PyLocky Ransomware

Security researchers at Trend Micro released details about the ransomware known as PyLocky. From the end of July through August, there was a notable increase in spam emails being sent to distribute this malware. The emails make use of social engineering techniques to entice an unsuspecting user into clicking a malicious URL, beginning the infection process, and ultimately downloading the ransomware itself.

Some of the themes observed in the subject line pretend to be legitimate invoices. PyLocky is written in Python and packaged with PyInstaller. As is customary with most ransomware, PyLocky will encrypt a victim’s files and demand that a ransom is paid to unlock them.

PyLocky encypts image, video, document, sound, program, game, database, and archive files, among others. Here’s a list of file types PyLocky encrypts:

.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt., .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent

Checks of one of the domains [] shows as malware.
Encryption Routine

PyLocky is configured to encrypt a hardcoded list of file extensions. PyLocky also abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. For its anti-sandbox capability, PyLocky will sleep for 999,999 seconds — or just over 11.5 days — if the affected system’s total visible memory size is less than 4GB. The file encryption routine executes if it is greater than or equal to 4GB.

After encryption, PyLocky will establish communication with its command-and-control (C&C) server. PyLocky implements its encryption routines using PyCrypto library – using the 3DES (Triple DES) cipher. PyLocky iterates through each logical drive, first generating a list of files before calling the ‘efile’ method, which overwrites each file with an encrypted version, then drops the ransom note.

PyLocky’s ransom notes are in English, French, Korean, and Italian, which may suggest that it may also target Korean- and Italian-speaking users. It also sends the affected system’s information to the C&C server via POST.

It tries to pass off as Locky in its ransom note, but PyLocky is unrelated to Locky.

For full technical details, please read the Trend Micro article here

Indicators of Compromise
PyLocky’s ransom note pretending to be the Locky ransomware

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: