Sunday, December 3, 2023

New PyLocky Ransomware Attack on Various Organization that Encrypt More than 100 File Extensions

Newly spreading PyLocky Ransomware widely targeting and attack various organization by evading the security solutions using its sophisticated attack functionality and its activities keep increasing since the last August.

PyLocky mainly targeting European countries, particularly France, Germany and it trying to  compromise the business units to demand the ransom amount.

PyLocky ransomware written in python and packed with PyInstaller which helps to package the python based application as a stand-alone executable.

Unlike other Ransomware, PyLocky contains anti-machine learning capability that makes very difficult for static analyses and its very challenging one for researchers in depth analysis.

Name itself claimed that, this ransomware belongs to Locky which is one of the most destructive malware in history that compromised various sector around the world but it doesn’t have any relation with original Locky ransomware.

Pylocky Ransomware notes are in English, French, Korean, and Italian and also target Korean- and Italian-speaking users.

PyLocky Ransomware Infection process

The initial stage of infection starts with a spam email campaign along with malicious attachment which distributed to the victims and trick them to click the link using social engineering techniques that drop PyLocky.Once click the URL then drops a signed executable (Facture_23100.31.07.2018.exe) that eventually drops the Malware component that also contains the main ransomware executable (lockyfud.exe).

After completing its execution process, PyLocky encrypts more than 100 extension files including image, video, document, sound, program, game, database, and archive files, among others.

.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt., .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent

once it’s complete the encryption process, PyLocky communicates with its command & control server and drops the ransom notes.

According to Trend Micro, its anti-sandbox capability, PyLocky will sleep for 999,999 seconds — or just over 11.5 days — if the affected system’s total visible memory size is less than 4GB. The file encryption routine executes if it is greater than or equal to 4GB.

Meanwhile the execution process of PyLocky, it also abuses Windows Management Instrumentation (WMI) to check the affected system properties along with its anti-sandbox future.

Indicators of Compromise (IoCs):

Hashes detected as RANSOM_PYLOCKY.A (SHA-256):

  • c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa
  • 1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999

Also Read:

New Ransomware That Encrypts Only EXE Files on Windows Machines

Hackers Launching GandCrab Ransomware via New Fallout Exploit Kit using Malvertising Campaign

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles