New PyLocky Ransomware stands out for anti-machine learning capability
13.9.2018 securityaffairs
Ransomware

Security experts from Trend Micro have spotted a new strain of ransomware involved in attacks in July and August, the malicious code was posing as the Locky ransomware.
Researchers at Trend Micro have detected a new ransomware family, dubbed PyLocky, that was used in attacks between July and August, the malware was posing as the Locky ransomware using its ransom note.

PyLocky is written in Python and it is packaged with the PyInstaller tool that is normally used to freeze Python programs into stand-alone executables.

PyLocky stands out for its anti-machine learning capability, it also leverages the open-source script-based Inno Setup Installer.

“In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. Although it tries to pass off as Locky in its ransom note, PyLocky is unrelated to Locky.” reads hte analysis published by Trend Micro.

“PyLocky is written in Python, a popular scripting language; and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables.”

Experts warn of its ability to bypass static analysis methods due to the combined use of Inno Setup Installer and PyInstaller.

The PyLocky malware was distributed via spam emails most of which targeted European countries, particularly France.

Experts pointed out the spam campaign started low in volume, but the overall number of spam messages increased in time.

The infections chain sees spam messages distributing PyLocky to recipients luring them with socially engineered subjects. The emails include a link that redirects users to a malicious URL containing the PyLocky components.

“The malicious URL leads to a ZIP file (Facture_23100.31.07.2018.zip) that contains a signed executable (Facture_23100.31.07.2018.exe). When successfully run, the Facture_23100.31.07.2018.exe will drop malware components — several C++ and Python libraries and the Python 2.7 Core dynamic-link library (DLL) — along with the main ransomware executable (lockyfud.exe, which was created via PyInstaller ) in C:\Users\{user}\AppData\Local\Temp\is-{random}.tmp.” states the report.

pylocky ransomware

Once infected a system, PyLocky ransomware attempts to encrypt image, video, document, sound, program, game, database, and archive files, among others.

“PyLocky is configured to encrypt a hardcoded list of file extensions, as shown in Figure 4. PyLocky also abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. ” continues the report.

To avoid analysis tools, such as sandboxes, the maòicious code sleeps for 999,999 seconds, roughly around 11.5 days, if the total visible memory of the infected system is less than 4GB.

The encryption routines are implemented using the PyCrypto library and leverage the 3DES (Triple DES) cipher. PyLocky enumerated logical drives of the hot and generates a list of files that it uses to overwrites each file in the list with an encrypted version.

At the end of the process, the ransomware drops a ransom note that could be in English, French, Korean, or Italian, a circumstance that suggests possible targets of the operators behind the threat.

PyLocky also sends to the command and control (C&C) server information about the infected system.

“PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defence in depth. For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today’s threats, there are different vectors at the attackers’ disposal, which makes a multi-layered approach to security important,” Trend Micro concludes.