{
	"id": "99b00f99-98f9-45a1-9485-05d61a306c9b",
	"created_at": "2026-04-06T00:21:08.68363Z",
	"updated_at": "2026-04-10T13:12:17.725392Z",
	"deleted_at": null,
	"sha1_hash": "612a3b291831f7e294e712e83edce0c53b6280ee",
	"title": "A Closer Look at the Locky Poser, PyLocky Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79654,
	"plain_text": "A Closer Look at the Locky Poser, PyLocky Ransomware\r\nBy Ian Kenefick, Mary Yambao, Alvin Nieto, Kerr Ang ( words)\r\nPublished: 2018-09-10 · Archived: 2026-04-05 23:04:51 UTC\r\nUpdated as of September 10, 2018, 6:40 PM PDT to update how PyLocky establishes C\u0026C connection.\r\nWhile ransomware has noticeably plateaued in today’s threat landscape, it’s still a cybercriminal staple. In fact, it\r\nsaw a slight increase in activity in the first half of 2018, keeping pace by being fine-tuned to evade security\r\nsolutions, or in the case of PyLocky (detected by Trend Micro as RANSOM_PYLOCKY.A), imitate established\r\nransomwareopen on a new tab families and ride on their notoriety.\r\nIn late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware.\r\nAlthough it tries to pass off as Locky in its ransom note, PyLocky is unrelated to Locky.open on a new tab\r\nPyLocky is written in Python, a popular scripting language; and packaged with PyInstaller, a tool used to package\r\nPython-based programs as standalone executables.\r\nRansomware written in Python isn’t new — we’ve already seen CryPynews- cybercrime-and-digital-threats\r\n(RANSOM_CRYPY.A) in 2016, and Pyl33tnews- cybercrime-and-digital-threats (RANSOM_CRYPPYT.A) in\r\n2017 — but PyLocky features anti-machine learning capability, which makes it notable. Through the combined\r\nuse of Inno Setup Installer (an open-source script-based installer) and PyInstaller, it posed a challenge to static\r\nanalysis methods, including machine learning-based solutions — something we have already seen variants of\r\nCerber do (although Cerber used NullSoft installer).\r\nPyLocky’s distribution also appears to be concentrated; we saw several spam emails targeting European countries,\r\nparticularly France. And though the spam run started out small, its volume and scope eventually increased.\r\nintelFigure 1: Distribution of PyLocky-related spam runs on August 2 (left) and August 24 (right)\r\nintel\r\nFigure 2: PyLocky’s ransom note pretending to be the Locky ransomware\r\nInfection Chain\r\nOn August 2, we detected a spam run distributing PyLocky to French businesses, luring them with socially\r\nengineered subject lines such as those related to invoices. The email entices the user to click a link, which\r\nredirects users to a malicious URL containing PyLocky.\r\nintelFigure 3: Spam email with the subject line, “Nous avons reçu votre paiement,\" which means “We have\r\nreceived your payment”.\r\nThe malicious URL leads to a ZIP file (Facture_23100.31.07.2018.zip) that contains a signed executable\r\n(Facture_23100.31.07.2018.exe). When successfully run, the Facture_23100.31.07.2018.exe will drop malware\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/\r\nPage 1 of 3\n\ncomponents — several C++  and Python libraries and the Python 2.7 Core dynamic-link library (DLL) — along\r\nwith the main ransomware executable (lockyfud.exe, which was created via PyInstaller ) in C:\\Users\\\r\n{user}\\AppData\\Local\\Temp\\is-{random}.tmp.\r\nintel\r\nintelFigure 4: The digital signature information of the ZIP file (top), and PyLocky-related malware components\r\n(bottom)\r\nPyLocky encypts image, video, document, sound, program, game, database, and archive files, among others.\r\nHere’s a list of file types PyLocky encrypts:\r\n.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3dm, .3ds, .max,\r\n.obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov,\r\n.mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key,\r\n.pps, .ppt., .pptx, .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods,\r\n.docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid, .mpa, .wav, .wma, .msi, .php, .apk, .app, .bat, .cgi,\r\n.com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb,\r\n.vcxproj, .dem, .gam, .nes, .rom, .sav, .