A Closer Look At The Locky Poser, PyLocky Ransomware
(Sep 10, 2018)
A new ransomware family that poses as a variant of Locky, dubbed “PyLocky,” has recently been observed being distributed through spam emails. The campaign targeted French businesses with phishing emails posing as invoice receipts. Each email contains a link that, if clicked, redirects the user to a malicious URL hosting PyLocky. The URL leads to a ZIP file containing a signed executable; when run, it drops the malware components, which include several C++ and Python libraries and the Python 2.7 core dynamic-link library (DLL), alongside the ransomware executable. The malware then encrypts archive files, databases, documents, images, programs, games, and videos, among others. After encryption, the ransomware displays a ransom note in English, French, Korean, and Italian, suggesting that Italian and Korean speakers may also be targets. The note states that victims must purchase a decryptor via the Tor browser to recover their files and threatens that the price will increase over time. The threat actors allow victims to decrypt one image file for free as proof that the decryptor works. PyLocky also features anti-machine-learning capabilities, which make static analysis of the malware more difficult.
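Two of the behaviours described above are observable on an endpoint: the Python 2.7 core DLL being dropped next to a freshly extracted executable under a temporary or download directory, and a burst of modifications across many of the listed file categories once encryption starts. The following script is an added example (not code from the original write-up or from any vendor) that runs both checks over a constructed file-event log. The file name `python27.dll`, the temp/download path pattern, the extension lists per category, and the burst thresholds are all this example's own assumptions and should be tuned to the environment.

```python
"""Added example: flag PyLocky-style behaviour in constructed file-event logs.

Each event line is 'ISO-timestamp|host|op|path', where op is one of
create / write / rename. Everything here is constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# The write-up names the categories; the extensions per category are assumed.
TARGET_EXTENSIONS = {
    "archive": {".zip", ".rar", ".7z", ".tar", ".gz"},
    "database": {".db", ".sqlite", ".mdb", ".accdb", ".sql"},
    "document": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"},
    "image": {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".psd"},
    "video": {".mp4", ".avi", ".mkv", ".mov"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in TARGET_EXTENSIONS.items() for ext in exts}

# Assumed file name of the Python 2.7 core DLL on Windows (the write-up only
# says "Python 2.7 Core dynamic-link library").
PYTHON_CORE_DLL = "python27.dll"
# Assumed staging locations for a ZIP that was downloaded and extracted.
DROP_DIR_PATTERN = re.compile(r"\\(temp|downloads)\\", re.IGNORECASE)


def parse_event(line):
    """Parse one 'ts|host|op|path' line into a dict."""
    ts, host, op, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "op": op, "path": path}


def find_bundled_python_drops(events, max_gap=timedelta(seconds=120)):
    """Return (host, directory) pairs where python27.dll and a new .exe were
    created within max_gap of each other under a temp/download path."""
    by_dir = defaultdict(list)
    for ev in events:
        if ev["op"] != "create" or not DROP_DIR_PATTERN.search(ev["path"]):
            continue
        p = PureWindowsPath(ev["path"])
        by_dir[(ev["host"], str(p.parent).lower())].append((ev["ts"], p.name.lower()))
    hits = []
    for (host, directory), files in by_dir.items():
        dll_times = [t for t, name in files if name == PYTHON_CORE_DLL]
        exe_times = [t for t, name in files if name.endswith(".exe")]
        if any(abs(d - e) <= max_gap for d in dll_times for e in exe_times):
            hits.append((host, directory))
    return sorted(hits)


def find_encryption_bursts(events, window=timedelta(seconds=60),
                           min_files=20, min_categories=3):
    """Return hosts that write/rename at least min_files target-type files
    spanning at least min_categories categories inside one sliding window."""
    per_host = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in ("write", "rename"):
            continue
        category = EXT_TO_CATEGORY.get(PureWindowsPath(ev["path"]).suffix.lower())
        if category is None:
            continue
        q = per_host[ev["host"]]
        q.append((ev["ts"], category))
        while q and ev["ts"] - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= min_files and len({c for _, c in q}) >= min_categories:
            flagged.add(ev["host"])
    return sorted(flagged)


def constructed_log():
    """Constructed sample: one quiet workstation and one matching both checks."""
    t0 = datetime(2018, 9, 10, 9, 0, 0)
    stamp = lambda secs: (t0 + timedelta(seconds=secs)).isoformat()
    lines = [
        f"{stamp(0)}|ws-quiet|write|C:\\Users\\alice\\Documents\\report.docx",
        f"{stamp(300)}|ws-quiet|write|C:\\Users\\alice\\Pictures\\cat.jpg",
        # A signed executable extracted from a ZIP, then the Python core DLL beside it.
        f"{stamp(0)}|ws-hit|create|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice\\example_invoice.exe",
        f"{stamp(5)}|ws-hit|create|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice\\python27.dll",
    ]
    # Thirty renames across several categories inside 40 seconds.
    exts = [".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".sqlite", ".mp4"]
    for i in range(30):
        lines.append(f"{stamp(10 + i)}|ws-hit|rename|C:\\Users\\bob\\Documents\\file{i}{exts[i % len(exts)]}")
    return lines


if __name__ == "__main__":
    evs = [parse_event(line) for line in constructed_log()]
    print("bundled Python drops:", find_bundled_python_drops(evs))
    print("encryption bursts:", find_encryption_bursts(evs))
```

The burst check deliberately requires several categories, not just a file count: a build job or backup agent touches many files of one kind, whereas the encryption phase described above touches documents, images, archives and databases together. The DLL check is a weak signal on its own (legitimate Python-bundled installers produce the same pattern), which is why the two are reported separately and are meant to be correlated with the phishing-link and ZIP-download context rather than used as a sole trigger.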
Recommendation: Defense in depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to ensure safety from APTs, with a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Organizations need to follow the 3-2-1 rule for backup storage: keep at least 3 copies of data, on 2 different media, with 1 copy off-site. Ensure that your organization practices good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily guessable and do not keep the default administrative passwords, which are typically weak. Keep firewalls and antivirus software updated so that systems can detect breaches or threats as early as possible and reduce the severity of the consequences. Educate employees on the dangers of phishing emails and teach them how to recognize malicious emails. Symantec also recommends encrypting sensitive data at rest and in transit to mitigate the damage of potential breaches.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.