Sunday 13 January 2019

Cisco Talos releases PyLocky ransomware decryptor - but there's a catch


Cisco's security group Talos has released a free decryption tool for Windows users hit by the PyLocky ransomware, but it will not work for everyone.

PyLocky is an imitation of the well-known "Locky" ransomware, except that it is written in Python; like several other copycats, it borrows the name and appearance of an established family.
Although ransomware is a threat to anyone infected with it, decryption tools can often reverse the damage. In the case of PyLocky, Cisco Talos has managed to build a decryptor, but it comes with a serious catch.

The tool only works for victims who captured a PCAP of the ransomware's outbound connection attempt to its command and control servers, a connection that happens a few seconds after infection.
In short, the PyLocky decryptor will only help on machines where network traffic was already being recorded at the time of infection.

According to Cisco Talos, PyLocky generates a random user ID and password when it is executed. It also collects information about the infected machine using WMI wrappers.

"After getting the absolute path of each file in the system, the malicious program calls the encryption algorithm and passes the IV and password."

Each file is first base64-encoded and then encrypted. The malware appends the ".lockedfile" extension to every file it encrypts; for example, "picture.jpg" becomes "picture.jpg.lockedfile".

Each original file is then overwritten with a ransom note.

Victims who run network monitoring software simply download the decryptor onto the infected computer, install WinPcap, point the tool at the PCAP file that contains the IV and password, and wait for it to do its job. The company said that during testing the decryptor recovered three infected systems. However, very large files of 4 GB or more may not be decrypted.
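Before running the decryptor it is worth inventorying what it will be asked to recover. The following is an added example, not code from the article or from Talos's tool: it walks a directory, lists the ".lockedfile" files the article describes, recovers each original name by stripping that extension, and flags files at or above the 4 GB size the article says may fail to decrypt (treating 4 GB as 4 GiB is an assumption; the `build_sample_tree` helper and its file names are constructed for demonstration).

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

LOCKED_EXT = ".lockedfile"          # extension PyLocky appends (per the article)
LARGE_FILE_BYTES = 4 * 1024 ** 3    # assumption: "4 GB or more" read as 4 GiB


def triage_locked_files(root: str, large_bytes: int = LARGE_FILE_BYTES) -> Dict[str, object]:
    """Inventory encrypted files under `root` and flag those likely too large to decrypt.

    Returns {"files": [...], "count": n, "too_large": m}, where each file entry is
    {"locked": path, "original": name without extension, "size": bytes, "too_large": bool}.
    """
    entries: List[Dict[str, object]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(LOCKED_EXT):
                continue
            locked = Path(dirpath) / name
            size = locked.stat().st_size
            entries.append({
                "locked": str(locked),
                "original": name[: -len(LOCKED_EXT)],   # "picture.jpg.lockedfile" -> "picture.jpg"
                "size": size,
                "too_large": size >= large_bytes,
            })
    return {"files": entries, "count": len(entries),
            "too_large": sum(1 for e in entries if e["too_large"])}


def build_sample_tree() -> str:
    """Constructed sample: a temp directory with two locked files and one untouched file."""
    root = tempfile.mkdtemp(prefix="pylocky_demo_")
    (Path(root) / "picture.jpg.lockedfile").write_bytes(b"\x00" * 10)
    (Path(root) / "notes.txt").write_bytes(b"not encrypted")
    (Path(root) / "sub").mkdir()
    (Path(root) / "sub" / "archive.zip.lockedfile").write_bytes(b"\x00" * 100)
    return root


if __name__ == "__main__":
    # Use a tiny threshold on the constructed tree so the "too large" path is exercised.
    report = triage_locked_files(build_sample_tree(), large_bytes=50)
    print(f"{report['count']} encrypted files, {report['too_large']} over the size limit")
    for e in report["files"]:
        flag = " (may not decrypt)" if e["too_large"] else ""
        print(f"{e['locked']} -> {e['original']}{flag}")
```

On a real system, call `triage_locked_files` with the drive root and the default threshold; the returned entries also give the list of original names to reconcile against backups for anything the tool cannot recover.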

The company claims that the decryptor is designed for use on Windows systems and assumes no responsibility for the misuse of this tool.

"Talos encourages users never to pay the ransom requested by the attacker, which rarely results in the recovery of encrypted files. The victims of this ransomware should instead restore from backup copies if their files cannot be decrypted. In June 2017, Talos repeatedly observed that assailants demanding ransom have no way of contacting victims to provide them with a decryptor," said Cisco Talos.
