Victims of the PyLocky Ransomware can use a tool released by security researcher Mike Bautista at Cisco Talos group to decrypt their files for free.

PyLocky Ransomware Decryption Tool Released — Unlock Files For Free

I have good and bad news for the victims of the PyLocky Ransomware. The good news is that security researcher Mike Bautista at Cisco Talos group released a decryption tool that allows them to decrypt their files for free.

The bad news is that recovering the files is not simple, because the decryptor works only if the victim captured the initial network traffic (PCAP file) between the PyLocky ransomware and the C2 infrastructure.

In this phase, the ransomware sends the command and control server information about the encryption process, including a string that contains the Initialization Vector (IV) and a random password used by the ransomware to encrypt the files.

“To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored.” reads the post published by Talos.

“If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.”

Each file is encoded in base64 format, and then the ransomware uses a randomly generated Initialization Vector (IV) and password to encrypt all the files on an infected system.
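A triage check for the requirement described above, as an added example that is not code from the Talos tool or the original article: it inspects a reassembled HTTP request exported from a capture and reports whether it carries a usable IV and password. The field names `IV` and `PASSWORD`, the base64 encoding of the IV on the wire, the host, the path and all sample values are assumptions constructed for illustration.

```python
import base64
from urllib.parse import parse_qs

DES_BLOCK = 8  # Triple DES block size in bytes; an IV for it must be this long

# Constructed sample: one reassembled HTTP request from a capture.
# Host, path, field names and values are made up for this example.
SAMPLE_STREAM = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"PCNAME=LAB-PC&IV=QUJDREVGR0g%3D%0A&PASSWORD=0123456789abcdef"
)


def extract_key_material(stream: bytes):
    """Return (iv, password) from a form-encoded POST, or None if unusable."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None  # not a complete POST request
    # parse_qs URL-decodes values and drops fields with empty values
    fields = parse_qs(body.decode("ascii", errors="replace"))
    if "IV" not in fields or "PASSWORD" not in fields:
        return None
    try:
        # strip the trailing newline some encoders append before validating
        iv = base64.b64decode(fields["IV"][0].strip(), validate=True)
    except ValueError:
        return None  # IV field is not valid base64
    if len(iv) != DES_BLOCK:
        return None  # wrong length for a Triple DES IV
    return iv, fields["PASSWORD"][0].encode()


def find_key_material(streams):
    """Scan several reassembled streams and return the first usable hit."""
    for stream in streams:
        hit = extract_key_material(stream)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    result = find_key_material([b"GET / HTTP/1.1\r\n\r\n", SAMPLE_STREAM])
    print("recoverable" if result else "no key material in capture")
```

If no stream yields a result, the capture does not contain the initial callout, and file recovery with the decryptor is not possible from that capture.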

PyLocky was first spotted by Trend Micro in July 2018. It is written in Python and packaged with PyInstaller, a tool normally used to freeze Python programs into stand-alone executables.

The ransomware was distributed via spam emails, most of which targeted European countries, particularly France.



PyLocky stands out for its anti-machine learning capability; it also leverages the open-source, script-based Inno Setup Installer.

To avoid analysis tools such as sandboxes, the malicious code sleeps for 999,999 seconds, roughly 11.5 days, if the total visible memory of the infected system is less than 4GB.

The encryption routines are implemented using the PyCrypto library and leverage the 3DES (Triple DES) cipher. PyLocky enumerates the logical drives of the host and generates a list of files, then overwrites each file in the list with an encrypted version.

At the end of the process, the ransomware drops a ransom note that could be in English, French, Korean, or Italian, a circumstance that suggests possible targets of the operators behind the threat.

The malware attempts to masquerade as a Locky variant, displaying a ransom note that claims to be a variant of the dreaded ransomware.

The experts published the PyLocky ransomware decryption tool on GitHub.

Pierluigi Paganini

(SecurityAffairs – PyLocky, decryptor tool)
