PyLocky Ransomware Source Code Leaked Online
PyLocky represents a new ransomware strain that was detected in the wild in late July 2018, and whose volume of infections increased throughout the month of August. The malware is usually distributed through malspam emails claiming to link to a fake payment invoice, and it features advanced anti-detection and anti-sandbox capabilities. Notably, infection telemetry data shows that PyLocky mainly targeted France and German cyberspace, but ransom notes also exist in Italian and Korean.
On September 11, 2018, we detected the leakage of PyLocky source code on Pastebin. Thus far, the incident has not received media attention; however, the paste has been viewed by over 2,500 users. Therefore, our assessment is that this leakage might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future.
PyLocky is a new strain of ransomware written in the Python scripting language, and it apparently attempts to exploit the notoriety of the infamous Locky ransomware – one of the most prolific ransomware families in 2017. This is possibly intended to make the malware appear a more substantial threat to victims, despite its being entirely unrelated to the original Locky ransomware. Reportedly, the malware first appeared in the wild at the end of July 2018, while subsequent distribution campaigns were found to primarily target French and German businesses via weaponized emails in August. Moreover, the ransom note is written in four different languages – French, English, Italian, and Korean – possibly indicating that the malware operators plan to target more geographies in future campaigns.
Figure 1: Telemetry for PyLocky infections registered on August 24. Source: TrendMicro
The malware is typically distributed through malspam emails, purporting to be payment invoice messages (a prevalent social engineering method used in numerous malspam campaigns), and enticing the victim into clicking on a malicious URL link which, in turn, triggers the infection process.
Figure 2: Example of a weaponized email targeting French users in early August 2018
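The lure described above (an invoice-themed message whose only purpose is to get the recipient to follow a link) lends itself to a simple mail-gateway triage rule. The following is an added example written for this post, not code from Verint or from PyLocky: it parses raw messages with Python's standard `email` module, looks for invoice/payment wording in the languages the campaigns targeted, extracts links from the body, and flags for review only those messages that combine the lure wording with a link to a host outside a (hypothetical) allowlist. The three messages and the `TRUSTED_HOSTS` set are constructed.

```python
"""Added example: heuristic triage for invoice-themed malspam of the kind the
post describes. Not code from the Verint post or from PyLocky; SAMPLE_MESSAGES
are constructed and TRUSTED_HOSTS is a hypothetical allowlist."""
import email
import re
from email import policy
from typing import Dict, List
from urllib.parse import urlparse

# Lure vocabulary covering the languages the post associates with the campaigns.
INVOICE_TERMS = ("invoice", "facture", "rechnung", "payment", "paiement", "zahlung")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Hypothetical: hosts from which this organisation legitimately receives invoice links.
TRUSTED_HOSTS = {"billing.example.com"}


def text_parts(msg) -> List[str]:
    """Return the decoded text/plain and text/html bodies of a parsed message."""
    bodies = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_content())
    return bodies


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(raw_message: str) -> Dict[str, object]:
    """Flag a message for analyst review when it combines invoice/payment wording
    with a link to a host outside the allowlist. Either signal alone is not enough:
    real invoices mention payment, and newsletters carry external links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "")
    bodies = text_parts(msg)
    haystack = (subject + " " + " ".join(bodies)).lower()
    lure_terms = [term for term in INVOICE_TERMS if term in haystack]
    urls = [u for body in bodies for u in URL_RE.findall(body)]
    external = [u for u in urls if host_of(u) not in TRUSTED_HOSTS]
    verdict = "review" if lure_terms and external else "pass"
    return {"subject": subject, "lure_terms": lure_terms,
            "external_urls": external, "verdict": verdict}


def triage_mailbox(raw_messages: List[str]) -> List[Dict[str, object]]:
    return [triage(raw) for raw in raw_messages]


# Constructed sample messages (not real campaign samples).
SAMPLE_MESSAGES = [
    # 1. invoice lure pointing at an unknown host -> review
    "From: compta@example.org\n"
    "To: user@example.com\n"
    "Subject: Facture impayee - action requise\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "\n"
    "Bonjour,\n"
    "Votre facture est disponible ici :\n"
    "http://invoice-download.example.net/facture.zip\n",
    # 2. genuine invoice from the allowlisted billing host -> pass
    "From: billing@example.com\n"
    "To: user@example.com\n"
    "Subject: Your invoice for March\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "\n"
    "Your invoice is available at\n"
    "https://billing.example.com/inv/1234\n",
    # 3. external link but no invoice wording -> pass
    "From: news@example.org\n"
    "To: user@example.com\n"
    "Subject: Team newsletter\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "\n"
    "Read more:\n"
    "https://news.example.net/edition-12\n",
]

if __name__ == "__main__":
    for result in triage_mailbox(SAMPLE_MESSAGES):
        print(result["verdict"], "-", result["subject"], result["external_urls"])
```

A rule this coarse is a triage aid, not a blocking control: it surfaces candidates for an analyst or for URL detonation, and the allowlist is what keeps genuine supplier invoices from being flagged.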
Anti-Detection, Anti-Sandbox Capabilities
PyLocky implements an advanced anti-detection capability, using a combination of Inno Setup Installer and PyInstaller, two legitimate open source programs. The technique hinders static malware analysis, as well as machine learning-based AV software. Notably, other ransomware strains, like Cerber, implemented analogous techniques in the past. Furthermore, the malware also features an anti-sandbox capability: it remains inactive for over 11.5 days if it detects that the system’s total visible memory size is smaller than 4GB, a common indicator of a sandbox environment.
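The memory check matters to defenders mainly as a sandbox-provisioning question: an analysis VM with less than 4GB of visible memory will never see the sample's real behaviour, because no detonation window lasts 11.5 days. The script below is an added example, not Verint's or PyLocky's code; it reads a constructed CSV inventory of analysis VMs (memory in kilobytes, the unit in which the Windows `TotalVisibleMemorySize` property is reported, plus each sandbox's observation window in seconds) and reports which VMs the check would defeat. The VM names and figures are made up, and since the post does not say whether the malware compares against 4 GiB or 4 GB, the threshold here is an assumption and VMs should be sized comfortably above it.

```python
"""Added example (not from the Verint post and not PyLocky's code): given an
inventory of analysis VMs, determine which ones would trip the memory-based
sandbox check the post describes (total visible memory below 4 GB => the sample
stays inactive for over 11.5 days) and therefore never detonate within the
sandbox's observation window. The CSV inventory is constructed."""
from dataclasses import dataclass
from typing import Dict, List

GIB = 1024 ** 3
# The post says "smaller than 4GB"; whether the comparison uses GiB or GB is not
# stated, so this threshold is an assumption. Size analysis VMs well above it.
MEMORY_THRESHOLD_BYTES = 4 * GIB
SLEEP_SECONDS = int(11.5 * 24 * 60 * 60)    # "over 11.5 days" of inactivity


@dataclass
class VmProfile:
    name: str
    total_visible_memory_bytes: int
    observation_window_seconds: int


def parse_inventory(csv_text: str) -> List[VmProfile]:
    """Parse 'name,total_visible_memory_kb,observation_window_s' lines;
    blank lines and '#' comments are skipped. Memory is converted KB -> bytes."""
    profiles = []
    for line in csv_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, mem_kb, window_s = (field.strip() for field in line.split(","))
        profiles.append(VmProfile(name, int(mem_kb) * 1024, int(window_s)))
    return profiles


def trips_memory_check(profile: VmProfile) -> bool:
    """True when the VM looks like a sandbox to the check the post describes."""
    return profile.total_visible_memory_bytes < MEMORY_THRESHOLD_BYTES


def window_outlasts_sleep(profile: VmProfile) -> bool:
    """True only if the sandbox keeps observing for longer than the sleep."""
    return profile.observation_window_seconds > SLEEP_SECONDS


def assess(profile: VmProfile) -> str:
    if not trips_memory_check(profile):
        return "detonates"               # memory check passed; behaviour observable
    if window_outlasts_sleep(profile):
        return "detonates-after-sleep"   # needs a window of more than 11.5 days
    return "evaded"                      # sample sleeps past the end of the window


def assess_inventory(csv_text: str) -> Dict[str, str]:
    return {p.name: assess(p) for p in parse_inventory(csv_text)}


# Constructed inventory: 2 GiB / 5 min, 8 GiB / 10 min, 3 GiB / 1 day.
SAMPLE_INVENTORY = """
# name,total_visible_memory_kb,observation_window_s   (constructed values)
SANDBOX-01,2097152,300
SANDBOX-02,8388608,600
SANDBOX-03,3145728,86400
"""

if __name__ == "__main__":
    for name, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

The point the output makes is that a longer observation window does not help against this particular evasion (SANDBOX-03 runs for a full day and is still defeated); only raising the VM's visible memory above the threshold does.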
PyLocky Source Code Leaked on Pastebin
On September 11, 2018 (3:43:21 PM GMT +3), by means of our Dark Alert system, we detected the leakage of PyLocky source code on the Pastebin text-sharing platform. The untitled paste was published by an unidentified actor who accessed the platform as a “Guest.” The code consists of 226 lines written in Python and had been seen by 3,000 viewers as of the time of writing.
Figure 3: The paste in which the PyLocky ransomware’s source code was leaked. Source: Verint DarkAlert™
In light of the recent source code leakage, the significant visibility the paste accrued, and the absence of an available decryptor for PyLocky at this time, we assess with medium confidence that we will observe a proliferation of this ransomware strain in the future, making it a potential threat to businesses and individuals alike.
Author: Verint Cyber Threat Intelligence Research Team
Verint’s Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis.
Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research team regularly produces threat alerts and intelligence reports based on region, industry and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, to enhance resilience and prevent future attacks.