New PyLocky Ransomware Attack on Various Organization that Encrypt More than 100 File Extensions

Newly spreading PyLocky Ransomware widely targeting and attack various organization by evading the security solutions using its sophisticated attack functionality and its activities keep increasing since the last August.

PyLocky mainly targeting European countries, particularly France, Germany and it trying to  compromise the business units to demand the ransom amount.

PyLocky ransomware written in python and packed with PyInstaller which helps to package the python based application as a stand-alone executable.

Unlike other Ransomware, PyLocky contains anti-machine learning capability that makes very difficult for static analyses and its very challenging one for researchers in depth analysis.

Name itself claimed that, this ransomware belongs to Locky which is one of the most destructive malware in history that compromised various sector around the world but it doesn’t have any relation with original Locky ransomware.

Pylocky Ransomware notes are in English, French, Korean, and Italian and also target Korean- and Italian-speaking users.

PyLocky Ransomware Infection process

The initial stage of infection starts with a spam email campaign along with malicious attachment which distributed to the victims and trick them to click the link using social engineering techniques that drop PyLocky.Once click the URL then drops a signed executable (Facture_23100.31.07.2018.exe) that eventually drops the Malware component that also contains the main ransomware executable (lockyfud.exe).

After completing its execution process, PyLocky encrypts more than 100 extension files including image, video, document, sound, program, game, database, and archive files, among others.

.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt., .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent

once it’s complete the encryption process, PyLocky communicates with its command & control server and drops the ransom notes.

According to Trend Micro, its anti-sandbox capability, PyLocky will sleep for 999,999 seconds — or just over 11.5 days — if the affected system’s total visible memory size is less than 4GB. The file encryption routine executes if it is greater than or equal to 4GB.

Meanwhile the execution process of PyLocky, it also abuses Windows Management Instrumentation (WMI) to check the affected system properties along with its anti-sandbox future.

Indicators of Compromise (IoCs):

Hashes detected as RANSOM_PYLOCKY.A (SHA-256):

  • c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa
  • 1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999

Also Read:

New Ransomware That Encrypts Only EXE Files on Windows Machines

Hackers Launching GandCrab Ransomware via New Fallout Exploit Kit using Malvertising Campaign

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range of…

13 hours ago

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S.…

22 hours ago

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the notorious…

23 hours ago

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool in…

1 day ago

Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA

Cybercriminals are intensifying their efforts to undermine multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks, leveraging…

1 day ago

Threat Actors Target Critical National Infrastructure with New Malware and Tools

A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term…

1 day ago