Test subject – PyLocky ransomware
PyLocky is a new ransomware which made its way to the digital world at the end of July, mostly via email campaigns. The core part is written in Python and it is packaged with PyInstaller. Besides the common ransomware-related features, it also exhibits a more complex behavior which prevents or hinders static and dynamic analysis performed by anti-virus products.
It is distributed through email campaigns or bundled alongside legitimate software, made with InnoSetup, so this should serve as a heads-up. Moreover, its main executable is also signed.
It’s also worth mentioning that this malware has nothing to do with the infamous Locky, which was among the first waves of global ransomware attacks a few years back, having a lot of other variants since then.
PyLocky ransomware test facts
Once the initial downloader executes on the target machine, it downloads a few files and then executes them. A noticeable feature is the fact that soon after it starts to run, it checks the total RAM available on the machine, and if the amount is less than 4 GB, then the malware sleeps for approximately 12 days. Consequently, AV engines could have a hard time tracking the real purpose of the program.
Among its initial actions, PyLocky also deletes the Shadow Volume Snapshots, to make sure any usual recovery attempts fail. It’s not among the fastest encrypting ransomware out there, as the entire process takes some time. Regarding the potential damage, it can be very consistent, because the ransomware attacks several types of files including documents, images, videos, archives, databases, installers, and others.
To encrypt files, it uses a Python library which implements the 3DES algorithm, and for each original file, two new files are created. One, which has the “.locky” extension and probably contains the encrypted data, and another, having the original name and extension. The latter is always 6kb, and despite its original extension, it’s a text file, containing the ransom note. The note is translated into a few languages and it’s also dropped as a separate text file in each attacked folders. Reports say that the ransom is usually around few hundred US dollars, but it may be negotiated. We do not encourage anybody to contact the cybercriminals, and as a basic rule, never pay any ransom, as there are no guarantees you will ever recover your files.
PyLocky ransomware test results
TEMASOFT Ranstop detects PyLocky ransomware easily once it starts encrypting files. Upon detection, the user is alerted, and the ransomware process is killed and quarantined. The affected files are automatically restored so that the user doesn’t lose her essential documents.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.