Thursday, March 28, 2024

New PyLocky Ransomware Attacks Various Organizations and Encrypts More than 100 File Extensions

The newly spreading PyLocky ransomware is widely targeting and attacking various organizations, evading security solutions with its sophisticated attack functionality, and its activity has kept increasing since last August.

PyLocky mainly targets European countries, particularly France and Germany, and tries to compromise business units in order to demand a ransom.

PyLocky is written in Python and packed with PyInstaller, which packages a Python application as a stand-alone executable.

Unlike other ransomware, PyLocky has an anti-machine-learning capability that makes static analysis very difficult and in-depth analysis very challenging for researchers.

Its name suggests that this ransomware belongs to Locky, one of the most destructive malware families in history, which compromised various sectors around the world, but it has no relation to the original Locky ransomware.

PyLocky ransom notes are in English, French, Korean, and Italian, and it also targets Korean- and Italian-speaking users.

PyLocky Ransomware Infection Process

The initial stage of infection is a spam email campaign with a malicious attachment that is distributed to victims, who are tricked through social engineering into clicking a link that drops PyLocky. Once the URL is clicked, it drops a signed executable (Facture_23100.31.07.2018.exe) that eventually drops the malware component, which also contains the main ransomware executable (lockyfud.exe).

After completing its execution process, PyLocky encrypts files with more than 100 extensions, including image, video, document, sound, program, game, database, and archive files, among others:

.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages, .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt, .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3, .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent

Once the encryption process is complete, PyLocky communicates with its command-and-control server and drops the ransom notes.
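The mass rewrite of files across so many extensions is itself a detectable behaviour. The following is an added example, not code from the article or from the PyLocky sample: an endpoint-monitor rule that flags any process writing a burst of files across the targeted types within a short window (the process name, paths and telemetry format are constructed for the demonstration).

```python
"""Added example, not code from the article or the PyLocky sample: an endpoint
monitor rule that flags a burst of writes across the file types PyLocky targets."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Subset of the extensions listed in the article (the full list has 100+ entries).
TARGETED_EXTENSIONS = {
    ".jpg", ".png", ".doc", ".docx", ".pdf", ".xlsx", ".pptx", ".txt",
    ".sql", ".mdb", ".zip", ".7z", ".py", ".java", ".mp4", ".bak",
}

def flag_mass_modification(events, window_seconds=60, min_files=20, min_extensions=5):
    """events: iterable of (iso_timestamp, process_name, path).
    Returns [(process, window_start, file_count, extension_count)] for every
    process that writes at least `min_files` distinct targeted files spanning
    `min_extensions` extensions within one `window_seconds` sliding window."""
    per_process = defaultdict(list)
    for ts, proc, path in events:
        ext = PureWindowsPath(path).suffix.lower()
        if ext in TARGETED_EXTENSIONS:
            per_process[proc].append((datetime.fromisoformat(ts), path, ext))
    alerts = []
    for proc, hits in per_process.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits in window_seconds
            while hits[end][0] - hits[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = hits[start:end + 1]
            files = {path for _, path, _ in window}
            exts = {ext for _, _, ext in window}
            if len(files) >= min_files and len(exts) >= min_extensions:
                alerts.append((proc, hits[start][0].isoformat(), len(files), len(exts)))
                break  # one alert per process is enough
    return alerts

# Constructed sample telemetry: one benign editor save, then a process that
# rewrites 32 targeted files in about half a minute (hypothetical names/paths).
SAMPLE_EVENTS = [("2018-08-01T10:00:00", "winword.exe", r"C:\Users\a\Documents\report.docx")]
SAMPLE_EVENTS += [
    (f"2018-08-01T10:05:{i:02d}", "lockyfud.exe", rf"C:\Users\a\Documents\file{i}{ext}")
    for i, ext in enumerate(sorted(TARGETED_EXTENSIONS) * 2)
]

if __name__ == "__main__":
    print(flag_mass_modification(SAMPLE_EVENTS))
```

Thresholds are deliberately conservative so a user saving a handful of documents never trips the rule; tune `min_files` and `window_seconds` against baseline telemetry from the environment.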

According to Trend Micro, as an anti-sandbox capability, PyLocky will sleep for 999,999 seconds, or just over 11.5 days, if the affected system's total visible memory size is less than 4GB. The file encryption routine executes only if it is greater than or equal to 4GB.

During its execution, PyLocky also abuses Windows Management Instrumentation (WMI) to check the affected system's properties as part of this anti-sandbox feature.
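For analysts, the practical consequence is that a sandbox VM with too little visible memory will show nothing but an 11-day sleep. The following is an added example, not the article's or the sample's code: it parses the `Name=Value` output that `wmic os get TotalVisibleMemorySize /format:list` produces for the `Win32_OperatingSystem` class (reported in kilobytes) and reports whether the VM clears the gate; the 4GB threshold is taken as 4 GiB, which is an assumption.

```python
"""Added example, not code from the article or the PyLocky sample: check whether an
analysis VM's visible memory would trip the memory gate described in the article."""
import re

SLEEP_SECONDS = 999_999            # dormancy the article reports
MEMORY_GATE_BYTES = 4 * 1024 ** 3  # 4GB threshold from the article; 4 GiB is an assumption

def parse_wmi_list_output(text):
    """Parse 'Name=Value' lines as produced by `wmic ... /format:list`."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)=(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def sandbox_readiness(wmi_output):
    """Win32_OperatingSystem.TotalVisibleMemorySize is reported in kilobytes.
    Returns (visible_bytes, passes_gate, dormant_days)."""
    fields = parse_wmi_list_output(wmi_output)
    if "TotalVisibleMemorySize" not in fields:
        raise ValueError("TotalVisibleMemorySize missing from WMI output")
    visible_bytes = int(fields["TotalVisibleMemorySize"]) * 1024
    passes_gate = visible_bytes >= MEMORY_GATE_BYTES
    dormant_days = 0.0 if passes_gate else round(SLEEP_SECONDS / 86400, 2)
    return visible_bytes, passes_gate, dormant_days

# Constructed WMI outputs for a 2GB VM and an 8GB VM.
SMALL_VM = "\r\nTotalVisibleMemorySize=2097152\r\nFreePhysicalMemory=1048576\r\n"
LARGE_VM = "\r\nTotalVisibleMemorySize=8388608\r\nFreePhysicalMemory=4194304\r\n"

if __name__ == "__main__":
    for name, output in (("small", SMALL_VM), ("large", LARGE_VM)):
        print(name, sandbox_readiness(output))
```

Because the OS reports visible memory net of firmware and hardware reservations, a VM configured with exactly 4GB can still fall just under the gate, so give analysis VMs comfortable headroom above it.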

Indicators of Compromise (IoCs):

Hashes detected as RANSOM_PYLOCKY.A (SHA-256):

  • c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa
  • 1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999

Author: Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