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db,\r\n.dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent\r\nintel\r\nFigure 5: Code snippets showing PyLocky querying system properties (top), and being configured to sleep for a\r\ncertain time to evade traditional sandbox solutions  (bottom)\r\nEncryption routine\r\nPyLocky is configured to encrypt a hardcoded list of file extensions. PyLocky also abuses Windows Management\r\nInstrumentation (WMI) to check the properties of the affected system. For its anti-sandbox capability, PyLocky\r\nwill sleep for 999,999 seconds — or just over 11.5 days — if the affected system’s total visible memory size is\r\nless than 4GB. The file encryption routine executes if it is greater than or equal to 4GB.\r\nAfter encryption, PyLocky will establish communication with its command-and-control (C\u0026C) server. PyLocky\r\nimplements its encryption routines using PyCrypto library – using the 3DES (Triple DES) cipher. PyLocky\r\niterates through each logical drive, first generating a list of files before calling the ‘efile’ method, which\r\noverwrites each file with an encrypted version, then drops the ransom note.\r\nPyLocky’s ransom notes are in English, French, Korean, and Italian, which may suggest that it may also target\r\nKorean- and Italian-speaking users. It also sends the affected system’s information to the C\u0026C server via POST.\r\nintel\r\nintelFigure 6: Code snippets showing PyLocky’s C\u0026C communication (top) and encryption routine (bottom)\r\nintelFigure 7: PyLocky’s ransom notes in different languages\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/\r\nPage 2 of 3\n\nMitigation and Trend Micro Solutions\r\nPyLocky’s evasion techniques and abuse of legitimate toolsnews article typically reserved to administrators\r\nfurther exemplify the significance of defense in depth. For instance, machine learning is a valuable cybersecurity\r\ntool in detecting unique malware, but it is not a silver bullet. With today’s threats, there are different vectors at the\r\nattackers’ disposal, which makes a multi-layered approach to security important. Apply best practicesnews-cybercrime-and-digital-threats: regularly back up filesnews article, keep the system updated, securenews-cybercrime-and-digital-threats the use of system components, and fosternews- cybercrime-and-digital-threats a\r\nculture of cybersecurity awareness.\r\nTrend Micro XGen™ securityproducts provides a cross-generational blend of threat defense techniques against a\r\nfull range of threats for data centersproducts, cloud environmentsproducts, networksproducts,\r\nand endpointsproducts. It features high-fidelity machine learning to secure\r\nthe gatewayproducts and endpointproducts data and applications, and protects physical, virtual, and cloud\r\nworkloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™\r\nprotects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or\r\nundisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and\r\nconnected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and\r\nNetwork Defense.\r\nIndicators of Compromise (IoCs)\r\nHashes detected as RANSOM_PYLOCKY.A (SHA-256):\r\nc9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa\r\n1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999\r\nRelated hashes (SHA-256):\r\ne172e4fa621845080893d72ecd0735f9a425a0c7775c7bc95c094ddf73d1f844\r\n(Facture_23100.31.07.2018.zip)\r\n2a244721ff221172edb788715d11008f0ab50ad946592f355ba16ce97a23e055\r\n(Facture_23100.31.07.2018.exe)\r\n87aadc95a8c9740f14b401bd6d7cc5ce2e2b9beec750f32d1d9c858bc101dffa\r\n(facture_31254872_18.08.23_{numbers}.exe)\r\nRelated malicious URLs:\r\nhxxps://centredentairenantes[.]fr (C\u0026C server)\r\nhxxps://panicpc[.]fr/client[.]php?fac=676171\u0026u=0000EFC90103\r\nhxxps://savigneuxcom[.]securesitefr[.]com/client.php?fac=001838274191030\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/"
	],
	"report_names": [
		"a-closer-look-at-the-locky-poser-pylocky-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/612a3b291831f7e294e712e83edce0c53b6280ee.pdf",
		"text": "https://archive.orkl.eu/612a3b291831f7e294e712e83edce0c53b6280ee.txt",
		"img": "https://archive.orkl.eu/612a3b291831f7e294e712e83edce0c53b6280ee.jpg"
	}
}