The AchieVer

PyLocky Ransomware Decryption Tool Released — Unlock Files For Free

[Image: PyLocky free ransomware decryptor]
If your computer has been infected with PyLocky Ransomware and you are searching for a free ransomware decryption tool to unlock or decrypt your files—your search might end here.

Security researcher Mike Bautista at Cisco's Talos cyber intelligence unit has released a free decryption tool that makes it possible for victims infected with the PyLocky ransomware to unlock their encrypted files for free without paying any ransom.

The decryption tool works for everyone, but it has a huge limitation—to successfully recover your files, you must have captured the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, which generally nobody purposely does.

This is because the outbound connection—when the ransomware communicates with its C2 server and submits decryption-key-related information—contains a string that includes both an Initialization Vector (IV) and a password, which the ransomware generates randomly to encrypt the files.
 
"If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process," the researcher explain.

First spotted by researchers at Trend Micro in July last year, PyLocky ransomware was found spreading through spam emails, like most malware campaigns, designed to trick victims into running the malicious PyLocky payload.

[Image: PyLocky ransom note]
To avoid detection by sandbox security software, the PyLocky ransomware sleeps for 999,999 seconds—or just over 11 and a half days—if the affected system's total visible memory size is less than 4GB. The file encryption process only executes if it is greater than or equal to 4GB.

Written in Python and packaged with PyInstaller, PyLocky ransomware first converts each file into base64 format and then uses a randomly generated Initialization Vector (IV) and password to encrypt all the files on an infected computer.
 


Once a computer is encrypted, PyLocky displays a ransom note claiming to be a variant of the well-known Locky ransomware and demands a ransom in cryptocurrency to "restore" the files.

The note also claims to double the ransom every 96 hours if victims don't pay, to scare them into paying up the ransom sooner rather than later.

PyLocky primarily targeted businesses in Europe, particularly in France, though the ransom notes were written in English, French, Korean, and Italian, which suggested that it may also have targeted Korean- and Italian-speaking users.

You can download the PyLocky ransomware decryption tool from GitHub for free and run it on your infected Windows computer.

Though ransomware may not be as high profile as the Locky, WannaCry, NotPetya, and LeakerLocker widespread 2017 ransomware attacks, both individuals and enterprises are strongly recommended to follow the prevention measures mentioned below to protect themselves.

Beware of Phishing emails: Always be suspicious of uninvited documents sent over an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system up-to-date: Always keep your antivirus software and systems updated to protect against latest threats. 

 

 

Source

vitorio

This is one of the best news for everybody. It is a pity that it appears after I got all my files and backup encrypted last month.

I learned the hard way that the best prevention is as written above:

 

Beware of Phishing emails: Always be suspicious of uninvited documents sent over an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system up-to-date: Always keep your antivirus software and systems updated to protect against latest threats.
 

 

 


jabrwky

Please explain procedure for capture. Wireshark capturing all traffic?

1 hour ago, The AchieVer said:

The decryption tool works for everyone, but it has a huge limitation—to successfully recover your files, you must have captured the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, which generally nobody purposely does.

 


The AchieVer
10 minutes ago, jabrwky said:

Please explain procedure for capture. Wireshark capturing all traffic?

 

In this phase, the ransomware sends to the command and control server information on the encryption process, including a string that contains the Initialization Vector (IV) and a random password used by the ransomware to encrypt the files.

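The callout phase described above, as an added example that is not part of this thread and not the Talos decryptor: a dependency-free Python reader that walks a classic libpcap file, keeps only outbound HTTP POSTs from the victim's network, and extracts the IV and password fields. The field names `iv` and `password`, the form-encoded body, the host `c2.example.invalid`, the address ranges and the two packets in `build_sample_pcap` are all constructed for the example; the real PyLocky message layout is not given on this page. For a responder the useful part is the check itself: whether a capture taken during the infection window contains the callout at all, before trying any recovery.

```python
"""Walk a libpcap capture and pull IV/password fields out of an outbound C2 callout.

Added example, not the thread's text or the Talos decryptor.  Assumptions:
  - classic libpcap format (not pcapng) with Ethernet frames;
  - the callout is an HTTP POST whose form body carries fields named
    'iv' and 'password' (placeholder names; PyLocky's real format is not on the page);
  - the infected host sits in a constructed 192.168.0.0/16 network.
"""
import struct
from urllib.parse import parse_qs

LINKTYPE_ETHERNET = 1
KEY_FIELDS = ("iv", "password")  # hypothetical field names


def read_pcap(data):
    """Yield raw link-layer frames from an in-memory classic libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    off = 24  # global header size
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, dport, tcp_payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack_from("!HH", tcp, 0)[1]
    data_off = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[data_off:]


def find_c2_key_material(pcap_bytes, local_prefix="192.168."):
    """Scan outbound HTTP POSTs for the key-material fields; return one dict per hit."""
    hits = []
    for frame in read_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        # Only traffic leaving the victim matters: the callout is client -> C2.
        if not src.startswith(local_prefix) or not payload.startswith(b"POST "):
            continue
        body = payload.partition(b"\r\n\r\n")[2].decode("ascii", "replace")
        fields = parse_qs(body)
        if all(k in fields for k in KEY_FIELDS):
            hits.append({"dst": dst, "dport": dport,
                         "iv": fields["iv"][0], "password": fields["password"][0]})
    return hits


def build_sample_pcap():
    """Construct a two-packet capture: the callout plus an unrelated inbound reply."""
    def frame(src, dst, sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(src), bytes(dst)) + tcp
        return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip  # placeholder MAC addresses

    body = b"iv=0123456789abcdef&password=Constructed-Example-Pass"  # constructed values
    post = (b"POST /callout HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    reply = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    frames = [frame((192, 168, 1, 10), (203, 0, 113, 5), 49152, 80, post),
              frame((203, 0, 113, 5), (192, 168, 1, 10), 80, 49152, reply)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for hit in find_c2_key_material(build_sample_pcap()):
        print("callout to %s:%d  iv=%s  password=%s"
              % (hit["dst"], hit["dport"], hit["iv"], hit["password"]))
```

On a real incident the capture would have to come from a span port, a firewall's packet capture or a host sniffer that was already running when the payload executed; a capture started after the ransom note appears cannot contain the callout, which is the limitation the article describes.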
jabrwky

For those who do not understand how...

1 hour ago, The AchieVer said:

the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server

Precisely when and how is this captured?


The AchieVer

Unfortunately, I do not possess that expertise.

Kindly refer to:

https://security.stackexchange.com/questions/177787/detecting-c2-traffic-over-dns

The simplest way is to avoid opening any unknown links.

Regards

jabrwky
10 minutes ago, The AchieVer said:

"The simplest way is to avoid opening any unknown links."  -- Yes.

Sonicwall, Snort, pcap software like Wireshark can reveal DNS spoofs & malicious traffic and save for analysis, but who does this on a home network?

Three backups (one sync'd; second, detached storage [backed up every several days]; & tertiary detached storage [backed up +several more days]) offers some insurance.

 

 

vitorio
17 hours ago, jabrwky said:

Sonicwall, Snort, pcap software like Wireshark can reveal DNS spoofs & malicious traffic and save for analysis, but who does this on a home network?

Three backups (one sync'd; second, detached storage [backed up every several days]; & tertiary detached storage [backed up +several more days]) offers some insurance.

 

 

This is the best prevention. As I say, I learned it the hard way.
