- PyLocky seems to be targeting European countries, particularly France, and is delivered via invoice-themed spam emails.
- In the ransom note, PyLocky claims claims to be the Locky ransomware.
Security researchers have spotted waves of spam emails over the summer targeting businesses in Europe to deliver a new strain of ransomware named PyLocky. While the ransomware is not related to the infamous Locky , it does attempt to piggyback off of the success of the prolific ransomware.
First spotted in July, PyLocky is written in Python and comes packaged with PyInstaller, a legitimate tool used to bundle Python-based programs as standalone executables.
According to researchers at Trend Micro, the ransomware seems to be targeting European countries, particularly France, and is delivered via invoice-themed spam emails.
The socially engineered emails contain a link that redirects users to a malicious URL. This URL leads to a ZIP file that contains a signed executable which, once run, drops various malware components including several C++ libraries, the Python 2.7 Core dynamic-link library (DLL) and the main ransomware executable into a temporary file.
"PyLocky is configured to encrypt a hardcoded list of file extensions," Trend Micro researchers wrote in a blog post. "PyLocky also abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. For its anti-sandbox capability, PyLocky will sleep for 999.999 seconds — or just over 11.5 days — if the affected system’s total visible memory size is less than 4GB. The file encryption routine executes if it is greater than or equal to 4GB."
Once the encryption process is complete, PyLocky established communication with its command and control server (C&C), implements its encryption routine using PyCrypto library with the 3DES cipher, and relays the stolen information to C2 via POST.
"PyLocky iterates through each logical drive, first generating a list of files before calling the ‘efile’ method, which overwrites each file with an encrypted version, then drops the ransom note," researchers said.
In the ransom note, PyLocky claims claims to be the Locky ransomware. Researchers noted that the ransom notes are written in English, French, Italian and Korean.
"While ransomware has noticeably plateaued in today’s threat landscape, it’s still a cybercriminal staple," researchers said. "PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defense in depth. For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet."