Story image

Cisco Talos releases PyLocky ransomware decryptor - but there's a catch

14 Jan 19

Security firm Cisco Talos has released a free decryption tool for Windows users affected by the PyLocky ransomware – but it won’t work for everyone.

PyLocky is an imitation of the notorious ‘Locky’ ransomware, except it is written in a programming language called Python. The ransomware tries to mimic other ransomware families.
While ransomware is a menace to those who happen to be infected by it, decryption tools can often reverse the damage. In PyLocky’s case Cisco Talos managed to create a decryption tool, but there’s a very big catch.

The tool will only work for those who managed to capture a PCAP of the outbound connection attempt to the ransomware’s command & control servers – a connection that happens mere seconds after the infection.
In a nutshell, the PyLocky ransomware decryptor will only work on machines that have network traffic monitoring capabilities.

According to Cisco Talos, PyLocky generates a random user ID and password when it executes. It also gathers information about the infected machine by using WMI wrappers.

"After obtaining the absolute path of every file on the system, the malware then calls the encryption algorithm, passing it the IV and password.”

Each file is first base64-encoded before it is encrypted. The malware appends the extension ".lockedfile" to each file it encrypts - for example, the file "picture.jpg" would become "picture.jpg.lockedfile." 

Each file is then overwritten with a ransom demand.

For those victims who do use network monitoring software, they just need to download the decryptor to their infected machine, download WinPcap, specify the PCAP file with IV and password, and wait for the decryptor to do its thing. The company says that during its testing phase, the decryptor was able to recover three infected systems, however very large files 4GB and over may not be able to be decrypted.

The company says the decryptor is built for use on Windows systems and takes no responsibility for misuse of the decryptor tool.

“Talos encourages users never to pay an attacker-demanded ransom, as this rarely results in the recovery of encrypted files. Rather, victims of this ransomware should restore from backups if their files cannot be decrypted. Just as in the June 2017 Nyetya attack, Talos has observed on numerous occasions that attackers who are demanding ransoms may have no way to communicate with victims to provide a decryptor,” says Cisco Talos.
 

Comms providers hit by most DDoS attacks in Q3 2018
New data indicates attackers preyed on the large attack surface of ASN-level communications service providers with a ‘bit-and-piece’ approach.
Check Point launches hyperscale network security solution
With Check Point Maestro, organisations can scale up their existing Check Point security gateways on demand.
Should AI technology determine the necessity for cyber attack responses?
Fujitsu has developed an AI that supposedly automatically determines whether action needs to be taken in response to a cyber attack.
Trend Micro’s telecom security solution certified as VMware-ready
Certification by VMware allows communications service providers who prefer or have already adopted VMware vCloud NFV to add network security services from Trend Micro.
Frost & Sullivan honours Honeywell's IIoT value creation
Frost & Sullivan has awarded Honeywell with the 2018 Global Customer Value Leadership Award for its work protecting industrial internet of things (IIoT) customers.
Top cybersecurity threats of 2019 – Carbon Black
Carbon Black chief cybersecurity officer Tom Kellermann combines his thoughts with those of Carbon Black's threat analysts and security strategists.
Google's €50m fine a wake up call for big data analytics
Data analytics are essential to company growth, competitive differentiation, and innovation. But there’s now a huge challenge.
UK security startup Barac sets sights on America
“Malware hidden in encrypted traffic is one of the biggest threats organisations are facing today,” says new EVP global sales.