HolyCrypt is Python ransomware that was recently discovered by AVG malware analyst Jakub Kroustek. The ransomware is written in Python and packaged into a Windows executable using PyInstaller. The name of the ransomware is derived from the name of the embedded script, which is “holycrypt-v0.3.py”.
At the current time, the ransomware is rumored to be a development version that is being used for testing.
Like most ransomware, HolyCrypt will encrypt the files on your computer and add a new string to the filenames. It prepends (encrypted) to the name of each file it encrypts. For example, image.jpg would become (encrypted)image.jpg.
When the ransomware has finished encrypting files, it will produce an image file named alert.jpg from a base64-encoded string contained in the Python script. It will save the image to the same location that the ransomware was initially executed from. The alert.jpg image is used to replace your desktop background and contains a ransom note that describes what happened to your files and how to pay the ransom to obtain your private key.
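The two filename indicators described above can be checked during triage. The following is an added example, not code from the original article or from the malware: it walks a directory tree, lists files carrying the (encrypted) prefix together with their original names, and flags any alert.jpg, whose location points to the directory the executable was launched from. The function names `triage` and `build_sample_tree` are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile
from collections import Counter

MARKER = "(encrypted)"   # filename prefix described in the article
NOTE_NAME = "alert.jpg"  # ransom-note image described in the article

def triage(root):
    """Walk root and report HolyCrypt filename indicators (file contents are not read)."""
    renamed, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # Windows filenames are case-insensitive
            if lower.startswith(MARKER) and len(name) > len(MARKER):
                # Strip the prefix to recover the name the file had before renaming
                renamed.append((os.path.join(dirpath, name), name[len(MARKER):]))
                per_dir[dirpath] += 1
            elif lower == NOTE_NAME:
                # A lead, not proof: the note is written next to the executable
                notes.append(os.path.join(dirpath, name))
    return {"renamed": sorted(renamed), "notes": sorted(notes), "per_dir": dict(per_dir)}

def build_sample_tree(root):
    """Constructed sample data: empty files named the way the article describes."""
    layout = {
        "Pictures": ["(encrypted)image.jpg", "(Encrypted)scan.PNG", "untouched.gif"],
        "Docs": ["(encrypted)report.docx", "notes (encrypted).txt"],
        "Downloads": ["alert.jpg", "setup.exe"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        for path, original in report["renamed"]:
            print(f"renamed: {path} (original name: {original})")
        for path in report["notes"]:
            print(f"note image, likely launch directory: {path}")
```

The per-directory counts in the returned report give a quick view of how far the renaming spread before the process stopped.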