Trend Micro researchers spotted a ransomware imitating Locky being spread via spam emails targeting European countries particularly France.
Dubbed “PyLocky,” the malware’s ransom notes are written in English, French, Korean, and Italian while the ransomware itself features anti-machine learning capability making it notable due to its difficulty to analyze and detect posing a challenge to static analysis methods.
The ransomware also has and will sleep for 999,999 seconds or just over 11.5 days if the affected system’s total visible memory size is less than 4GB. After a victim’s files have been encrypted it will then generate an encryption key and establish communication with its command-and-control (C&C) server.
“PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defense in depth,” researchers said in the post. “For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet.”
PyLocky tries to pass itself off as Locky and imitates other established ransomware families to ride on their notoriety, although it is unrelated to the other malware families and is written in Python and packaged with PyInstaller.
Researchers spotted the malware sent in waves of malicious emails designed to lure victims using socially engineered subject lines such as those related to invoices and instructing users to click a malicious URL containing PyLocky.
The URL leads to a ZIP file that when successfully ran, will drop the malware components encrypting images, videos, documents, sounds, programs, games, databases, archived files and other types of data on a user’s device.
The malware is configured to encrypt a hardcoded list of file extensions, as well as to abuse Windows Management Instrumentation (WMI) to check the properties of the affected system.