Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Microsoft Windows Server 2016 / Windows 10 Multiple Vulnerabilities
September 12, 2018Rewterz Threat Advisory – New ‘Brrr’ Variant of Dharma Ransomware released
September 17, 2018
Socially engineered spam emails have been identified delivering the PyLocky ransomware.
IMPACT: MEDIUM
PUBLISH DATE: 13-09-2018
OVERVIEW
A ransomware has been spotted by TrendMicro in Europe that tends to mimic the Locky ransomware. Named Pylocky, the ransomware features anti-machine learning capability and anti-sandboxing features. Therefore, it becomes notable due to the difficulty in its detection and analysis.
ANALYSIS
PyLocky’s has smart evasion techniques and it abuses legitimate tools that are mainly used by administrators. This makes it a very serious threat. The ransomware is written in Python and packaged with PyInstaller, a tool that turns Python applications into standalone executables.
The ransomware imitates Locky and other known ransomware families but is found unrelated to them. The researchers have also found that it also uses the open-source script-based Inno Setup Installer and can pose a real challenge to static analysis methods.
It was proliferated through socially-engineered malicious emails posing to relate to invoices. When a user follows the instruction to click the attached malicious URLs containing Pylocky, they will be redirected to a URL containing a ZIP file that drops malware components when executed.
The malware components will then proceed to encrypt a total of 150 file types (shown below) including images, videos, documents, sounds, programs, games, databases, archived files and other types of data on a user’s device. PyLocky iterates through each logical drive, generates a list of files, and then overwrites targeted files with an encrypted version.
A hardcoded list of file extensions seems to be the target of encryption for this ransomware. Furthermore, it seems to have been configured to abuse Windows Management Instrumentation (WMI) to check the properties of the affected system.
The ransomware possesses anti-sandbox capabilities that may make it sleep for 999,999 seconds or just over 11.5 days if the total visible memory size of the target system is less than 4GB.
Sand-box evasion techniques of Pylocky
After encrypting a system’s files, it generates an encryption key and proceeds to communicate with its command-and-control (C&C) server. The ransom note then dropped is multilingual, hinting at the broad term usage of this ransomware, finding targets across borders.
INDICATORS OF COMPROMISE
MITIGATION
With so many attack vectors available for the attackers, safeguarding your organization’s assets requires you to establish a multi-layered approach to security. Apply best practices like regularly backing up files, keeping the system updated, securing the use of system components and promoting a culture of cybersecurity awareness. Moreover, the threat indicators may help in blocking out certain security threats if used correctly.