{
	"id": "6c567c3e-b384-480c-85ac-51125a69f356",
	"created_at": "2026-04-10T03:21:03.998768Z",
	"updated_at": "2026-04-10T13:11:49.915456Z",
	"deleted_at": null,
	"sha1_hash": "9001819d3e2f568d3b6382056b91010e50387cdb",
	"title": "Say NO to Nopyfy!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2823334,
	"plain_text": "Say NO to Nopyfy!\r\nPublished: 2022-08-05 · Archived: 2026-04-10 02:45:17 UTC\r\nIn the last week of July, we detected a ransomware named Nopyfy at a customer’s end. In August 2021, Nopyfy ransomware was uploaded to GitHub as an open-source ransomware project. Hackertback, a website that sells hacking tools, sells custom versions of Nopyfy Ransomware with a setup guide and support.\r\nFigure 1: Open-source files in GitHub\r\nC2 Analysis\r\nThe C2 was active at the time of analysis. We got the hardcoded FTP user credentials from the binary. Using the FTP credentials, we got access to the PHP files which were hosted on it.\r\nFigure 2: Penetrating C2\r\nhttps://labs.k7computing.com/index.php/say-no-to-nopyfy/\r\nPage 1 of 7\r\nThis got us curious and we started looking for ways to get the victims’ details. But we didn’t have the credentials for the login form on the C2 home page and didn’t have access to the MySQL database.\r\nFigure 3: C2 Homepage\r\nSo, we used the FTP access as a backdoor and modified the PHP file to accept our own password. After logging into the site we found the victims’ details. On clicking the Search button, it showed the geolocation of the victims using their IP addresses.\r\nFigure 4: Victim’s details\r\nAnalysis of Binary\r\nNopyfy-Ransomware.exe is .NET compiled. On executing, it creates a new directory “Ransomware” and a hidden directory “Your_data” under the folder “C:\\\u003cDefault_user\u003e\\”. It self-copies to the Ransomware directory under the name Virus.exe and continues execution.\r\nFigure 5: Moving the source malware file\r\nFile Encryption\r\nIt then creates a random password of length 10 bytes which is used as the key for the file encryption.\r\nFigure 6: Random password generation\r\nIt starts to encrypt the files of almost all common extensions in the following system default folders in the default user directory: Contacts, Desktop, Documents, Downloads, Pictures, Music, OneDrive, Saved Games, Favorites, Searches, Videos, Links.\r\nIt uses the AES encryption algorithm, with the previously generated random password and a hard-coded salt value, to derive the key for the file encryption.\r\nFigure 7: AES encryption\r\nIt encrypts all the files and saves them with the .locked extension in the same directory. The demo version of this ransomware, which was given on the Hackertback website, uses the .demo extension for encrypted files. The folders that are to be encrypted are customizable.\r\nFigure 8: File encryption\r\nRansom Note\r\nAfter encrypting the files, it proceeds to threaten the victims with a ransom note in a text file named READ_IT.txt containing the threat actor’s email, name and ransom amount. The text file is copied to all the encrypted directories.\r\nFigure 9: Ransom note\r\nThen it proceeds to collect system information like the computer name, user name, random password (generated earlier), IP address and Timedatestamp. The information collected is encrypted using DES encryption with a hard-coded 8 byte key, then the resultant output is encoded with base64 and appended to the end of the READ_IT.txt file. It uses this method to store the details of victims who were not connected to the internet at the time of execution; the threat actor will ask for this encoded string for decryption when the user contacts them.\r\nFigure 10: DES encryption\r\nData Exfiltration\r\nOnce the victim’s data is encrypted, the threat actors then proceed to take full control of the victims. Like the previous process, it collects the system information, encrypts it using DES encryption, and encodes it with base64. The encoded string is then stored on the victim’s computer and sent to the threat actor twice, in two different ways.\r\nSending via SMTP\r\nIt writes the encoded string into a batch file with the filename format \u003ccomputer name\u003e-PC File-random text.bat under the path of the hidden folder C:\\\u003cDefault_user\u003e\\Your_data\\\r\nFigure 11: Stores victim’s details\r\nThe first method it uses to send the data to the threat actor is via email. The server address, the mail’s To and From addresses, and its password are hard coded. It uses the collected system information as the message body and the batch file name as the mail subject. The batch file is self-copied as a backup under the name Send_it.bat to the execution directory. The server address was not valid and we were not able to analyze the email further.\r\nSends to C2 server\r\nAfter sending the mail, it sends the collected information to the C2 server using the GET method with the hard-coded target URL hxxp://stefan-borodiydeeltaa[.]epizy[.]com/Server/write.php.\r\nFigure 12: Sends to C2 server\r\nInforming the Victim\r\nThis is the final function of the Nopyfy ransomware: changing the desktop background. It downloads an image from a hard-coded URL and sets the image as the background. Based on the desktop background (changed to the Ukrainian flag) and the foreground text, we believe that the threat actor(s) are of Ukrainian origin.\r\nFigure 13: Changing desktop background\r\nWe at K7 Labs provide detection for Nopyfy ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIndicators of Compromise (IOCs)\r\nFile Name: Nopyfy-Ransomware.exe\r\nHash: D977FA1A415C4CBFFb5F61FAD13DC6EA\r\nDetection Name: Trojan (004ddf631)\r\nC2: hxxp://stefan-borodiydeeltaa[.]epizy[.]com/Server/index[.]html\r\nSource: https://labs.k7computing.com/index.php/say-no-to-nopyfy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/say-no-to-nopyfy/"
	],
	"report_names": [
		"say-no-to-nopyfy"
	],
	"threat_actors": [],
	"ts_created_at": 1775791263,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9001819d3e2f568d3b6382056b91010e50387cdb.pdf",
		"text": "https://archive.orkl.eu/9001819d3e2f568d3b6382056b91010e50387cdb.txt",
		"img": "https://archive.orkl.eu/9001819d3e2f568d3b6382056b91010e50387cdb.jpg"
	}
}