A new strain of Python-based ransomware has been discovered that appears to be Locky, one of the most widely deployed ransomware variants in 2016. The new ransomware variant has been labelled PyLocky ransomware by security researchers at Trend Micro who have noticed using it in hacking campaigns in Europe, particularly France, throughout July and August.
The spam email campaigns were, at first, sent in comparatively small batches, although over time the volume of emails sharing PyLocky ransomware has surged significantly.
Various social engineering tactics are being employed by the hackers to get the ransomware installed, including fake invoices. The emails identified by Trend Micro have included an embedded hyperlink which sends users to a malicious webpage where a zip file is installed. The zip file includes PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be changed to standalone executable files.
If downloaded, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files saved on all logical drives will be encrypted and the original copies will be replaced. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are not linked. Ransom notes are written in French, English, Korean, and Italian so it is likely that the attacks will become more widespread over the coming days.
While Python is not normally used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been developed. Pyl33t was used in a number of attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant different is its anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.
The ransomware attacks Windows Management Instrumentation (WMI) to figure out the properties of the system on which it is downloaded. If the total visible memory of a system is 4GB or greater, the ransomware will execute instantly. If it is lower than 4GB, the ransomware will remain dormant for 11.5 days – an attempt to figure out if it is in a sandbox environment.