New Python Ransomware Threat Detected

Security researchers at Trend Micro have identified a new Python ransomware threat that piggybacks on the success of Locky ransomware. The threat actors behind the ransomware have copied the ransom note used by the gang responsible for Locky. The ransomware note claims files have been encrypted by Locky Locker. Trend Micro have instead named this new ransomware threat PyLocky.

Python is a popular scripting language, although it is not commonly used for creating ransomware. There have been notable exceptions such as CryPy and Pyl33t, which were released in 2016 and 2017 respectively.

What makes the latest Python ransomware variant stand out is its anti-machine learning capabilities. PyLocky combines the Inno Setup installer and PyInstaller which makes it harder to identify the threat using static analysis methods and machine learning-based cybersecurity solutions. Trend Micro notes that similar tactics have been used in certain Cerber ransomware variants.

PyLocky ransomware was first seen in email spam campaigns conducted in July. The campaigns were targeted and relatively small, although throughout July and August the scale of the campaigns increased. At first the spam email campaigns were primarily sent in Germany and France, although by the end of August it was French firms that were mostly targeted, with France accounting for 63.5% of attacks. A quarter of attacks were conducted in Germany, and 7.5% of attacks were conducted in New Caledonia. Variants of the ransom note have been written in English, Italian and Korean, indicating the attacks may spread to other regions in the near future.

The spam emails used to distribute PyLocky are varied and use social engineering techniques to get end users to visit a malicious URL where a .zip file containing the PyLocky executable file is downloaded.

If that file is run, PyLocky will search for files on all logical drives and will encrypt more than 150 different file types including image files, video files, audio files, Office documents, databases, game files, archives, and system files. Files are encrypted using the triple-DES cipher and the original files are overwritten. As an anti-sandbox measure, PyLocky will sleep for 999,999 seconds if the system has a total memory size of less than 4GB, so that it never detonates inside a low-memory analysis VM.
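Two of the traits above are directly usable by defenders: the Inno Setup plus PyInstaller layering gives a static triage heuristic, and the 4GB memory check tells you how an analysis VM must be sized for the sample to run. The following helpers are an added example written for this article, not Trend Micro's or the ransomware's code; the PyInstaller archive magic, the Inno Setup header string and the /proc/meminfo parsing are assumptions about those tools, not details taken from the article.

```python
"""Defender-side triage helpers for the PyLocky traits described above."""
import os
import re

# Assumed static markers (not from the article): the CArchive cookie that
# PyInstaller writes into every bundle, and the version string that Inno
# Setup embeds in the installer's setup header.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
INNO_SETUP_MARKER = b"Inno Setup Setup Data"
MIN_SANDBOX_RAM_BYTES = 4 * 1024 ** 3   # below this PyLocky sleeps for 999,999 s


def packer_markers(data: bytes) -> dict:
    """Report which packer/installer markers appear in a file image."""
    return {
        "pyinstaller": PYINSTALLER_MAGIC in data,
        "inno_setup": INNO_SETUP_MARKER in data,
    }


def looks_like_pylocky_packaging(data: bytes) -> bool:
    """True when both layers the article describes are present in one sample."""
    found = packer_markers(data)
    return found["pyinstaller"] and found["inno_setup"]


def meminfo_total_bytes(meminfo_text: str) -> int:
    """Parse the MemTotal line of a Linux /proc/meminfo dump (value is in kB)."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.MULTILINE)
    if not m:
        raise ValueError("MemTotal line not found")
    return int(m.group(1)) * 1024


def sandbox_ram_sufficient(total_bytes: int) -> bool:
    """True when the analysis VM is large enough that the sleep is not triggered."""
    return total_bytes >= MIN_SANDBOX_RAM_BYTES


if __name__ == "__main__":
    # Constructed sample image carrying both markers, padded with filler bytes.
    sample = b"\x00" * 32 + INNO_SETUP_MARKER + b" (5.5.9)" + b"\x00" * 64 + PYINSTALLER_MAGIC
    print("markers:", packer_markers(sample))
    print("PyLocky-style packaging:", looks_like_pylocky_packaging(sample))
    if os.path.exists("/proc/meminfo"):   # only meaningful on a Linux analysis host
        with open("/proc/meminfo") as f:
            total = meminfo_total_bytes(f.read())
        print("sandbox RAM OK:", sandbox_ram_sufficient(total))
```

A sample that shows both markers is not proof of PyLocky, only a reason to route it to a VM that reports at least 4GB of RAM before judging it inert.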

There is no free decryptor available that will unlock files encrypted by PyLocky. Recovery without paying the ransom is only possible by restoring files from backups.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news