Latest Python Ransomware Threat Identified

Security researchers at Trend Micro have found a new Python ransomware threat that trades on the success of Locky ransomware. The threat actors behind the ransomware have mimicked the ransom note used by the gang responsible for Locky, and the note claims that files have been encrypted by Locky Locker. Trend Micro has instead named this new ransomware threat PyLocky.

Python is a common scripting language, though it is not usually used to write ransomware. There have been notable exceptions, such as CryPy and Pyl33t, which were released in 2016 and 2017 respectively.

What makes this latest Python ransomware variant notable is its anti-machine-learning capability. PyLocky combines the Inno Setup installer with PyInstaller, which makes the threat harder to detect using static analysis techniques and machine learning-based security solutions. Trend Micro notes that similar methods have been used in certain Cerber ransomware variants.
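A static triage check for the packaging layers described above, added here as an example and not code from Trend Micro or the malware. It looks for two well-known markers: the PyInstaller archive cookie (the 8-byte magic `MEI\x0c\x0b\x0a\x0b\x0e` written into every PyInstaller bundle) and the `Inno Setup Setup Data` string present in Inno Setup installers; because Inno Setup compresses its payload, the check is run per stage (the installer, then the executable it drops), and the sample byte strings are constructed.

```python
"""Per-stage packer triage for Inno Setup and PyInstaller markers.

Added example (not from the original article). Marker values are the
public constants used by the two tools; sample inputs are constructed.
"""
from typing import Dict

# PyInstaller writes this cookie into the CArchive it appends to the stub.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Inno Setup installers carry this string in their setup-data header.
INNO_SETUP_MARKER = b"Inno Setup Setup Data"


def inspect_stage(data: bytes) -> Dict[str, bool]:
    """Report which packer markers are visible in one unpacked stage."""
    return {
        "pyinstaller": PYINSTALLER_MAGIC in data,
        "inno_setup": INNO_SETUP_MARKER in data,
    }


def inspect_file(path: str) -> Dict[str, bool]:
    """Convenience wrapper: run inspect_stage over a file on disk."""
    with open(path, "rb") as fh:
        return inspect_stage(fh.read())


def layered_packing(outer: bytes, dropped: bytes) -> bool:
    """True when the outer stage is an Inno Setup installer and the
    executable it drops is a PyInstaller bundle, the combination the
    article attributes to PyLocky."""
    return inspect_stage(outer)["inno_setup"] and inspect_stage(dropped)["pyinstaller"]


# Constructed samples standing in for the two stages of such a sample.
SAMPLE_INSTALLER = b"MZ" + b"\x00" * 48 + INNO_SETUP_MARKER + b" (5.5.9)" + b"\x00" * 16
SAMPLE_DROPPED = b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 24
SAMPLE_PLAIN = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    for name, blob in (("installer", SAMPLE_INSTALLER), ("dropped", SAMPLE_DROPPED), ("plain", SAMPLE_PLAIN)):
        print(name, inspect_stage(blob))
    print("layered Inno Setup -> PyInstaller:", layered_packing(SAMPLE_INSTALLER, SAMPLE_DROPPED))
```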

PyLocky ransomware was first seen in email spam campaigns conducted in July. The campaigns were targeted and comparatively small, but over July and August their scale increased. Initially the spam email campaigns were mainly sent to France and Germany, but by the end of August French companies were the main targets, with France accounting for 63.5% of attacks. A quarter of attacks were on Germany, and 7.5% of attacks were on New Caledonia. Variants of the ransom note have been written in English, Italian and Korean, suggesting the attacks may spread to other regions in the near future.

The spam emails used to distribute PyLocky vary, and they use social engineering to get end users to visit a malicious URL from which a .zip file containing the PyLocky executable is downloaded.

If that file is run, PyLocky searches for files on all logical drives and encrypts more than 150 file types, including image files, audio files, Office documents, databases, game files, archives, video files and system files. Files are encrypted with the triple-DES cipher and the original files are overwritten. As an anti-sandbox measure, PyLocky sleeps for 999,999 seconds if the system has less than 4GB of total memory.

No free decryptor is available that will unlock files encrypted by PyLocky. Recovery without paying the ransom is only possible by restoring files from backups.