Keypoints
- Ransomware was distributed as a Windows executable compiled with Microsoft Visual C++ but contains Python code extracted from grinchv3.pyc.
- The malware copies itself into the user’s Startup folder to achieve persistence across reboots.
- On execution it enumerates drive letters (A:–Z:) and scans directories for target file types to encrypt.
- It drops a ransom note file named “UNLOCK MY FILES.txt” into each scanned directory before encryption.
- Files are encrypted using the Python cryptography module’s Fernet symmetric-key routine and renamed with a .enc extension.
- After encryption the binary shows a popup ransom message repeatedly (ten times) and then sleeps.
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution – Malware achieves persistence by copying itself to the user’s Startup folder. (‘self copies itself to the startup folder for persistence’)
- [T1486] Data Encrypted for Impact – The payload encrypts user files using the Fernet symmetric key algorithm and appends a .enc extension. (‘Fernet symmetric key encryption algorithm to encrypt the data’)
- [T1083] File and Directory Discovery – The code scans drive partitions and enumerates directories to locate files to encrypt (A: to Z:). (‘scanning drive partitions (almost it scans for all the drive names starting from A: to Z:)’)
- [T1204.002] User Execution: Malicious File – The executable uses a PDF icon to entice users to run the payload. (‘The PDF icon of the executable file, … may not arouse the suspicion of the user and the user may click the file’)
- [T1036] Masquerading – Uses a legitimate-looking PDF icon and an executable wrapper to disguise the malicious intent. (‘The PDF icon of the executable file, … may not arouse the suspicion of the user’)
Indicators of Compromise
- [File Hash] sample detection – C967B8198501E3CE3A0E323B37D94D15 (reported detection: Trojan (005af6051)).
- [File Name] ransom note / entrypoint – UNLOCK MY FILES.txt (ransom note dropped in directories), grinchv3.pyc (extracted entrypoint module).
- [File Extension] encrypted artifacts – .enc appended to encrypted files (example view shown in analysis).
- [File Path] persistence location – C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (self-copied startup path for persistence).
The technical investigation began by extracting the embedded Python code from the Windows executable with pyinstxtractor, which revealed a likely entry module named grinchv3.pyc; this was decompiled to .py for review. The executable itself was compiled with Microsoft Visual C++ and carried a PDF icon to encourage the user to run it. Once executed, the Python code centralizes its routines in a class named “sweet”, whose __init__ gathers the current user name, configures the target file types, and enumerates drive letters A: through Z: to build the list of files to process.
For persistence the malware copies itself into the user’s Startup folder (the analysis observed placement under the user’s AppData Roaming Start Menu Programs Startup path). Before encrypting, it writes a ransom note file named “UNLOCK MY FILES.txt” into each directory it will process. Encryption uses the Python cryptography library’s Fernet symmetric-key function with a configured key; encrypted files are renamed with an added .enc extension. After completing encryption, the binary displays a popup ransom message repeatedly (ten iterations) and then sleeps.
Experimental execution confirmed the behavior: the sample made itself persistent in the startup folder, renamed target files to include the .enc extension, and left UNLOCK MY FILES.txt ransom notes in affected folders. The published IOC set includes the sample hash C967B8198501E3CE3A0E323B37D94D15 and the filenames noted above, which defenders can use to hunt or block variants.
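As an added triage example (written here, not code from the K7 report), the script below walks a directory tree and the user's Startup folder for the indicators listed above: the ransom note name, the .enc extension, the sample MD5, and an executable dropped into Startup. The "gAAAAA" check is an assumption of mine based on the Fernet token layout (version byte 0x80 followed by a 64-bit timestamp whose high bytes are zero), and the sample profile it scans is constructed inline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the analysis above
RANSOM_NOTE = "UNLOCK MY FILES.txt"
ENCRYPTED_EXT = ".enc"
SAMPLE_MD5 = "c967b8198501e3ce3a0e323b37d94d15"
STARTUP_SUBPATH = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
# A Fernet token starts with version byte 0x80 and a big-endian 64-bit timestamp whose
# high bytes are zero, so its base64 form always begins "gAAAAA" (a cheap triage heuristic)
FERNET_PREFIX = b"gAAAAA"


def scan_for_indicators(root, home):
    """Walk `root` plus the Startup folder under `home`; return every indicator found."""
    found = {"ransom_notes": [], "enc_files": [], "fernet_like": [], "hash_matches": [], "startup_exes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(p)
            elif p.suffix.lower() == ENCRYPTED_EXT:
                found["enc_files"].append(p)
                with open(p, "rb") as f:          # only the first bytes are needed
                    if f.read(len(FERNET_PREFIX)) == FERNET_PREFIX:
                        found["fernet_like"].append(p)
            elif p.suffix.lower() == ".exe" and hashlib.md5(p.read_bytes()).hexdigest() == SAMPLE_MD5:
                found["hash_matches"].append(p)
    startup = Path(home) / STARTUP_SUBPATH
    if startup.is_dir():   # persistence check: any executable dropped into Startup
        found["startup_exes"] = sorted(q for q in startup.iterdir() if q.suffix.lower() == ".exe")
    return found


def build_constructed_profile():
    """Constructed sample data, not a real infection: a fake profile as left after the run."""
    base = Path(tempfile.mkdtemp())
    docs = base / "Documents"
    docs.mkdir()
    (docs / RANSOM_NOTE).write_text("constructed ransom note")
    (docs / "report.docx.enc").write_bytes(b"gAAAAABconstructed-token-body")  # Fernet-shaped
    (docs / "notes.txt").write_text("untouched file")                       # must not be flagged
    startup = base / STARTUP_SUBPATH
    startup.mkdir(parents=True)
    (startup / "invoice.exe").write_bytes(b"MZ constructed stub, not the sample")
    return base
```

Point `scan_for_indicators` at a mounted image or a user profile root to hunt for the same footprint on a real host; the constructed profile is only there so the script runs offline.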
Read more: https://labs.k7computing.com/index.php/pythons-byte-the-rise-of-scripted-ransomware/