In the last week of July, we detected a ransomware named Nopyfy in our customer end. In August 2021, Nopyfy ransomware was uploaded to github as an open-source ransomware project. Hackertback, a hacking tools selling website, sells custom versions of Nopyfy Ransomware with setup guide and support.

Figure 1: Open-source files in github

C2 Analysis

The C2 was active during the time of analysis. We got the hardcoded FTP user credentials from the binary. Using the FTP credentials, we got access to the PHP files which were hosted on it. 

Figure 2: Penetrating C2

This got us curious and we started finding ways to get the victim’s details. But we didn’t have the credentials of the login form in the C2 home page and didn’t have access to the MySQL database.  

Figure 3: C2 Homepage

So, we used the FTP access as a backdoor and modified the PHP file to accept our custom set password. After logging into the site we found the victim’s details. On clicking the Search button, it showed the geolocation of the victims using their IP address. 

Figure 4: Victim’s details

Analysis of Binary 

Nopyfy-Ransomware.exe is .NET compiled. On executing, it creates a new directory “Ransomware” and a hidden directory “Your_data” under the folder “C:\<Default_user>\”. It self-copies to Ransomware directory in the name Virus.exe and continues execution.

Figure 5: Moving the source malware file

File Encryption

It then creates a random password of length 10 bytes which is used as the key for the file encryption. 

Figure 6: Random password generation

It starts to encrypt the files of almost all common extensions in the following system default folders Contacts, Desktop, Documents, Downloads, Pictures, Music, OneDrive, Saved Games, Favorites, Searches, Videos, Links in a default user directory. 

It uses an AES encryption algorithm, with a previously generated random password and hard-coded salt value to generate the key for the file encryption. 

Figure 7: AES encryption

It encrypts all the files and saves it with the .locked extension in the same directory. The demo version of this ransomware which was given on Hackertback website uses the .demo extension for encrypted files. The folders that are to be encrypted are customizable.

Figure 8: File encryption

Ransom Note

After encryption of files, it proceeds to threaten the victims with a ransom note in a text file named READ_IT.txt containing the threat actor’s email, name and ransom amount. The text file is copied to all the encrypting directories.

Figure 9: Ransom note

Then it proceeds to collect the system information like computer name, user name, random password (generated earlier), IP address, and Timedatestamp. The information collected is encrypted using DES encryption with a hard-coded 8 byte key, then the resultant output is encoded with base64 and it is added at the end of READ_IT.txt file. It uses this method to store the details of victims, who were not connected to the internet at the time of execution, the threat actor will ask this encoded string for decryption when the user contacts them.

Figure 10: DES encryption

Data Exfiltration 

Once the victim’s data is encrypted, they then proceed to get full control of them. 

Like the previous process, it collects the system information and encrypts it using DES encryption, and encodes it with base64. Then the encoded string is stored in a victim’s computer and sent to the threat actor twice in two different ways. 

Sending via SMTP

It writes the encoded string in the batch file with the filename format <computer name>-PC File-random text.bat under the path of hidden folder C: \<Default_user>\Your_data\

Figure 11: Stores victim’s details

The first method it uses to send the data to the threat actor is via email. The server address, mail’s to and from address, and its password are hard coded. It uses collected system information as a message body and the batch file name as the mail subject. The batch file is self-copied as a backup in the name Send_it.bat to the execution directory. The server address was not valid and we were not able to analyze further regarding the email. 

Sends to C2 server

After sending the mail, it sends the collected information to the C2 server by using the GET method with the target URL hxxp://stefan-borodiydeeltaa[.]epizy[.]com/Server/write.php which is hard coded. 

Figure 12: Sends to C2 server

Informing the Victim

This is the final function of the Nopyfy ransomware, changing the desktop background. It downloads an image from a hard coded URL and sets the image as a background. Based on the desktop background (changed to Ukrainian flag) and the foreground text, we believe that the threat actor(s) are of Ukrainian origin.

Figure 13: Changing desktop background

We at K7 Labs provide detection for Nopyfy ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.

Indicators of Compromise (IOCs)

File NameHashDetection Name
Nopyfy-Ransomware.exeD977FA1A415C4CBFFb5F61FAD13DC6EATrojan (004ddf631)



Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Say NO to Nopyfy!”