{
	"id": "e7295cc0-c0e7-4b34-bcd5-d733f217dc8b",
	"created_at": "2026-04-06T02:11:10.629571Z",
	"updated_at": "2026-04-10T03:21:04.976737Z",
	"deleted_at": null,
	"sha1_hash": "ec6545f3ccfc8db042ef0ce302af2dd2975dae86",
	"title": "Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203109,
	"plain_text": "Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor\r\nBy Jonathan Munshaw\r\nPublished: 2019-01-10 · Archived: 2026-04-06 01:31:27 UTC\r\nThursday, January 10, 2019 10:56\r\nThis tool was developed by Mike Bautista.\r\nPyLocky is a family of ransomware written in Python that attempts to masquerade as a Locky variant. This ransomware encrypts all files on a victim machine before demanding that the user pay a ransom to regain access to their files. To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires a capture of the infected machine's initial PyLocky command and control (C2) traffic, it can only recover files on a machine whose network traffic was being monitored at the time of infection. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover the files. This is because the malware uses the initial callout to send the C2 server the parameters it later uses in the encryption process.\r\nWhen PyLocky executes, it generates a random user ID and password and gathers information about the infected machine using WMI wrappers. It also generates a random initialization vector (IV), which is base64-encoded and sent to the C2 server along with the system information the malware has gathered. After obtaining the absolute path of every file on the system, the malware calls the encryption routine, passing it the IV and password. Each file is base64-encoded before it is encrypted. The malware appends the extension \".lockedfile\" to each file it encrypts; for example, \"picture.jpg\" becomes \"picture.jpg.lockedfile\". The original file is then overwritten with the attacker's ransom note.\r\nhttps://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html\r\nExample of a PyLocky ransom note.
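The following is an added triage example written for this edit; it is not Talos code and not the Talos decryptor. It turns the indicators stated in this report (the .lockedfile extension the malware appends, the listed C2 domain names and the listed sample hashes, see Indicators of Compromise below) into checks that run over file names, file contents and DNS log lines. The DNS log layout (timestamp, client IP, queried name), the sample paths and the log lines are constructed assumptions, and the defanging brackets in the domains are removed for matching.

```python
# Added triage example, not Talos code or the Talos decryptor. It applies the
# indicators this report lists (the .lockedfile extension, the C2 domains and
# the sample hashes) to local file names, file contents and DNS log lines.
# The DNS log layout (timestamp, client IP, queried name) is an assumption.
import hashlib
import os
from typing import Iterable, List, Tuple

# Sample hashes from the report, normalised to lowercase for comparison.
PYLOCKY_SHA256 = {
    '1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999',
    '2a244721ff221172edb788715d11008f0ab50ad946592f355ba16ce97a23e055',
    '87aadc95a8c9740f14b401bd6d7cc5ce2e2b9beec750f32d1d9c858bc101dffa',
    'c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa',
}
# C2 domains from the report, with the defanging brackets removed.
PYLOCKY_DOMAINS = {
    'centredentairenantes.fr',
    'panicpc.fr',
    'savigneuxcom.securesitefr.com',
}
LOCKED_EXT = '.lockedfile'


def locked_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    '''Return (encrypted_path, original_name) pairs for paths that carry the
    .lockedfile extension the malware appends, e.g. picture.jpg.lockedfile.'''
    hits = []
    for path in paths:
        name = os.path.basename(path)
        if name.lower().endswith(LOCKED_EXT) and len(name) > len(LOCKED_EXT):
            hits.append((path, name[:-len(LOCKED_EXT)]))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str]]:
    '''Walk a directory tree and apply locked_files() to every file in it.'''
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(locked_files(os.path.join(dirpath, f) for f in files))
    return found


def is_known_sample(data: bytes) -> bool:
    '''True if the SHA256 of the given bytes is one of the listed samples.'''
    return hashlib.sha256(data).hexdigest() in PYLOCKY_SHA256


def hash_is_ioc(hexdigest: str) -> bool:
    '''True if a SHA256 hex string (any case) is one of the listed samples.'''
    return hexdigest.strip().lower() in PYLOCKY_SHA256


def normalise_host(host: str) -> str:
    '''Lowercase a queried name and drop the trailing dot of an FQDN.'''
    return host.strip().lower().rstrip('.')


def domain_is_ioc(host: str) -> bool:
    '''Match the host itself or any subdomain of a listed C2 domain.'''
    host = normalise_host(host)
    return any(host == d or host.endswith('.' + d) for d in PYLOCKY_DOMAINS)


def dns_hits(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    '''Return (timestamp, client, queried_name) for each log line whose
    queried name is a listed C2 domain. Assumed line layout: three or more
    whitespace-separated fields, the third being the queried name.'''
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and domain_is_ioc(fields[2]):
            hits.append((fields[0], fields[1], normalise_host(fields[2])))
    return hits


# Constructed sample input (not real victim data) for a stand-alone run.
SAMPLE_PATHS = [
    'C:/Users/alice/Pictures/picture.jpg.lockedfile',
    'C:/Users/alice/Documents/report.docx.lockedfile',
    'C:/Users/alice/Documents/notes.txt',
]
SAMPLE_DNS_LOG = '''2019-01-10T10:56:01Z 10.0.0.5 panicpc.fr
2019-01-10T10:56:02Z 10.0.0.5 www.example.org
2019-01-10T10:56:03Z 10.0.0.7 savigneuxcom.securesitefr.com.
2019-01-10T10:56:04Z 10.0.0.9 notpanicpc.fr'''.splitlines()

if __name__ == '__main__':
    for enc, orig in locked_files(SAMPLE_PATHS):
        print('encrypted:', enc, '-> original name:', orig)
    for ts, client, name in dns_hits(SAMPLE_DNS_LOG):
        print('C2 lookup:', ts, client, name)
    known = '1569F6FD28C666241902A19B205EE8223D47CCCDD08C92FC35E867C487EBC999'
    print('known sample:', hash_is_ioc(known))
```

The domain check deliberately matches subdomains of a listed name but not names that merely end in the same characters (notpanicpc.fr is not a hit), and hashes are compared case-insensitively because the report lists them in uppercase while most tooling emits lowercase hex.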
Talos encourages users never to pay an attacker-demanded ransom, as this rarely results in the recovery of encrypted files. Victims of this ransomware should instead restore from backups if their files cannot be decrypted. Just as in the June 2017 Nyetya attack, Talos has observed on numerous occasions that attackers demanding ransoms may have no way to communicate with victims to provide a decryptor.\r\nOur free decryption tool can be downloaded here.\r\nIndicators of Compromise\r\nDomain Names\r\ncentredentairenantes[.]fr\r\npanicpc[.]fr\r\nsavigneuxcom.securesitefr[.]com\r\nHashes (SHA256)\r\n1569F6FD28C666241902A19B205EE8223D47CCCDD08C92FC35E867C487EBC999\r\n2A244721FF221172EDB788715D11008F0AB50AD946592F355BA16CE97A23E055\r\n87AADC95A8C9740F14B401BD6D7CC5CE2E2B9BEEC750F32D1D9C858BC101DFFA\r\nC9C91B11059BD9AC3A0AD169DEB513CEF38B3D07213A5F916C3698BB4F407FFA\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of this malware.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html"
	],
	"report_names": [
		"pylocky-unlocked-cisco-talos-releases.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441470,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec6545f3ccfc8db042ef0ce302af2dd2975dae86.pdf",
		"text": "https://archive.orkl.eu/ec6545f3ccfc8db042ef0ce302af2dd2975dae86.txt",
		"img": "https://archive.orkl.eu/ec6545f3ccfc8db042ef0ce302af2dd2975dae86.jpg"
	}
}