11 Jan 2019

PyLocky is ransomware written in Python that poses as a variant of Locky. Once it runs on a target machine it encrypts the victim's files and then demands a ransom in exchange for the key needed to decrypt them.

To counter it, Cisco Talos has released a free decryption tool. If your computer has been infected with PyLocky and you are looking for a way to unlock your files without paying the ransom, this is the tool to try.

The decryptor was written by Mike Bautista, a researcher in the company's threat intelligence unit. It is not a universal fix, though: to recover the files you must have captured the initial network traffic (a PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, something almost nobody does deliberately.

The reason is that the outbound connection in which the ransomware reports to its C2 server carries a string containing both the Initialization Vector (IV) and the password that the ransomware generated randomly to encrypt the files. Without those two values the decryptor cannot reconstruct the key, so the capture is the only way in. Organisations that run full packet capture or record outbound HTTP at the perimeter may therefore already have what the tool needs.
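To make the PCAP requirement concrete, here is an added example (written for this article, not Cisco Talos' decryptor) that walks a classic libpcap file, reassembles each TCP flow in sequence order and pulls the key material out of a plain-HTTP POST body. Everything about the beacon is an assumption for the demo: the field names `IV` and `PASSWORD`, the host name, the IP addresses and the hex/password values are constructed, and the capture itself is built in memory by `build_sample_pcap()` so the script runs offline. The real beacon layout is whatever the decryptor's own source handles.

```python
"""Pull the key material a PyLocky-style beacon sends to its C2 out of a packet capture.

Stand-alone example for this article, not Cisco Talos' decryptor. It assumes a
classic (non-pcapng) libpcap file of Ethernet frames and a plain-HTTP POST whose
form body carries IV=... and PASSWORD=... fields. Field names, host, addresses
and values are constructed for the demo.
"""
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _tcp_segments(pcap: bytes):
    """Yield (flow, seq, payload) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled here")
    offset = 24  # size of the global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_TCP:
            continue
        src, dst = ip[12:16], ip[16:20]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def reassemble_streams(pcap: bytes) -> dict:
    """Concatenate each flow's segments in sequence order (no retransmit handling)."""
    flows = {}
    for flow, seq, payload in _tcp_segments(pcap):
        flows.setdefault(flow, []).append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in flows.items()}


def extract_key_material(pcap: bytes) -> list:
    """Return one dict per HTTP POST body that carries both IV and PASSWORD fields."""
    found = []
    for stream in reassemble_streams(pcap).values():
        if not stream.startswith(b"POST "):
            continue
        _head, sep, body = stream.partition(b"\r\n\r\n")
        if not sep:
            continue  # headers never completed in this capture
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        if "IV" in fields and "PASSWORD" in fields:  # assumed field names
            found.append({k: v[0] for k, v in fields.items()})
    return found


def _frame(src_ip, sport, dst_ip, dport, seq, payload) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) wrapper around payload; checksums left zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0, src_ip, dst_ip)
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: a two-segment beacon delivered out of order, plus noise."""
    victim, c2 = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9])  # 203.0.113.0/24 is documentation space
    body = b"PCNAME=WIN-DEMO&IV=6f1ab2c3d4e5f607&PASSWORD=Zq3xV9mK2pL8wR4t"  # constructed values
    headers = (b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               + b"Content-Length: %d\r\n\r\n" % len(body))
    records = [
        _frame(victim, 49152, c2, 80, 1000 + len(headers), body),  # body arrives first
        _frame(victim, 49152, c2, 80, 1000, headers),              # headers second
        _frame(victim, 49153, bytes([10, 0, 0, 1]), 80, 1, b"GET / HTTP/1.1\r\n\r\n"),  # unrelated flow
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, rec in enumerate(records):
        out += struct.pack("<IIII", 1547200000 + i, 0, len(rec), len(rec)) + rec
    return out


if __name__ == "__main__":
    for hit in extract_key_material(build_sample_pcap()):
        print("IV=%s PASSWORD=%s" % (hit["IV"], hit["PASSWORD"]))
```

The reassembly step matters in practice: a beacon that straddles two segments, or whose segments are captured out of order, will not match a naive per-packet grep for `IV=`. Captures taken after the beacon was sent contain nothing useful, which is why the article stresses the initial traffic.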

PyLocky was first reported by researchers at Trend Micro in July 2018. Like most malware campaigns, it was spread through spam emails designed to trick victims into running the malicious PyLocky payload.

To evade sandbox analysis, PyLocky checks the system's total visible memory size. If it is less than 4 GB, the ransomware sleeps for 999,999 seconds (more than 11 and a half days), long past the point where an automated sandbox gives up; file encryption only proceeds on systems with 4 GB or more. An analysis VM provisioned with at least 4 GB of RAM therefore sidesteps this check.

PyLocky first base64-encodes each file's contents and then encrypts them using the randomly generated IV and password. It then displays a ransom note claiming to be a variant of the Locky ransomware and demanding payment in cryptocurrency to restore the files; the note warns that the ransom doubles every 96 hours until it is paid.

The PyLocky decryption tool can be downloaded from GitHub for free and run on the infected Windows computer.

Every user should follow some basic preventive measures to avoid becoming a ransomware victim:

Beware of phishing emails: never click links or open attachments in mail from unknown or unexpected senders.

Take regular backups: make sure all your important files and documents are backed up regularly, and keep a copy on an external storage device that is not permanently connected to your PC, so that ransomware cannot encrypt the backup as well.

Keep your antivirus software and system up to date: apply antivirus and operating system updates promptly to stay protected against known threats.
