HolyCrypt is a ransomware that encrypts files.
This ransomware is written in Python and compiled into a Windows executable using PyInstaller. This allows the developer to distribute all of the necessary Python files as a single executable.
This version of HolyCrypt will only encrypt files located under the %UserProfile% folder, and only files with certain extensions. These extensions are:
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd
When encrypting a file, HolyCrypt will encrypt it using the AES encryption algorithm and will prepend the string (encrypted) to the filename. For example, test.jpg would be encrypted as (encrypted)test.jpg.
When done, it will create an alert.jpg file from a base64-encoded string contained in the Python script and save it to the same location that the ransomware was executed from.
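A triage sketch for the indicators described above, as an added example and not code from the ransomware or from this write-up: it walks a directory tree and buckets files by the (encrypted) prefix, the targeted extension list and the alert.jpg note. Case-insensitive extension matching, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Marker and extension list exactly as given on this page.
MARKER = "(encrypted)"
TARGET_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
               ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
               ".aspx", ".html", ".xml", ".psd"}


def _targeted(name):
    # Assumption: extension matching is treated as case-insensitive.
    return os.path.splitext(name)[1].lower() in TARGET_EXTS


def scan(root):
    """Walk root and sort files into triage buckets.

    encrypted : (path, original_name) for files renamed with the marker
    intact    : targeted-extension files that were not renamed
    note      : alert.jpg files (saved where the executable was run from)
    """
    report = {"encrypted": [], "intact": [], "note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.startswith(MARKER) and _targeted(name[len(MARKER):]):
                report["encrypted"].append((path, name[len(MARKER):]))
            elif name.lower() == "alert.jpg":
                report["note"].append(path)
            elif _targeted(name):
                report["intact"].append(path)
    return report


def build_sample_profile(root):
    """Create a constructed directory tree that mimics an affected profile."""
    layout = ["Documents/(encrypted)budget.xlsx", "Documents/notes.md",
              "Pictures/(encrypted)test.jpg", "Pictures/holiday.PNG",
              "Downloads/alert.jpg", "Downloads/(encrypted)setup.exe"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for bucket, items in scan(tmp).items():
            print(bucket, len(items))
```

Targeted files left in the "intact" bucket suggest the run was interrupted or the files were created afterwards, and the folder holding alert.jpg is where to look for the executable.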