PyCrypter is a ransomware variant written in Python whose source code is publicly available. PyCrypter establishes persistence so that it runs automatically on startup, and it reads web browser data. It also deletes volume shadow copies by means of scheduled tasks so that the encrypted data cannot easily be restored. Below is a screenshot of the ransom note displayed by PyCrypter Ransomware.
Figure 1: Screenshot of the ransom note
This post serves to inform our customers about detection and protection capabilities within the VMware Carbon Black suite of products against PyCrypter Ransomware.
PyCrypter variants will perform the following behavior:
Figure 2: Event log from Cloud Enterprise EDR (CB ThreatHunter)
Figure 3: Event log from Cloud Enterprise EDR (CB ThreatHunter) showing PyCrypter appending “.hitman” as the file extension on encrypted files.
Figure 4: Screenshot of the PyCrypter-created file “runtime.cfg”
dat, 3dm, 3g2, rtf, xltx, wma, class, rar, keychain, 3ds, 3gp, tex, prn, msi, cpp, tar, sdf, max, asf, wpd, dif, php, cs, 7z, vcf, obj, flv, wps, slk, apk, h, cbr, jpg, dds, m4v, csv, xlam, app, java, deb, png, psd, mov, ged, xla, bat, lua, gz, tiff, tga, mpg, key, ods, cgi, pl, pkg, tif, thm, rm, pps, docm, com, py, rpm, gif, tif, srt, ppt, dotx, asp, sh, zipx, jpeg, tiff, swf, pptx, dotm, aspx, sln, iso, jif, yuv, vob, xml, xps, cer, swift, ged, jfif, ai, wmv, json, ics, cfm, vb, accdb, jp2, eps, doc, xlsx, mp3, css, vcxproj, db, jpx, ps, docx, xlsm, aif, htm, dem, dbf, j2k, svg, txt, xlsb, iff, html, gam, mdb, j2c, indd, xls, m3u, js, nes, sql, fpx, pct, log, mht, m4a, jsp, rom, fnt, pcd, mp4, msg, mhtml, mid, rss, sav, fon, bmp, avi, odt, htm, mpa, xhtml, tgz, otf, svg, mkv, pages, html, wav, c, zip, ttf, cfg, ini, prf, bak, old, tmp, torrent
Figure 5: Event log from Cloud Enterprise EDR (CB ThreatHunter) showing PyCrypter creating additional files.
The following is a screenshot of the Cloud Enterprise EDR (CB ThreatHunter) process chart for PyCrypter.
Figure 6: Process chart for PyCrypter
In addition, VMware Carbon Black Cloud Endpoint Standard (CB Defense) displays the TTPs triggered by the malware:
| TID | Tactic | Technique |
|---|---|---|
| T1045 | Defense Evasion | Software Packing |
| T1143 | Defense Evasion | Hidden Window |
| T1083 | Discovery | File and Directory Discovery |
| T1060 | Persistence | Registry Run Keys / Startup Folder |
| T1112 | Defense Evasion | Modify Registry |
| T1036 | Defense Evasion | Masquerading |
| T1053 | Execution, Privilege Escalation, Persistence | Scheduled Task |
| T1119 | Collection | Automated Collection |
| T1081 | Credential Access | Credentials in Files |
| T1005 | Collection | Data from Local System |
| T1486 | Impact | Data Encrypted for Impact |
| T1056 | Collection, Credential Access | Input Capture |
| T1490 | Impact | Inhibit System Recovery |
| T1485 | Impact | Data Destruction |
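The behaviours listed above (mass renaming to “.hitman”, creating runtime.cfg, Run-key persistence, and a scheduled task used to remove shadow copies) can be correlated per process so that a single benign match does not raise an alert. The following is an added example written for this post, not code from the original post or from Carbon Black; it assumes a simplified, constructed event schema (pid, type, path or cmdline) rather than the real EDR event format, and the thresholds are assumptions.

```python
from collections import defaultdict
# Behaviours the post attributes to PyCrypter; the thresholds below are our own assumptions.
HITMAN_EXT = ".hitman"             # extension appended to encrypted files (Figure 3)
CONFIG_NAME = "runtime.cfg"        # file PyCrypter creates (Figure 4)
RUN_KEY = "\\currentversion\\run"  # autorun registry location (T1060 in the TTP table)
MIN_RENAMES = 3                    # .hitman writes per process before calling it mass encryption
MIN_BEHAVIOURS = 2                 # distinct behaviours required before a process is flagged

def behaviours(events):
    """Return the set of PyCrypter-like behaviours seen in one process's events."""
    seen, renames = set(), 0
    for e in events:
        path, cmd = e.get("path", "").lower(), e.get("cmdline", "").lower()
        if e["type"] == "filemod" and path.endswith(HITMAN_EXT):
            renames += 1
        elif e["type"] == "filemod" and path.endswith(CONFIG_NAME):
            seen.add("runtime_cfg_created")
        elif e["type"] == "regmod" and RUN_KEY in path:
            seen.add("run_key_persistence")
        elif e["type"] == "childproc" and "schtasks" in cmd and "shadow" in cmd:
            seen.add("schtask_shadow_copy_removal")  # T1053 used to carry out T1490
    if renames >= MIN_RENAMES:
        seen.add("mass_rename_hitman")
    return seen

def triage(events):
    """Group events by pid and return {pid: behaviours} for processes over the threshold."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        found = behaviours(evs)
        if len(found) >= MIN_BEHAVIOURS:
            flagged[pid] = found
    return flagged

# Constructed sample events in a simplified schema; not the Carbon Black event format.
# The scheduled-task command is a placeholder, not a real command line.
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "filemod", "path": r"C:\Users\a\Desktop\budget.xlsx.hitman"},
    {"pid": 4242, "type": "filemod", "path": r"C:\Users\a\Documents\thesis.docx.hitman"},
    {"pid": 4242, "type": "filemod", "path": r"C:\Users\a\Pictures\cat.jpg.hitman"},
    {"pid": 4242, "type": "filemod", "path": r"C:\Users\a\AppData\Local\Temp\runtime.cfg"},
    {"pid": 4242, "type": "regmod", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"pid": 4242, "type": "childproc", "cmdline": 'schtasks /create /tn upd /tr "<shadow copy removal command>"'},
    {"pid": 7001, "type": "filemod", "path": r"C:\Program Files\Tool\runtime.cfg"},  # lone cfg write, not flagged
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # only pid 4242 is flagged
```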
| Indicator | Type | Context |
|---|---|---|
| 4c0424fa3d761aa5bf79e3c61ab5880540d38c4fff7a241b1ef7113e3f1428d3 | SHA-256 | PyCrypter Ransomware |
| 3682a60045347162d752932e2169a41d | MD5 | PyCrypter Ransomware |