Fake Invoice Ransomware Takes Aim at Businesses

An email phishing campaign making the rounds in Europe is tricking users into installing a new form of ransomware called PyLocky. According to researchers at Trend Micro, this strain first appeared in July. Its developers have been actively targeting victims in several countries, with ransom notes available in English, French, Italian, Korean, and more. PyLocky is delivered via a malicious link in a phishing email; following it downloads a zip file that, once launched, drops several C++ and Python libraries alongside an executable that is created on the fly. To avoid detection by AV software, the malware remains dormant for 11 and a half days (999,999 seconds). Once files are encrypted, PyLocky displays a ransom note claiming to be the Locky ransomware and demands a cryptocurrency payment to restore access to the filesystem. The ransom then doubles every 96 hours. Trend Micro Threats Analyst Ian Kenefick goes on to state that,

“Ransomware written in Python isn’t new — we’ve already seen CryPy (RANSOM_CRYPY.A) in 2016, and Pyl33t (RANSOM_CRYPPYT.A) in 2017 — but PyLocky features anti-machine learning capability, which makes it notable. Through the combined use of Inno Setup Installer (an open-source script-based installer) and PyInstaller, it posed a challenge to static analysis methods, including machine learning-based solutions — something we have already seen variants of Cerber do (although Cerber used NullSoft installer). PyLocky’s distribution also appears to be concentrated; we saw several spam emails targeting European countries, particularly France. And though the spam run started out small, its volume and scope eventually increased.”
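As an added example (not code from the article or from Trend Micro's analysis), the long dormancy described above can be turned into a static triage check: the function below walks Python source recovered from a PyInstaller-built sample and flags any sleep() call whose constant argument exceeds a sandbox's detonation window. The sample source and the `encrypt_everything` name are constructed for illustration.

```python
import ast
from dataclasses import dataclass

# Sandboxes usually detonate a sample for a few minutes, so a hard-coded sleep
# far beyond that window (PyLocky uses 999,999 s) is a cheap evasion signal.
SUSPICIOUS_SLEEP_SECONDS = 10 * 60

@dataclass
class SleepCall:
    lineno: int
    seconds: float

    @property
    def days(self) -> float:
        return self.seconds / 86400

def _const_seconds(node):
    """Fold a constant numeric expression such as 999999 or 60 * 60 * 24."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return float(node.value)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mult, ast.Add)):
        left, right = _const_seconds(node.left), _const_seconds(node.right)
        if left is not None and right is not None:
            return left * right if isinstance(node.op, ast.Mult) else left + right
    return None  # variables, calls, etc. cannot be resolved statically

def find_long_sleeps(source, threshold=SUSPICIOUS_SLEEP_SECONDS):
    """Return each sleep(...) call whose constant argument is >= threshold seconds."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "sleep":
            continue
        secs = _const_seconds(node.args[0])
        if secs is not None and secs >= threshold:
            hits.append(SleepCall(node.lineno, secs))
    return hits

# Constructed stand-in for source recovered from a PyInstaller bundle (not PyLocky's code).
SAMPLE_SOURCE = """\
import time
time.sleep(5)          # harmless retry delay
time.sleep(999999)     # ~11.5 days: outlasts any sandbox run
time.sleep(60 * 60 * 24 * 3)  # three days, written as arithmetic
encrypt_everything()
"""
```

Run `find_long_sleeps(SAMPLE_SOURCE)` to get the two multi-day sleeps with their line numbers; the 5-second delay is ignored.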