Decryption Tool Developed by Talos for PyLocky Ransomware

A free decryption tool for recovering files that have been encrypted by the PyLocky has been released by Cisco’s Talos Intelligence Group. Written in python PyLocky is ransomware masquerading as a variant of the Locky ransomware.

According to a statement from Talos said there was one requirement: the tool could be used only in cases where the initial PyLocky command and control traffic of an infected machine had been captured.

“If the initial C2 traffic has not been captured, our decryption tool it will not be able to recover files on an infected machine, this is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.” said the researcher Mike Bautista, who developed the tool.

When PyLocky runs on an infected machine, it collects all the information about the machine using WMI wrapper, and generates a random user ID and password.

The ransomware also generated a random initialization vector or IV which was base64 encoded and sent to the C2 server along with the system information collected by PyLocky.

Bautista explained how after obtaining the path of every file on the system, the malware calls the encryption algorithm, passing it the IV and password,”

“Each file is first base64-encoded before it is encrypted. The malware appends the extension ‘.lockedfile’ to each file, it encrypts – for example, the file ‘picture.jpg’ would become ‘picture.jpg.lockedfile’. The original file is then overwritten with the attacker’s ransom note.”

He has asked victims/user to abstain from paying any ransom by the developers of PyLocky, because the recovery of files in such malware is bleak.