A researcher has created a free decryption tool which victims of the PyLocky ransomware family can use to recover their affected files.
Mike Bautista, a security researcher at the Cisco Talos Intelligence Group, is responsible for developing the tool. Cisco Talos has made this utility freely available for download on GitHub.
First reported by Trend Micro in September 2018, PyLocky is a family of crypto-malware known for imitating the infamous Locky ransomware. It’s not related to Locky in any way, however. It just refers to itself as the “Locky Locker” in its ransom note and informs victims that they can obtain the “Locky Decryptor” by meeting their ransom demands.

PyLocky stands out among other ransomware families by being written in Python, featuring anti-machine learning capabilities that make static analysis more difficult and relying on spam campaigns to target users primarily based in France and other European countries.
It’s important to note that Cisco Talos’ decryptor comes with a few restrictions. The tool works on infected Windows machines only, for instance. Also, it tends to have the most success decrypting small files; it doesn’t currently work as well with assets that are over 4 GB in size.
Cisco Talos identifies another condition for its utility in a blog post:
Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/free-decryption-tool-created-for-pylocky-ransomware-family/

