CryPy targets Windows OS and its method of distribution is currently unknown. It encrypts files using AES-256 and renames encrypted files beginning with the letters CRY, followed by a long string of random characters, and appending .cry to the new file name. CryPy’s C2 server is responsible for generating each new file name and a random 32-character password for each encrypted file. This requires CryPy to initiate a connection to the server after each file is encrypted, which delays the encryption process but also protects the keys and the key generation routine from the attacker’s adversaries. The ransom payment amount is currently unknown. CryPy threatens to permanently delete a random file for every six hours the ransom is not paid. After 96 hours, CryPy claims it will permanently delete the decryption keys, making file recovery impossible.


  • Bleeping Computer provides more information about CryPy here.

  • The NJCCIC is not currently aware of any free decryption tools available for CryPy.
Ransomware VariantsNJCCICCryPy