.
The particular sample that Jakub discovered appears to be a development version used by the malware developer to test the ransomware. Jakub also discovered that this version uses a static password of "test" to encrypt the files. At this time it is unknown if the password will be dynamically generated in future versions.
How HolyCrypt encrypts a victim’s data
This version of HolyCrypt will only encrypt files located under the %UserProfile% folder and will only encrypt certain file extensions. These extensions are:
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd
When encrypting a file, HolyCrypt will encrypt it using the AES encryption algorithm and will prepend the string (encrypted) to the filename. For example, test.jpg would be encrypted as (encrypted)test.jpg.
When done, it will create an alert.jpg file from a base64 encoded string contained in the Python script and save it to the same location that the ransomware was executed from. This alert.jpg will then be set as the Windows desktop wallpaper and act as the ransom note.
From the test message in the wallpaper, this ransomware intends to use a TOR payment site for its victims. If a TOR payment site is used, then there is a greater chance that the final version will not use a static key, but rather one generated on the TOR payment server. Unfortunately, at this time it is too soon to tell.
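The naming pattern and ransom note described above can be turned into a quick triage check of a user profile. The following is an added example, not code from the ransomware or from the analyst; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Extensions, filename prefix and note name as listed in the article.
TARGET_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
               ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
               ".aspx", ".html", ".xml", ".psd"}
PREFIX = "(encrypted)"
NOTE_NAME = "alert.jpg"


def triage(root):
    """Walk root; return {'renamed': [(path, original_name)], 'notes': [path]}."""
    renamed, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                # Candidate ransom-note wallpaper; its folder is where the sample ran.
                notes.append(path)
            elif lower.startswith(PREFIX):
                original = name[len(PREFIX):]
                ext = os.path.splitext(original)[1].lower()
                # Flag only when the remaining name carries a targeted extension.
                if ext in TARGET_EXTS:
                    renamed.append((path, original))
    return {"renamed": sorted(renamed), "notes": sorted(notes)}


def build_sample_tree(root):
    """Create a constructed sample tree of empty files for the demo."""
    names = ["Documents/(encrypted)report.docx", "Documents/notes.txt",
             "Pictures/(encrypted)test.jpg", "Pictures/(encrypted)movie.mp4",
             "Downloads/alert.jpg"]
    for rel in names:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        for path, original in result["renamed"]:
            print("encrypted copy:", path, "(original name: %s)" % original)
        for path in result["notes"]:
            print("possible ransom note:", path)
```

On a real host, pass the profile directory (for example the value of %UserProfile%) to triage(); a file named alert.jpg on its own is weak evidence and matters mainly alongside renamed files.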