Jump to content

PyLocky Ransomware Decryption Tool Released — Unlock Files For Free


The AchieVer

Recommended Posts

PyLocky Ransomware Decryption Tool Released — Unlock Files For Free

 
 
PyLocky free ransomware decryptor
If your computer has been infected with PyLocky Ransomware and you are searching for a free ransomware decryption tool to unlock or decrypt your files—your search might end here.

Security researcher Mike Bautista at Cisco's Talos cyber intelligence unit have released a free decryption tool that makes it possible for victims infected with the PyLocky ransomware to unlock their encrypted files for free without paying any ransom.

The decryption tool works for everyone, but it has a huge limitation—to successfully recover your files, you must have captured the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, which generally nobody purposely does.

This is because the outbound connection—when the ransomware communicates with its C2 server and submit decryption key related information—contains a string that includes both Initialization Vector (IV) and a password, which the ransomware generates randomly to encrypt the files.
 
"If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process," the researcher explain.

First spotted by researchers at Trend Micro in July last year, PyLocky ransomware found spreading through spam emails, like most malware campaigns, designed to trick victims into running the malicious PyLocky payload.
pylocky ransomware note
To avoid detection by sandbox security software, the PyLocky ransomware sleeps for 999.999 seconds—or just over 11 and a half days—if the affected system's total visible memory size is less than 4GB. The file encryption process only executes if it is greater than or equal to 4GB.

Written in python and packaged with PyInstaller, PyLocky ransomware first converts each file into the base64 format and then uses randomly generated Initialization Vector (IV) and password to encrypt all the files on an infected computer.
 


Once a computer is encrypted, PyLocky displays a ransom note claiming to be a variant of the well-known Locky ransomwareand demands a ransom in cryptocurrency to "restore" the files.

The note also claims to double the ransom every 96 hours if they don't pay to scare victims into paying up the ransom sooner rather than later.

PyLocky primarily targeted businesses in Europe, particularly in France, though the ransom notes were written in English, French, Korean, and Italian, which suggested that it may also have targeted Korean- and Italian-speaking users.

You can download the PyLocky ransomware decryption tool from GitHub for free and run it on your infected Windows computer.

Though ransomware may not be as high profile as the LockyWannaCryNotPetya, and LeakerLocker widespread 2017 ransomware attacks, both individuals and enterprises are strongly recommended to follow below-mentioned prevention measures to protect themselves.

Beware of Phishing emails: Always be suspicious of uninvited documents sent over an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system up-to-date: Always keep your antivirus software and systems updated to protect against latest threats. 

 

 

Source

Link to comment
Share on other sites


  • Replies 7
  • Views 702
  • Created
  • Last Reply

This is one of the best news for everybody. It is a petty that it appears after I got all my files and backup encrypted last month.

I learned the hard way that the best prevention is as written above:

 

Beware of Phishing emails: Always be suspicious of uninvited documents sent over an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system up-to-date: Always keep your antivirus software and systems updated to protect against latest threats.
 

 

 

Link to comment
Share on other sites


Please explain procedure for capture. Wireshark capturing all traffic?

1 hour ago, The AchieVer said:

The decryption tool works for everyone, but it has a huge limitation—to successfully recover your files, you must have captured the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, which generally nobody purposely does.

 

Link to comment
Share on other sites


10 minutes ago, jabrwky said:

Please explain procedure for capture. Wireshark capturing all traffic?

 

In this phase, the ransomware sends to the command and control server information on the encryption process, including a string that contains the Initialization Vector (IV) and a random password used by the ransomware to encrypt the files.

Link to comment
Share on other sites


For those who do not understand how...

1 hour ago, The AchieVer said:

the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server

Precisely when and how is this captured?

Link to comment
Share on other sites


Unfortunately, I do not possess that expertise.

 

kindly refer to:

 

https://security.stackexchange.com/questions/177787/detecting-c2-traffic-over-dns

 

The simplest way is to avoid opening any unknown links.

 

Regards

Link to comment
Share on other sites


10 minutes ago, The AchieVer said:

"The simplest way is to avoid opening any unknown links."  -- Yes.

Sonicwall, Snort, pcap software like Wireshark can reveal DNS spoofs & malicious traffic and save for analysis, but who does this on a home network?

  Three backups (one sync'd; second, detached storage [backed up every several days]; & tertiary detached storage [backed up +several more days] offers some insurance.

 

 

Link to comment
Share on other sites


17 hours ago, jabrwky said:

Sonicwall, Snort, pcap software like Wireshark can reveal DNS spoofs & malicious traffic and save for analysis, but who does this on a home network?

  Three backups (one sync'd; second, detached storage [backed up every several days]; & tertiary detached storage [backed up +several more days] offers some insurance.

 

 

This is the best prevention. As I say, I learned it the hard way.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...