Ransomware campaign targets businesses with fake invoice message

Locky ransomware was once one of the most prolific forms of ransomware; a new 'PyLocky' ransomware campaign is attempting to piggyback on its past success.
Written by Danny Palmer, Senior Writer

A concentrated spam campaign pushing ransomware is targeting businesses in Europe, encrypting files and demanding victims pay a ransom in order to retrieve them.

Dubbed PyLocky by researchers, the malware claims to be Locky, but it's totally unrelated to what was one of the most prolific ransomware families of last year.

The new ransomware first appeared in July. Analysis by researchers at Trend Micro shows that it is focused on targets in Europe, with France a particular target: by late August, almost two thirds of PyLocky spam was being sent to victims in France, along with a number sent to addresses associated with New Caledonia, a French territory in the South Pacific.

Germany initially bore the brunt of the campaign, accounting for over half of targets at the beginning of August, but by the end of the month accounted for just over a quarter of the spam emails sent out.

Those behind the campaign have prepared for PyLocky to target victims in different countries, with the ransom note available in English, French and other languages including Italian and Korean - indicating that attacks against other regions are potentially planned.


Like many malware campaigns, the attacks begin with phishing emails designed to trick the victim into running a malicious payload. In this instance, message subject lines are themed around invoices and encourage the user to click on a link that leads to a URL used to deliver PyLocky.

The malicious URL serves a ZIP file which, when its contents are run, drops several C++ and Python library components along with the main ransomware executable, 'lockyfud.exe'. That executable is built with PyInstaller, a legitimate tool used to bundle Python applications into stand-alone executables, which means the ransomware logic itself is Python bytecode carried inside a native wrapper.
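Because the payload is a PyInstaller bundle, a quick triage step is to check a suspect binary for PyInstaller's trailing archive "cookie" rather than treating it as ordinary compiled code. The following is an added example, not code from the article or from Trend Micro: it locates the cookie by its magic bytes, parses the fields PyInstaller stores there (package length, table-of-contents offset and length, Python version, and, for 2.1+ layouts, the bundled Python library name), and reports where the embedded archive begins. The sample input is a constructed stand-in, not a real executable; the choice between the 2.0 and 2.1+ cookie layouts based on how many bytes follow the magic is a heuristic assumption.

```python
import struct

# PyInstaller's bootloader locates the appended archive by this 8-byte magic,
# stored at the start of a trailing "cookie" record.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V21 = "!8sIIii64s"  # 2.1+: magic, pkg len, TOC offset, TOC len, py version, pylib name
COOKIE_V20 = "!8siiii"     # 2.0: same layout without the pylib name


def parse_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None.

    Searches backwards because the archive and its cookie are appended after the
    bootloader; anything after the cookie (e.g. an Authenticode signature) is
    counted as tail bytes rather than breaking the parse.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1:
        return None
    remaining = len(data) - pos
    # Assumption: prefer the 2.1+ layout whenever enough bytes follow the magic.
    if remaining >= struct.calcsize(COOKIE_V21):
        fmt = COOKIE_V21
        _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(fmt, data, pos)
        pylib_name = pylib.rstrip(b"\x00").decode("ascii", "replace")
    elif remaining >= struct.calcsize(COOKIE_V20):
        fmt = COOKIE_V20
        _, pkg_len, toc_off, toc_len, pyver = struct.unpack_from(fmt, data, pos)
        pylib_name = ""
    else:
        return None
    cookie_end = pos + struct.calcsize(fmt)
    # Newer PyInstaller encodes 3.10 as 310; older releases encode 2.7 as 27, 3.6 as 36.
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return {
        "python_version": f"{major}.{minor}",
        "pylib": pylib_name,
        "archive_start": cookie_end - pkg_len,  # offset of the bundled PKG archive
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "tail_bytes": len(data) - cookie_end,
    }


def build_sample(pyver: int, pylib: bytes) -> bytes:
    """Constructed stand-in for a one-file build: an MZ stub standing in for the
    bootloader, a fake archive body, then a 2.1+ cookie as PyInstaller would append it."""
    bootloader = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x90" * 100
    archive_body = b"PYZ-00.pyz" + b"\x00" * 40
    pkg_len = len(archive_body) + struct.calcsize(COOKIE_V21)  # cookie is part of the package
    cookie = struct.pack(COOKIE_V21, PYINSTALLER_MAGIC, pkg_len, len(archive_body), 0, pyver, pylib)
    return bootloader + archive_body + cookie


if __name__ == "__main__":
    sample = build_sample(36, b"python36.dll")
    print(parse_pyinstaller_cookie(sample))
    print(parse_pyinstaller_cookie(b"MZ" + b"\x00" * 300))  # not a PyInstaller bundle
```

A positive result tells the analyst which Python version to target when extracting and decompiling the bundled `.pyc` files, and `archive_start` gives the offset at which the PKG archive (and its table of contents) can be carved from the binary.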

In order to avoid detection by sandbox security software, the malware will sleep for 999,999 seconds (just over 11 and a half days) if the affected system's total visible memory size is less than 4GB, on the assumption that a machine with that little RAM is an analysis VM rather than a real victim. Sandboxes that present less than 4GB of memory, or that don't accelerate long sleeps, will therefore see no malicious behaviour at all.

Once a machine's files have been encrypted, PyLocky displays a ransom note claiming to be Locky ransomware and demands a ransom paid in cryptocurrency in order to "restore" the files. Users are told that if they don't pay, the ransom will double every 96 hours, an effort to scare the victim into paying up sooner rather than later.


PyLocky claims to be Locky ransomware.

Image: Trend Micro

The original Locky was one of the most prolific forms of ransomware of 2017, but it disappeared towards the end of the year and hasn't resurfaced since. It's likely that the attackers behind PyLocky are trying to trade off the name of a notorious form of malware in an effort to make a quick buck for themselves.

While Locky has disappeared and some cyber criminals have dropped ransomware in favour of other malicious campaigns, file-locking malware still remains a threat to organisations, especially when those organisations are specifically targeted.

