New PyLocky Ransomware Attack on Various Organization that Encrypt More than 100 File Extensions

Newly spreading PyLocky Ransomware widely targeting and attack various organization by evading the security solutions using its sophisticated attack functionality and its activities keep increasing since the last August.

PyLocky mainly targeting European countries, particularly France, Germany and it trying to  compromise the business units to demand the ransom amount.

PyLocky ransomware written in python and packed with PyInstaller which helps to package the python based application as a stand-alone executable.

Unlike other Ransomware, PyLocky contains anti-machine learning capability that makes very difficult for static analyses and its very challenging one for researchers in depth analysis.

Name itself claimed that, this ransomware belongs to Locky which is one of the most destructive malware in history that compromised various sector around the world but it doesn’t have any relation with original Locky ransomware.

Pylocky Ransomware notes are in English, French, Korean, and Italian and also target Korean- and Italian-speaking users.

PyLocky Ransomware Infection process

The initial stage of infection starts with a spam email campaign along with malicious attachment which distributed to the victims and trick them to click the link using social engineering techniques that drop PyLocky.Once click the URL then drops a signed executable (Facture_23100.31.07.2018.exe) that eventually drops the Malware component that also contains the main ransomware executable (lockyfud.exe).

After completing its execution process, PyLocky encrypts more than 100 extension files including image, video, document, sound, program, game, database, and archive files, among others.

.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt., .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent

once it’s complete the encryption process, PyLocky communicates with its command & control server and drops the ransom notes.

According to Trend Micro, its anti-sandbox capability, PyLocky will sleep for 999,999 seconds — or just over 11.5 days — if the affected system’s total visible memory size is less than 4GB. The file encryption routine executes if it is greater than or equal to 4GB.

Meanwhile the execution process of PyLocky, it also abuses Windows Management Instrumentation (WMI) to check the affected system properties along with its anti-sandbox future.

Indicators of Compromise (IoCs):

Hashes detected as RANSOM_PYLOCKY.A (SHA-256):

  • c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa
  • 1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999

Also Read:

New Ransomware That Encrypts Only EXE Files on Windows Machines

Hackers Launching GandCrab Ransomware via New Fallout Exploit Kit using Malvertising Campaign

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

3 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago