PyLocky Ransomware Source Code Leaked Online


Threat Summary

PyLocky is a new ransomware strain that was first detected in the wild in late July 2018, and whose volume of infections increased throughout August. The malware is usually distributed through malspam emails that claim to link to a payment invoice, and it features anti-detection and anti-sandbox capabilities. Notably, infection telemetry shows that PyLocky mainly targeted French and German cyberspace, but ransom notes also exist in Italian and Korean.

On September 11, 2018, we detected the leakage of PyLocky source code on Pastebin. Thus far, the incident has not received media attention; however, the paste was viewed by over 2,500 users. Our assessment is therefore that this leakage might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future.

PyLocky Ransomware

PyLocky is a new strain of ransomware written in the Python scripting language, and it apparently attempts to exploit the notoriety of the infamous Locky ransomware, one of the most prolific ransomware families of 2017. The name is possibly chosen to appear as a more substantial threat to victims, despite the malware being entirely unrelated to the original Locky. Reportedly, the malware first appeared in the wild at the end of July 2018, while subsequent distribution campaigns in August were found to primarily target French and German businesses via weaponized emails. Moreover, the ransom note is written in four languages (French, English, Italian, and Korean), possibly indicating that the operators plan to target more geographies in future campaigns.

Figure 1: Telemetry for PyLocky infections registered on August 24. Source: TrendMicro


Attack Vector

The malware is typically distributed through malspam emails purporting to be payment invoice messages (a prevalent social engineering lure used in numerous malspam campaigns), which entice the victim into clicking a malicious link that, in turn, triggers the infection process.

Figure 2: Example of a weaponized email targeting French users in early August 2018

Notably, the malicious URL leads to a ZIP file containing both the malware's supporting components and the executable itself. Upon execution, the malware encrypts files matching a hardcoded list of over 150 file extensions, using the Triple DES (3DES) cipher from the PyCrypto library, and then establishes communication with its C&C server.

Anti-Detection, Anti-Sandbox Capabilities

PyLocky implements an anti-detection capability by combining Inno Setup Installer and PyInstaller, two legitimate open source programs, to wrap the Python payload inside a signed installer. The technique hinders static malware analysis, as well as machine learning-based AV software. Notably, other ransomware strains, such as Cerber, have employed analogous packaging techniques in the past. Furthermore, the malware also features an anti-sandbox capability: should it detect that the system's total visible memory size is smaller than 4GB, a symptom of running in a sandbox environment, it remains inactive for over 11.5 days before proceeding.
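The two techniques in the paragraph above each give a defender something concrete to check. The following Python is an added example written for this page, not PyLocky's own code: the first helper performs a static triage check for a PyInstaller bundle by locating and parsing the 88-byte archive cookie that PyInstaller 2.1 and later append to the executable (the cookie starts with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e); the second reproduces the memory-size sandbox heuristic so an analyst can see which VM sizes trigger the dormant path. The 4GB threshold is taken from the text; the 999,999-second sleep (about 11.57 days) and the sample bundle bytes are constructed assumptions for illustration.

```python
"""Added example (not PyLocky's own code): PyInstaller cookie triage and the
memory-size sandbox heuristic described in the text."""
import struct
import sys
from typing import Dict, Optional, Tuple

# PyInstaller CArchive cookie: 8-byte magic, package length, TOC offset,
# TOC length, Python version (e.g. 27, 37), and the Python DLL name.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"          # layout used by PyInstaller >= 2.1
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes

# Assumed constants for the sandbox heuristic (4 GB from the text; the sleep
# length is an illustrative value, 999,999 s is about 11.57 days).
SANDBOX_MEMORY_THRESHOLD = 4 * 1024 ** 3
DORMANT_SLEEP_SECONDS = 999_999


def find_pyinstaller_cookie(data: bytes) -> int:
    """Return the offset of the last PyInstaller cookie magic in data, or -1."""
    return data.rfind(PYINSTALLER_MAGIC)


def parse_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Parse the cookie so an analyst can see the bundled Python version/DLL."""
    off = find_pyinstaller_cookie(data)
    if off < 0 or off + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FORMAT, data, off)
    return {
        "offset": off,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyvers,
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def sandbox_decision(total_visible_memory_bytes: int) -> Tuple[str, int]:
    """Model the heuristic: below the threshold the sample goes dormant."""
    if total_visible_memory_bytes < SANDBOX_MEMORY_THRESHOLD:
        return ("sleep", DORMANT_SLEEP_SECONDS)
    return ("run", 0)


def total_physical_memory() -> int:
    """Best-effort total RAM in bytes on this host (what a sandbox would expose)."""
    if sys.platform == "win32":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                        ("ullTotalPhys", ctypes.c_ulonglong),
                        ("ullAvailPhys", ctypes.c_ulonglong),
                        ("ullTotalPageFile", ctypes.c_ulonglong),
                        ("ullAvailPageFile", ctypes.c_ulonglong),
                        ("ullTotalVirtual", ctypes.c_ulonglong),
                        ("ullAvailVirtual", ctypes.c_ulonglong),
                        ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

        status = MEMORYSTATUSEX()
        status.dwLength = ctypes.sizeof(MEMORYSTATUSEX)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(status))
        return int(status.ullTotalPhys)
    import os
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")


# Constructed sample: a fake "MZ" stub followed by a PyInstaller 2.1-style cookie
# claiming a Python 2.7 bundle. Not a real PyLocky file.
SAMPLE_BUNDLE = b"MZ" + b"\x00" * 100 + struct.pack(
    COOKIE_FORMAT, PYINSTALLER_MAGIC, 1000, 200, 800, 27, b"python27.dll")

if __name__ == "__main__":
    print("cookie:", parse_pyinstaller_cookie(SAMPLE_BUNDLE))
    ram = total_physical_memory()
    print("this host: %.1f GB ->" % (ram / 1024 ** 3), sandbox_decision(ram))
```

A sandbox that exposes at least 4GB of RAM to the guest will take the "run" path and actually detonate the sample; the cookie parser is a cheap first-pass indicator that a dropped executable is bundled Python and should be unpacked before any deeper static analysis.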


PyLocky Source Code Leaked on Pastebin

On September 11, 2018 (3:43:21 PM GMT+3), by means of our Dark Alert system, we detected the leakage of PyLocky source code on the Pastebin text-sharing platform. The untitled paste was published by an unidentified actor who accessed the platform as a "Guest." The code consists of 226 lines of Python and, as of the time of writing, had been viewed 3,000 times.

Figure 3: The paste in which the PyLocky ransomware’s source code was leaked. Source: Verint DarkAlert™

Of note, we did not detect any chatter regarding this leakage on OSINT or on the Dark Web sources that we monitor, apart from an isolated discussion on Reddit, where a link to the original paste was shared in a hacking subreddit. Nonetheless, as analogous past cases suggest (for example, the Mirai botnet source code leakage in late 2016, which led to devastating DDoS attacks), the introduction of malware source code into the public sphere generally leads to widespread adoption of the code, or parts of it, by a variety of threat actors. This enables less skilled actors, the so-called "script kiddies," to mount cyber-attacks with relatively little effort, which in turn can lead to a significant increase in malspam campaigns and infections.

Threat Assessment

In light of the recent source code leakage, the significant visibility the paste accrued, and the absence of an available decryptor for PyLocky at this time, we assess with medium confidence that we will observe a proliferation of this ransomware strain in the future, making it a potential threat to businesses and individuals alike.


Author: Verint Cyber Threat Intelligence Research Team

Verint's Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis. Our research team monitors, analyzes and validates threat actors' malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research team regularly produces threat alerts and intelligence reports based on region, industry and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, enhance resilience and prevent future attacks.