# A Closer Look at the Locky Poser, PyLocky Ransomware

Source: [blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/](https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/)

September 10, 2018

_Updated as of September 10, 2018, 6:40 PM PDT to update how PyLocky establishes C&C connection._

While [ransomware](https://www.trendmicro.com/vinfo/tmr/?/us/security/definition/ransomware) has noticeably plateaued in today’s threat landscape, it’s still a cybercriminal staple. In fact, it [saw a slight increase in activity in the first half of 2018](https://www.trendmicro.com/vinfo/tmr/?/us/security/research-and-analysis/threat-reports/roundup/unseen-threats-imminent-losses), keeping pace by being fine-tuned to evade security solutions or, in the case of PyLocky (detected by Trend Micro as RANSOM_PYLOCKY.A), by [imitating established ransomware families](https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/) and riding on their notoriety.

In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. Although it tries to pass itself off as Locky in its ransom note, PyLocky is unrelated to Locky. PyLocky is written in Python, a popular scripting language, and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables. Ransomware written in Python isn’t new; we’ve already seen [CryPy (RANSOM_CRYPY.A) in 2016](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/ransomware-recap-sept-9-2016) and [Pyl33t (RANSOM_CRYPPYT.A) in 2017](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/ransomware-recap-torrentlocker-s-new-tactics). What makes PyLocky notable is its anti-machine-learning capability.
Through the combined use of Inno Setup Installer (an open-source, script-based installer) and PyInstaller, it posed a challenge to static analysis methods, including machine learning-based solutions, something we have already seen [variants of Cerber do (although Cerber used the NullSoft installer)](https://blog.trendmicro.com/en_us/research/17/c/cerber-starts-evading-machine-learning.html).

PyLocky’s distribution also appears to be concentrated; we saw several spam emails targeting European countries, particularly France. And though the spam run started out small, its volume and scope eventually increased.

_Figure 1: Distribution of PyLocky-related spam runs on August 2 (left) and August 24 (right)_

_Figure 2: PyLocky’s ransom note pretending to be the Locky ransomware_

**Infection Chain**

On August 2, we detected a spam run distributing PyLocky to French businesses, luring them with socially engineered subject lines such as those related to invoices. The email entices the user to click a link, which redirects the user to a malicious URL hosting PyLocky.

_Figure 3: Spam email with the subject line “Nous avons reçu votre paiement,” which means “We have received your payment”_

The malicious URL leads to a ZIP file (Facture_23100.31.07.2018.zip) that contains a signed executable (Facture_23100.31.07.2018.exe). When successfully run, Facture_23100.31.07.2018.exe drops its malware components (several C++ and Python libraries and the Python 2.7 core dynamic-link library, DLL) along with the main ransomware executable (lockyfud.exe, which was created via PyInstaller) in C:\Users\{user}\AppData\Local\Temp\is-{random}.tmp.

_Figure 4: The digital signature information of the ZIP file (top), and PyLocky-related malware components (bottom)_

PyLocky encrypts image, video, document, sound, program, game, database, and archive files, among others.
Here’s the list of file types PyLocky encrypts:

_.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt., .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent_

_Figure 5: Code snippets showing PyLocky querying system properties (top), and being configured to sleep for a certain time to evade traditional sandbox solutions (bottom)_

**Encryption routine**

PyLocky is configured to encrypt a hardcoded list of file extensions. PyLocky also abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. For its anti-sandbox capability, PyLocky sleeps for 999,999 seconds (just over 11.5 days) if the affected system’s total visible memory size is less than 4GB; the file encryption routine executes only if it is greater than or equal to 4GB. After encryption, PyLocky establishes communication with its command-and-control (C&C) server.

PyLocky implements its encryption routine using the PyCrypto library with the 3DES (Triple DES) cipher.
PyLocky iterates through each logical drive, first generating a list of files before calling the ‘efile’ method, which overwrites each file with an encrypted version, then drops the ransom note. PyLocky’s ransom notes are in English, French, Korean, and Italian, which suggests it may also target Korean- and Italian-speaking users. It also sends the affected system’s information to the C&C server via POST.

_Figure 6: Code snippets showing PyLocky’s C&C communication (top) and encryption routine (bottom)_

_Figure 7: PyLocky’s ransom notes in different languages_

**Mitigation and Trend Micro Solutions**

PyLocky’s evasion techniques and [abuse of legitimate tools typically reserved for administrators](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/security-technology/2017-notably-abused-system-administration-tools-and-protocols) further exemplify the significance of defense in depth. For instance, machine learning is a valuable cybersecurity tool for detecting unique malware, but it is not a silver bullet. With today’s threats, attackers have different vectors at their disposal, which makes a multi-layered approach to security important. [Apply best practices](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/best-practices-ransomware): regularly back up files, keep the system updated, [secure the use of system components](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/best-practices-securing-sysadmin-tools), and [foster a culture of cybersecurity awareness](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/why-ransomware-works-psychology-and-methods-to-distribute-infect-and-extort).
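The infection chain and encryption routine described above leave host-observable artifacts that do not depend on a static signature: the Inno Setup stage extracts into `C:\Users\{user}\AppData\Local\Temp\is-{random}.tmp`, and the PyInstaller-built `lockyfud.exe` runs from that directory with `python27.dll` beside it. The following Python is an added example of correlating those two signals in endpoint telemetry; it is not code from the original post or from Trend Micro. The Sysmon-style JSON events, process ids and paths are constructed for illustration, and the rule that a legitimate Inno Setup bootstrap normally runs as a `.tmp` copy of the installer (rather than a `.exe`) is an assumption used to separate ordinary installers from the PyLocky dropper.

```python
import json
import re
from collections import defaultdict

# Inno Setup extraction directory (assumed layout, matching the path in the analysis):
# <drive>:\Users\<user>\AppData\Local\Temp\is-<random>.tmp\
INNO_TMP_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\is-[0-9a-z]+\.tmp\\", re.I
)
# PyInstaller bundles built against Python 2.7 carry the interpreter DLL with them.
PY27_DLL = re.compile(r"\\python27\.dll$", re.I)

# Constructed Sysmon-style events (one JSON object per line); not real telemetry.
SAMPLE_EVENTS = r"""
{"event":"ProcessCreate","pid":4120,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","parent":"C:\\Windows\\explorer.exe"}
{"event":"ProcessCreate","pid":5180,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\is-Q1B7K.tmp\\lockyfud.exe","parent":"C:\\Users\\alice\\Downloads\\Facture_23100.31.07.2018.exe"}
{"event":"ImageLoad","pid":5180,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\is-Q1B7K.tmp\\lockyfud.exe","loaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\is-Q1B7K.tmp\\python27.dll"}
{"event":"ProcessCreate","pid":6001,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\is-8ZZ2N.tmp\\setup.tmp","parent":"C:\\Users\\bob\\Downloads\\vlc-3.0.4-win64.exe"}
{"event":"ImageLoad","pid":6001,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\is-8ZZ2N.tmp\\setup.tmp","loaded":"C:\\Windows\\System32\\kernel32.dll"}
{"event":"ProcessCreate","pid":7002,"image":"C:\\Python27\\python.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"event":"ImageLoad","pid":7002,"image":"C:\\Python27\\python.exe","loaded":"C:\\Python27\\python27.dll"}
"""


def score_events(lines, min_reasons=2):
    """Correlate process-create and image-load events per pid.

    Returns {pid: (image, [reasons])} for every process that accumulated at
    least `min_reasons` independent indicators. A single indicator (e.g. any
    process running from an is-*.tmp directory) is normal for Inno Setup
    installers, so it is not enough on its own.
    """
    images = {}
    reasons = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        pid, image = ev["pid"], ev["image"]
        images[pid] = image

        if ev["event"] == "ProcessCreate" and INNO_TMP_DIR.match(image):
            reasons[pid].append("process runs from Inno Setup temp dir (is-*.tmp)")
            # Assumption: Inno Setup's own bootstrap runs as a .tmp copy of the
            # installer; a .exe living in that directory is an unpacked payload.
            if image.lower().endswith(".exe"):
                reasons[pid].append("payload executable, not Inno bootstrap, in is-*.tmp")

        if ev["event"] == "ImageLoad" and PY27_DLL.search(ev["loaded"]):
            if INNO_TMP_DIR.match(ev["loaded"]):
                reasons[pid].append("python27.dll loaded from is-*.tmp (PyInstaller bundle)")

    return {pid: (images[pid], r) for pid, r in reasons.items() if len(r) >= min_reasons}


if __name__ == "__main__":
    for pid, (image, why) in score_events(SAMPLE_EVENTS.splitlines()).items():
        print(f"pid {pid}: {image}")
        for w in why:
            print(f"    - {w}")
```

Run against the constructed events, only the `lockyfud.exe` process is reported; the VLC installer's `setup.tmp` collects one indicator and stays below the threshold, and a system-wide Python 2.7 interpreter loading `python27.dll` from `C:\Python27` is ignored because the DLL is not inside an `is-*.tmp` directory. The 4GB memory gate described in the encryption routine is the reason this kind of correlation matters: a sandbox configured with less visible memory never reaches the encryption stage, so the dropped-component artifacts may be the only behaviour it records.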
[Trend Micro XGen™ security](https://blog.trendmicro.com/en_us/business/products/all-solutions.html) provides a cross-generational blend of threat defense techniques against a full range of threats for [data centers](https://blog.trendmicro.com/en_us/business/products/hybrid-cloud/security-data-center-virtualization.html), [cloud environments](https://blog.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-migration-security.html), [networks](https://blog.trendmicro.com/en_us/business/products/network.html), and [endpoints](https://blog.trendmicro.com/en_us/business/products/user-protection.html). It features high-fidelity machine learning to secure the [gateway](https://blog.trendmicro.com/en_us/business/products/user-protection/sps.html) and [endpoint](https://blog.trendmicro.com/en_us/business/products/user-protection/sps.html) data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
**Indicators of Compromise (IoCs)**

_Hashes detected as RANSOM_PYLOCKY.A (SHA-256):_

- c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa
- 1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999

_Related hashes (SHA-256):_

- e172e4fa621845080893d72ecd0735f9a425a0c7775c7bc95c094ddf73d1f844 (Facture_23100.31.07.2018.zip)
- 2a244721ff221172edb788715d11008f0ab50ad946592f355ba16ce97a23e055 (Facture_23100.31.07.2018.exe)
- 87aadc95a8c9740f14b401bd6d7cc5ce2e2b9beec750f32d1d9c858bc101dffa (facture_31254872_18.08.23_{numbers}.exe)

_Related malicious URLs:_

- hxxps://centredentairenantes[.]fr (C&C server)
- hxxps://panicpc[.]fr/client[.]php?fac=676171&u=0000EFC90103
- hxxps://savigneuxcom[.]securesitefr[.]com/client.php?fac=001838274191030
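The IoCs above are published defanged (`hxxps://`, `[.]`), so they have to be refanged and normalized before they can be matched against proxy or EDR data. The Python below is an added example, not code from the original post or from Trend Micro: it refangs the three URLs, extracts exact hostnames, and checks constructed proxy log lines and constructed file-hash records against the indicators listed on this page. The proxy log format, workstation names and file paths are made up for the example; the hostnames and SHA-256 values are taken from the IoC list as given.

```python
import re
from urllib.parse import urlsplit

# IoCs exactly as published above (defanged).
DEFANGED_URLS = [
    "hxxps://centredentairenantes[.]fr",
    "hxxps://panicpc[.]fr/client[.]php?fac=676171&u=0000EFC90103",
    "hxxps://savigneuxcom[.]securesitefr[.]com/client.php?fac=001838274191030",
]
KNOWN_HASHES = {
    "c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa",
    "1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999",
    "e172e4fa621845080893d72ecd0735f9a425a0c7775c7bc95c094ddf73d1f844",
    "2a244721ff221172edb788715d11008f0ab50ad946592f355ba16ce97a23e055",
    "87aadc95a8c9740f14b401bd6d7cc5ce2e2b9beec750f32d1d9c858bc101dffa",
}


def refang(ioc):
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.I)
    return s.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(defanged_urls):
    """Exact lowercase hostnames from the refanged URLs.

    Matching is on the full hostname, not the parent domain: the third
    indicator is a subdomain of securesitefr[.]com, and widening the match
    to that parent could flag unrelated sites hosted under it.
    """
    return {urlsplit(refang(u)).hostname.lower() for u in defanged_urls}


# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2018-08-02T09:14:03Z 10.0.5.23 GET https://www.example.org/ 200
2018-08-02T09:16:41Z 10.0.5.23 POST https://centredentairenantes.fr/ 200
2018-08-02T09:20:10Z 10.0.5.40 GET https://panicpc.fr/client.php?fac=676171&u=0000EFC90103 200
2018-08-02T09:21:55Z 10.0.5.41 GET https://notpanicpc.fr/index.html 200
"""


def match_proxy_log(lines, hosts):
    """Return (timestamp, client, method, host) for requests to IoC hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        host = urlsplit(url).hostname
        if host and host.lower() in hosts:
            hits.append((ts, client, method, host.lower()))
    return hits


# Constructed EDR file records: (hostname, path, sha256).
SAMPLE_FILE_EVENTS = [
    ("WS-ALICE", r"C:\Users\alice\Downloads\Facture_23100.31.07.2018.zip",
     "E172E4FA621845080893D72ECD0735F9A425A0C7775C7BC95C094DDF73D1F844"),
    ("WS-BOB", r"C:\Users\bob\Downloads\report.pdf",
     "0000000000000000000000000000000000000000000000000000000000000000"),
]


def match_hashes(events, known):
    """Case-insensitive SHA-256 lookup against the published hash set."""
    return [e for e in events if e[2].lower() in known]


if __name__ == "__main__":
    hosts = ioc_hosts(DEFANGED_URLS)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG.splitlines(), hosts):
        print("proxy hit:", hit)
    for host, path, sha in match_hashes(SAMPLE_FILE_EVENTS, KNOWN_HASHES):
        print("hash hit:", host, path, sha[:12] + "...")
```

On the constructed data, the script reports the POST to the C&C host (consistent with PyLocky sending system information via POST) and the client.php request to panicpc.fr, while leaving the look-alike `notpanicpc.fr` alone; the ZIP download on WS-ALICE is flagged by its SHA-256 even though the EDR recorded it in uppercase.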