#1243108: Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor
PyLocky is a family of ransomware written in Python that attempts to masquerade as a Locky variant. This ransomware will encrypt all files on a victim machine before demanding that the user pay a ransom to gain access to their decrypted files. To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.
When PyLocky executes, it generates a random user ID and password and gathers information about the infected machine using WMI wrappers. It also generates a random initialization vector, or IV, which is then base64 encoded and sent to the C2 server along with the system information the malware has gathered. After obtaining the absolute path of every file on the system, the malware then calls the encryption algorithm, passing it the IV and password. Each file is first base64-encoded before it is encrypted. The malware appends the extension ".lockedfile" to each file it encrypts - for example, the file "picture.jpg" would become "picture.jpg.lockedfile." The original file is then overwritten with the attacker's ransom note.
Example of a PyLocky ransom note.
Talos encourages users never to pay an attacker-demanded ransom, as this rarely results in the recovery of encrypted files. Rather, victims of this ransomware should restore from backups if their files cannot be decrypted. Just as in the June 2017 Nyetya attack, Talos has observed on numerous occasions that attackers who are demanding ransoms may have no way to communicate with victims to provide a decryptor. Our free decryption tool can be downloaded here.
|Date added||Jan. 11, 2019, 7:53 a.m.|