

HolyCrypt is a ransomware that encrypts files.

Payload

This ransomware is written in Python and compiled into a Windows executable using PyInstaller. This allows the developer to distribute all of the necessary Python files as a single executable. 

This version of HolyCrypt will only encrypt files located under the %UserProfile% folder and will only encrypt certain file extensions. These extensions are:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, 
.odt, .jpg, .png, .csv, .sql, .mdb, .sln, 
.php, .asp, .aspx, .html, .xml, .psd

When encrypting a file, HolyCrypt uses the AES encryption algorithm and prepends the string (encrypted) to the filename. For example, test.jpg would be encrypted as (encrypted)test.jpg.

When done, it will create an alert.jpg file from a base64-encoded string contained in the Python script and save it to the same location that the ransomware was executed from.
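The filename marker, extension list and alert.jpg drop described above are enough to size up an affected profile. The following triage script is an added example, not code from HolyCrypt or from this wiki; the function names and the case-insensitive matching are assumptions made for illustration.

```python
import os
import sys

MARKER = "(encrypted)"      # filename prefix from the description above
NOTE_NAME = "alert.jpg"     # image written next to the executable
TARGET_EXTS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln",
    ".php", ".asp", ".aspx", ".html", ".xml", ".psd",
}

def classify(name):
    """Return 'note', 'encrypted', 'at_risk' or None for one filename."""
    lower = name.lower()  # assumption: match case-insensitively to over-report
    if lower == NOTE_NAME:
        return "note"     # candidate only; marks a possible execution directory
    if os.path.splitext(lower)[1] not in TARGET_EXTS:
        return None       # extension is outside the targeted list
    return "encrypted" if lower.startswith(MARKER) else "at_risk"

def triage(root):
    """Walk root and bucket every file path by classify()."""
    report = {"note": [], "encrypted": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                report[kind].append(os.path.join(dirpath, name))
    for paths in report.values():
        paths.sort()
    return report

def original_name(path):
    """Path the file had before the marker was prepended."""
    head, name = os.path.split(path)
    return os.path.join(head, name[len(MARKER):])

if __name__ == "__main__":
    # Default to the current user's profile, the only tree this version touches.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for kind, paths in triage(root).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

Run it read-only against a mounted image or a copy of the profile; the "at_risk" bucket lists targeted files that were not renamed, and any "note" hit points at a directory worth checking for the executable.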
