Ransomware - PizzaRansom

PizzaRansom
Aliases: PizzaCrypt
Decryptor Available: No
Description

PizzaRansom takes its name from the source code path found in the strings of the sample. In other words, the authors themselves chose the name PizzaRansom. However, the researcher who discovered it, @siri_urz (Twitter), aptly dubbed it PizzaCrypt. To keep the original name and avoid confusion with a similarly named ransomware, PizzaCrypts (note the extra 's' on the end), we kept the name PizzaRansom and gave it the alias PizzaCrypt.

This ransomware is written in C# (.NET) and is not obfuscated. As such, we examined the source code of the sample and noticed that it uses the RijndaelManaged class to build an encryption routine using AES-256 in CFB mode. Encrypted files are given the file extension '.pizza', and the ransomware drops a ransom note named README.txt. The ransom note gives away a lot of information without saying much. It's apparent from the extortion request that this was either an early iteration of another ransomware or written as a joke/for fun. You can view the ransom note below.

Ransomware Type: Crypto-Ransomware
First Seen
Last Seen
Extortion Types: Pseudo-Extortion
Encryption
Type: Symmetric
Files: AES-256-CFB
File Extension: <file name>.pizza
Ransom Note Name: README.txt
Ransom Note Image
Samples (SHA-256)
a0aafb46fcdbc528925dea8783fa348bb1df49fa4ff216136f32d708d7605b6f
References & Publications