
Rewterz Threat Advisory – PyLocky ransomware using unique evasion tactics

September 13, 2018

Socially engineered spam emails have been identified delivering the PyLocky ransomware.

IMPACT: MEDIUM

PUBLISH DATE: 13-09-2018

OVERVIEW

A ransomware spotted by TrendMicro in Europe mimics the Locky ransomware. Named PyLocky, it features anti-machine-learning and anti-sandboxing capabilities, which make it notable for the difficulty of detecting and analysing it.

ANALYSIS

PyLocky has smart evasion techniques and abuses legitimate tools that are mainly used by administrators, which makes it a very serious threat. The ransomware is written in Python and packaged with PyInstaller, a tool that turns Python applications into standalone executables.

The ransomware imitates Locky and other known ransomware families but is unrelated to them. The researchers also found that it uses the open-source script-based Inno Setup installer, which can pose a real challenge to static analysis methods.

It was proliferated through socially engineered malicious emails posing as invoice-related messages. When a user follows the instruction to click the attached malicious URL containing PyLocky, they are redirected to a URL hosting a ZIP file that drops the malware components when executed.

The malware components then proceed to encrypt a total of 150 file types (shown below), including images, videos, documents, sounds, programs, games, databases, archived files and other types of data on the user's device. PyLocky iterates through each logical drive, generates a list of files, and then overwrites targeted files with an encrypted version.
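The iterate-drives-and-overwrite behaviour described above is what file-activity telemetry can catch. The following detector, an added example that is not part of the Rewterz advisory, flags a process that rewrites many targeted file types across several logical drives within a short window; the event format, the extension subset and the thresholds are assumptions, and the log lines are constructed.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed subset of the extension families the advisory says PyLocky targets.
TARGET_EXTS = {".jpg", ".png", ".mp4", ".docx", ".xlsx", ".pdf", ".mp3", ".zip", ".db", ".sql"}

# Constructed file-write events (not real telemetry): timestamp|process|pid|action|path
SAMPLE_EVENTS = """\
2018-09-13T10:00:01|explorer.exe|1200|WRITE|C:\\Users\\bob\\notes.txt
2018-09-13T10:00:05|invoice.exe|4410|WRITE|C:\\Users\\bob\\Pictures\\a.jpg
2018-09-13T10:00:05|invoice.exe|4410|WRITE|D:\\Shares\\report.docx
2018-09-13T10:00:06|invoice.exe|4410|WRITE|C:\\Users\\bob\\Music\\song.mp3
2018-09-13T10:00:06|invoice.exe|4410|WRITE|C:\\Users\\bob\\Videos\\clip.mp4
2018-09-13T10:00:07|invoice.exe|4410|WRITE|C:\\Users\\bob\\data.db
2018-09-13T10:00:07|invoice.exe|4410|WRITE|E:\\backup\\archive.zip
2018-09-13T10:00:30|winword.exe|2210|WRITE|C:\\Users\\bob\\letter.docx
"""

def parse_event(line):
    # One pipe-delimited event line -> dict with a parsed timestamp.
    ts, proc, pid, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "proc": proc,
            "pid": int(pid), "action": action, "path": path}

def find_mass_overwrite(lines, window=timedelta(seconds=60), min_files=5, min_drives=2):
    """Return {pid: process} for processes that overwrite >= min_files distinct targeted
    files across >= min_drives logical drives within `window` (thresholds are assumptions)."""
    by_pid = defaultdict(list)
    for raw in filter(None, (l.strip() for l in lines)):
        ev = parse_event(raw)
        ext = os.path.splitext(ev["path"])[1].lower()
        if ev["action"] == "WRITE" and ext in TARGET_EXTS:
            by_pid[ev["pid"]].append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this pid's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = evs[start:end + 1]
            files = {e["path"] for e in seen}
            drives = {e["path"][:2].upper() for e in seen}  # "C:", "D:", ...
            if len(files) >= min_files and len(drives) >= min_drives:
                hits[pid] = evs[0]["proc"]
                break
    return hits
```

Feed it the output of your own file-integrity or EDR file-write feed after mapping the fields; the drive-spread condition is what separates PyLocky's drive-by-drive sweep from a user saving a handful of documents.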

A hardcoded list of file extensions appears to be the target of encryption for this ransomware. Furthermore, it appears to have been configured to abuse Windows Management Instrumentation (WMI) to check the properties of the affected system.

The ransomware possesses anti-sandbox capabilities that may make it sleep for 999,999 seconds (just over 11.5 days) if the total visible memory size of the target system is less than 4 GB.

Figure: Sandbox evasion techniques of PyLocky

After encrypting a system's files, it generates an encryption key and proceeds to communicate with its command-and-control (C&C) server. The ransom note it then drops is multilingual, hinting at the broad reach of this ransomware, which finds targets across borders.

INDICATORS OF COMPROMISE

MITIGATION

With so many attack vectors available to attackers, safeguarding your organization's assets requires a multi-layered approach to security. Apply best practices such as regularly backing up files, keeping systems updated, securing the use of system components and promoting a culture of cybersecurity awareness. Moreover, the threat indicators may help in blocking certain security threats if used correctly.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.