Security researchers at Trend Micro have identified a new ransomware strain, PyLocky, used in attacks between July and August 2018. The malware poses as the Locky ransomware by dropping a ransom note that closely imitates Locky's, but it is unrelated to it: PyLocky is written in Python and packaged with PyInstaller so that it runs as a standalone executable without a Python interpreter installed on the victim's machine.
How does it convert the Python scripts into an executable?
PyInstaller bundles the Python interpreter, the malware's scripts and their dependencies into a single standalone executable. That executable is then wrapped in an installer built with Inno Setup, an open-source installer builder. Trend Micro describes this double packaging as an "anti-machine learning" measure: neither layer is malicious on its own, and together they hide the actual Python code from static analysis, including machine-learning-based static classifiers that look at the outer binary.
How is the ransomware spreading?
The combination of an Inno Setup installer around a PyInstaller bundle is meant to defeat static analysis, which makes the sample harder to detect before it runs. PyLocky mainly targets Europe, particularly France, and is distributed through spam campaigns; the spam volume started low but grew over time.
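Both packaging layers leave static markers that a triage script can key on: PyInstaller writes a fixed "cookie" at the end of its archive (the magic bytes MEI\x0c\x0b\x0a\x0b\x0e, which unpackers such as pyinstxtractor search for), and Inno Setup embeds a version string of the form "Inno Setup Setup Data (x.y.z)". The following is an added example written for this page, not code from the original article or from Trend Micro; the sample bytes it builds are constructed for demonstration and are not real PyLocky data, and the cookie layout shown is the PyInstaller 2.1+ format.

```python
"""Static triage for PyInstaller-packed and Inno Setup-wrapped binaries.

Added example (not from the original article): flags the two packaging
layers PyLocky relies on and parses the Python version and runtime DLL
name out of the PyInstaller cookie.  Sample inputs are constructed.
"""
import re
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# PyInstaller >= 2.1 cookie: magic, package length, TOC offset, TOC length,
# Python version, name of the bundled Python shared library (64 bytes).
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
INNO_SETUP_RE = re.compile(rb"Inno Setup Setup Data \(([0-9.]+)\)")


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie, or None if the binary is not PyInstaller-packed.

    The cookie normally sits at the very end of the archive, but an outer
    wrapper or appended data can follow it, so search for the last occurrence
    of the magic instead of trusting a fixed offset.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None  # no cookie, or a truncated one
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # Older bundles encode Python 2.7 as 27; newer ones encode 3.9 as 309.
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def find_inno_setup_version(data: bytes):
    """Return the Inno Setup version string embedded in an installer, or None."""
    m = INNO_SETUP_RE.search(data)
    return m.group(1).decode("ascii") if m else None


def triage(data: bytes) -> dict:
    """Report which packaging layers are present.  Both together is the
    PyLocky-style pattern: an Inno Setup installer around a PyInstaller exe."""
    cookie = find_pyinstaller_cookie(data)
    inno = find_inno_setup_version(data)
    return {
        "pyinstaller": cookie is not None,
        "inno_setup": inno is not None,
        "pyinstaller_cookie": cookie,
        "inno_setup_version": inno,
        "suspicious_combo": cookie is not None and inno is not None,
    }


def build_sample(with_pyinstaller: bool, with_inno: bool) -> bytes:
    """Construct a fake binary for demonstration (not a real sample)."""
    blob = b"MZ" + b"\0" * 64 + b"filler" * 16
    if with_inno:
        blob += b"Inno Setup Setup Data (5.5.9)" + b"\0" * 8
    if with_pyinstaller:
        blob += b"PYZ-00.pyz" + b"\0" * 32
        blob += struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 3000, 200,
                            27, b"python27.dll".ljust(64, b"\0"))
    return blob


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        print(triage(build_sample(True, True)))
```

Run it against a suspect file (`python triage.py sample.exe`) or with no argument to see the constructed sample flagged. A hit on the cookie tells you the sample is a Python program and which interpreter version to use when unpacking and decompiling it, which is the fastest route past the "anti-static-analysis" packaging: once the .pyc files are extracted, the malware's logic is plain Python.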
PyLocky encrypts files matching a hardcoded list of extensions covering images, video, audio, documents, applications, databases and archives, and only then displays the ransom note. It also abuses Windows Management Instrumentation (WMI) to read properties of the affected system.
How does the ransomware work?
If the system's total visible memory is less than 4 GB, PyLocky sleeps for 999,999 seconds (roughly 11.5 days) before doing anything else. This is a crude sandbox-evasion check: analysis VMs are often configured with little RAM, and a sandbox that does not accelerate sleeps will time out long before the encryption routine runs, so samples should be detonated on a machine with at least 4 GB of memory. For encryption PyLocky uses the 3DES (Triple DES) cipher from the PyCrypto library. It iterates through each logical drive, builds a list of files with the targeted extensions, then encrypts each file and overwrites the original with the encrypted version. Information about the affected system is also sent to the attackers' command-and-control (C&C) server.