
Victims of Pylocky ransomware can decrypt their files for free


Victims of the PyLocky Ransomware can use a tool released by security researcher Mike Bautista at Cisco Talos group to decrypt their files for free.

I have good and bad news for the victims of the PyLocky Ransomware. The good news is that security researcher Mike Bautista at Cisco Talos group released a decryption tool that allows them to decrypt their files for free.


The bad news is that recovery is not straightforward: the decryptor works only if the victim captured the initial network traffic (a PCAP file) exchanged between the PyLocky ransomware and its C2 infrastructure.

In this phase, the ransomware sends the command and control server information about the encryption process, including a string that contains the Initialization Vector (IV) and the random password the ransomware uses to encrypt the files.

“To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored.” reads the post published by Talos.

“If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.”

Each file is first encoded in base64, and then the ransomware encrypts it with a randomly generated Initialization Vector (IV) and password, the same pair being used for all the files on the infected system.

PyLocky was first spotted by Trend Micro in July 2018. It is written in Python and packaged with the PyInstaller tool, which is normally used to freeze Python programs into stand-alone executables.
The ransomware was distributed via spam emails, most of which targeted European countries, particularly France.

PyLocky stands out for its anti-machine-learning capability; it also leverages the open-source, script-based Inno Setup installer.

To evade analysis tools such as sandboxes, the malicious code sleeps for 999,999 seconds (roughly 11.5 days) if the total visible memory of the infected system is less than 4GB.

The encryption routines are implemented with the PyCrypto library and use the 3DES (Triple DES) cipher. PyLocky enumerates the logical drives of the host, builds a list of files, and overwrites each file in the list with its encrypted version.
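To illustrate why the captured callout is all the decryptor needs, here is an example written for this article (not the Talos decryptor and not PyLocky's own code): it reproduces the scheme described above, base64 encoding followed by 3DES in CBC mode under a random IV and password, on an in-memory string, and then recovers the string using only the IV and password taken from a constructed callout. The callout format (`iv=<hex>&pw=<string>`) and the key derivation (SHA-256 of the password truncated to 24 bytes) are assumptions made for the demo, not PyLocky's real format.

```shell
#!/bin/sh
# Example for this article, not PyLocky's code and not the Talos decryptor.
# Assumptions (constructed, not PyLocky's real format): the callout is an
# "iv=<hex>&pw=<string>" string, and the 3DES key is SHA-256(password) cut to
# 24 bytes. Requires openssl and GNU coreutils (base64, sha256sum).
set -e

# Constructed sample of the initial callout as it would be pulled out of the PCAP.
CAPTURED_CALLOUT='iv=0123456789abcdef&pw=s3cr3tRandomPassw0rd'

# Pull one field out of the callout string. $1 = callout, $2 = field name.
callout_field() {
    printf '%s' "$1" | tr '&' '\n' | sed -n "s/^$2=//p"
}

# Hypothetical derivation: 3DES needs a 24-byte key, here the first 24 bytes
# (48 hex chars) of SHA-256(password). $1 = password.
derive_key() {
    printf '%s' "$1" | sha256sum | cut -c1-48
}

# Build sample ciphertext the way the article says PyLocky treats a file:
# base64 first, then 3DES-CBC under the random IV and the password-derived key.
# $1 = plaintext, $2 = IV (hex), $3 = key (hex). Output is one line of base64.
encrypt_sample() {
    printf '%s' "$1" | base64 | openssl enc -des-ede3-cbc -K "$3" -iv "$2" -a -A
}

# Recovery: the IV and password come only from the captured callout, which is
# why an uncaptured callout leaves nothing to feed into the decryption.
# $1 = ciphertext (base64), $2 = captured callout string.
decrypt_with_callout() {
    iv=$(callout_field "$2" iv)
    key=$(derive_key "$(callout_field "$2" pw)")
    printf '%s' "$1" | openssl enc -d -des-ede3-cbc -K "$key" -iv "$iv" -a -A | base64 -d
}

# Round trip on a constructed message, then show a wrong password recovers nothing.
demo() {
    iv=$(callout_field "$CAPTURED_CALLOUT" iv)
    key=$(derive_key "$(callout_field "$CAPTURED_CALLOUT" pw)")
    ct=$(encrypt_sample "quarterly report: all systems nominal" "$iv" "$key")
    echo "recovered: $(decrypt_with_callout "$ct" "$CAPTURED_CALLOUT")"
    decrypt_with_callout "$ct" 'iv=0123456789abcdef&pw=guess' >/dev/null 2>&1 \
        || echo "wrong password from a guessed callout: no recovery"
}
demo
```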

At the end of the process, the ransomware drops a ransom note written in English, French, Korean, or Italian, which suggests the likely targets of the operators behind the threat.

The malware tries to pass itself off as a Locky variant: its ransom note claims to be a variant of that notorious ransomware.


The experts published the PyLocky ransomware decryption tool on GitHub.


Pierluigi Paganini

(SecurityAffairs – PyLocky, decryptor tool)
