Socially engineered spam emails have been identified delivering the PyLocky ransomware.
PUBLISH DATE: 13-09-2018
Ransomware that mimics the Locky family has been spotted by Trend Micro in Europe. Named PyLocky, it features anti-machine-learning and anti-sandboxing capabilities, which make it notable because they hamper detection and analysis.
PyLocky has smart evasion techniques and abuses legitimate tools mainly used by administrators, which makes it a serious threat. The ransomware is written in Python and packaged with PyInstaller, a tool that turns Python applications into standalone executables.
The ransomware imitates Locky and other known ransomware families but has been found to be unrelated to them. The researchers also found that it uses the open-source, script-based Inno Setup installer, which can pose a real challenge to static analysis methods.
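Because PyLocky ships as a PyInstaller bundle, a first static triage step is to confirm that packaging before any deeper analysis. The script below is an added example, not Trend Micro's or the page's code: it locates and parses PyInstaller's CArchive cookie (the magic bytes and field layout are PyInstaller's own; the "python"-in-tail heuristic for telling 2.1+ cookies from 2.0 ones is the one common extractors use) and runs it over a constructed stand-in file, not a real sample.

```python
import struct

# PyInstaller appends a "CArchive" to the executable and terminates it with a
# fixed cookie. Its magic bytes are the quickest static tell that a sample is a
# PyInstaller bundle (as PyLocky is) rather than a natively compiled binary.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V20 = struct.Struct("!8siiii")     # magic, pkg_len, toc_off, toc_len, pyver
COOKIE_V21 = struct.Struct("!8siiii64s")  # ...plus a NUL-padded python lib name

def parse_pyinstaller_cookie(data: bytes):
    """Return the cookie fields if `data` carries a PyInstaller archive, else None."""
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1:
        return None
    # Heuristic used by common extractors: PyInstaller >= 2.1 cookies carry the
    # python library name (e.g. python27.dll) right after the 24-byte 2.0 header.
    tail = data[pos + COOKIE_V20.size : pos + COOKIE_V21.size]
    if b"python" in tail.lower() and pos + COOKIE_V21.size <= len(data):
        _, pkg_len, toc_off, toc_len, pyver, lib = COOKIE_V21.unpack_from(data, pos)
        libname = lib.rstrip(b"\x00").decode("ascii", "replace")
    elif pos + COOKIE_V20.size <= len(data):
        _, pkg_len, toc_off, toc_len, pyver = COOKIE_V20.unpack_from(data, pos)
        libname = None
    else:
        return None  # magic present but the cookie itself is truncated
    return {"cookie_offset": pos, "package_length": pkg_len, "toc_offset": toc_off,
            "toc_length": toc_len, "python_version": pyver, "python_lib": libname}

def build_sample_bundle(style: int = 21, pyver: int = 27, lib: bytes = b"python27.dll") -> bytes:
    """Constructed stand-in for a PyInstaller-packed EXE (not a real sample):
    a fake MZ header, a dummy archive body, then a cookie in the chosen style."""
    body = b"MZ" + b"\x00" * 62 + b"constructed-archive-body" * 4
    if style == 21:
        cookie = COOKIE_V21.pack(PYINST_MAGIC, len(body) + COOKIE_V21.size,
                                 0x40, 0x80, pyver, lib.ljust(64, b"\x00"))
    else:
        cookie = COOKIE_V20.pack(PYINST_MAGIC, len(body) + COOKIE_V20.size, 0x40, 0x80, pyver)
    return body + cookie

if __name__ == "__main__":
    for style in (21, 20):
        print(style, parse_pyinstaller_cookie(build_sample_bundle(style)))
    print("plain file:", parse_pyinstaller_cookie(b"MZ" + b"\x00" * 200))
```

A positive hit tells the analyst to reach for a PyInstaller archive extractor and a bytecode decompiler rather than a native disassembler; the `python_version` field (e.g. 27 for Python 2.7) says which decompiler to use.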
It was distributed through socially engineered malicious emails posing as invoice-related messages. When a user follows the instruction to click the attached malicious URL, they are redirected to a URL hosting a ZIP file that drops the PyLocky components when executed.
The malware components then encrypt a total of 150 file types (shown below), including images, videos, documents, sounds, programs, games, databases, archived files and other data on the user’s device. PyLocky iterates through each logical drive, generates a list of files, and then overwrites the targeted files with an encrypted version.
A hardcoded list of file extensions appears to be the target of encryption for this ransomware. Furthermore, it appears to have been configured to abuse Windows Management Instrumentation (WMI) to check the properties of the affected system.
The ransomware has anti-sandbox capabilities: it sleeps for 999,999 seconds, just over 11.5 days, if the total visible memory size of the target system is less than 4GB.
After encrypting a system’s files, it generates an encryption key and communicates with its command-and-control (C&C) server. The ransom note it then drops is multilingual, indicating that this ransomware is used broadly, finding targets across borders.
INDICATORS OF COMPROMISE
With so many attack vectors available to attackers, safeguarding your organization’s assets requires a multi-layered approach to security. Apply best practices such as regularly backing up files, keeping systems updated, securing the use of system components and promoting a culture of cybersecurity awareness. The threat indicators may also help in blocking specific threats if used correctly.