Hackers Utilize Python for Creating New Ransomware

Ransomware remains a significant threat to organizations worldwide, costing millions of dollars in damages and lost revenue. Many operators infiltrate a network, steal sensitive data, and then encrypt the systems, leaving the victim facing both the loss of access and the threat of the stolen data being leaked. Past waves of attacks include the WannaCry and GandCrab families, among others. Traditionally, ransomware has shipped as natively compiled binaries written in languages such as C and C++, but Python-based variants have become noticeably more common in recent years.

A recent report by K7 Labs describes a ransomware sample written in Python, which is unusual for this type of malware. When the sample was checked on VirusTotal, it was flagged by 47 antivirus engines. The file is an executable whose wrapper was identified as C++ code, and it carries a PDF icon so that a casual viewer takes it for a document rather than a program (the icon only disguises the file type to the eye; the real extension is still there for anyone who looks). Unpacking the executable revealed the main payload as compiled Python bytecode named "grinchv3.pyc".

The script is short, with all of its code under a single class named "sweet". Its __init__ method does most of the work: it fetches the current user of the victim machine, enumerates the drive partitions, and decides which file types to encrypt. Before encrypting, it drops unlock (ransom) notes into every path it is about to encrypt. The encryption itself uses Fernet from Python's cryptography package, a symmetric recipe that combines AES-128-CBC with an HMAC-SHA256 tag, so without the key the files cannot be recovered by attacking the cipher. Encrypted files are given the extension ".enc" and are unreadable until decrypted. Finally, the ransomware displays a message to the user; the ransom notes include the attacker's email address to contact for decryption.
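Because Fernet has a fixed, documented token layout, an incident responder can tell which files were actually encrypted with it, when each file was encrypted, and whether a candidate key (for example one recovered from the decompiled .pyc) is the right one, all without decrypting anything. The following triage script is an added example written for this article; it is not code from the K7 report or from the grinchv3 sample, and how that sample generated or stored its key is not described above. The file names, keys and timestamps are constructed for the demo, and the "ciphertext" in the sample tokens is filler rather than real AES output, since the triage only parses the header and verifies the HMAC.

```python
"""Triage helper for files encrypted with Python's Fernet recipe.

Fernet token layout, after URL-safe base64 decoding:
    0x80 | 8-byte big-endian timestamp | 16-byte IV | ciphertext (n*16 bytes) | 32-byte HMAC-SHA256
The HMAC covers everything before it and is keyed with the first 16 bytes of the
32-byte Fernet key; the last 16 bytes are the AES-128-CBC key. Nothing here decrypts.
"""
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

FERNET_VERSION = 0x80
# base64 of 0x80 followed by the zero high-order timestamp bytes: every Fernet
# token with a sane timestamp starts with these six characters.
FERNET_B64_PREFIX = b"gAAAAA"
HEADER_LEN = 1 + 8 + 16  # version | timestamp | IV
TAG_LEN = 32             # HMAC-SHA256


def parse_fernet_token(token: bytes) -> dict:
    """Split a token into its fields; no key needed. Raises ValueError on non-Fernet input."""
    if not token.startswith(FERNET_B64_PREFIX):
        raise ValueError("missing Fernet base64 prefix")
    raw = base64.urlsafe_b64decode(token)  # binascii.Error is a ValueError subclass
    if len(raw) < HEADER_LEN + 16 + TAG_LEN or raw[0] != FERNET_VERSION:
        raise ValueError("bad version byte or truncated token")
    ciphertext = raw[HEADER_LEN:-TAG_LEN]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {
        "timestamp": ts,
        "encrypted_at_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "iv": raw[9:HEADER_LEN],
        "ciphertext_len": len(ciphertext),
        "signed_body": raw[:-TAG_LEN],
        "tag": raw[-TAG_LEN:],
    }


def key_matches(fields: dict, candidate_key_b64: bytes) -> bool:
    """Confirm a candidate Fernet key against a parsed token by recomputing the HMAC.

    A key recovered from the decompiled .pyc can be checked against every .enc
    file this way before any decryption is attempted.
    """
    key = base64.urlsafe_b64decode(candidate_key_b64)
    if len(key) != 32:
        raise ValueError("a Fernet key is 32 bytes, URL-safe base64 encoded")
    expected = hmac.new(key[:16], fields["signed_body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["tag"])


def triage(files: Dict[str, bytes], candidate_key_b64: Optional[bytes] = None) -> Dict[str, dict]:
    """Classify captured file contents (name -> bytes) for an incident timeline."""
    report: Dict[str, dict] = {}
    for name, content in files.items():
        try:
            fields = parse_fernet_token(content)
        except ValueError as exc:
            report[name] = {"fernet": False, "reason": str(exc)}
            continue
        entry = {"fernet": True, "encrypted_at_utc": fields["encrypted_at_utc"],
                 "ciphertext_len": fields["ciphertext_len"]}
        if candidate_key_b64 is not None:
            entry["key_matches"] = key_matches(fields, candidate_key_b64)
        report[name] = entry
    return report


def build_constructed_token(key_b64: bytes, timestamp: int, iv: bytes, filler: bytes) -> bytes:
    """Build a Fernet-shaped token for the demo below.

    The ciphertext field is filler, not real AES output: the triage code only
    parses the layout and verifies the HMAC, so that is all the sample needs.
    """
    if len(iv) != 16 or len(filler) % 16:
        raise ValueError("IV must be 16 bytes and filler a multiple of 16 bytes")
    key = base64.urlsafe_b64decode(key_b64)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + filler
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed sample data for the demo; none of it comes from the K7 report.
RECOVERED_KEY = base64.urlsafe_b64encode(bytes(range(32)))   # hypothetical key pulled from the .pyc
WRONG_KEY = base64.urlsafe_b64encode(bytes(range(32, 64)))   # key from an unrelated sample
SAMPLE_TS = 1672531200                                       # 2023-01-01T00:00:00Z
SAMPLE_FILES = {
    "report.docx.enc": build_constructed_token(RECOVERED_KEY, SAMPLE_TS, b"\x11" * 16, b"\xaa" * 48),
    "notes.txt.enc": build_constructed_token(RECOVERED_KEY, SAMPLE_TS + 7, b"\x22" * 16, b"\xbb" * 16),
    "UNLOCK_NOTE.txt": b"Your files are encrypted. Mail us for the key.",
}

if __name__ == "__main__":
    for name, entry in triage(SAMPLE_FILES, RECOVERED_KEY).items():
        print(f"{name}: {entry}")
```

The HMAC check is the same test Fernet itself applies before decrypting (a wrong key raises InvalidToken), so a key that passes it here will decrypt the file with the real library. The caveat is that this only helps when the key is recoverable: if the ransomware generated a fresh key per victim and sent it only to the attacker, every candidate will fail the check and the timestamps are the only forensic value left in the .enc files.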

K7 Security Labs has published a full report on this Python ransomware variant, covering its source code, its encryption method, and its static and behavioral analysis.

Indicators of Compromise for this variant include the MD5 hash C967B8198501E3CE3A0E323B37D94D15, which K7 detects as Trojan ( 005af6051 ).

The rise of Python-based ransomware presents an evolving threat to organizations and individuals. Python code is easy to modify, so a variant can be reworked quickly to evade signatures, and packaging tools such as PyInstaller can bundle a script into a standalone executable that runs without Python installed on the victim. On the other hand, bundled Python bytecode is comparatively easy to extract and decompile, which helps analysts recover the logic, including how keys are handled, faster than with a hardened native binary. As this threat continues to evolve, organizations should remain vigilant, keep tested offline backups, and implement robust security measures to protect their systems and sensitive data.
