The new ransomware, first identified in July by researchers at Trend Micro, is focused on targets in Europe, with France a particular target for the malware: by late August, almost two thirds of PyLocky spam was being sent to victims in France, along with a number sent to addresses associated with New Caledonia, a French territory in the South Pacific.
Germany initially bore the brunt of the campaign, accounting for over half of targets at the beginning of August, but by the end of the month accounted for just over a quarter of the spam emails sent out.
Those behind the campaign have prepared for PyLocky to target victims in different countries, with the ransom note available in English, French and other languages including Italian and Korean - indicating that attacks against other regions are potentially planned.
Like many malware campaigns, the attacks begin with phishing emails designed to trick the victim into running a malicious payload. In this instance, message subject lines are themed around invoices and encourage the user to click on a link that takes them to a URL used to deliver PyLocky.
The malicious URL serves a ZIP file which, when run, drops several C++ and Python library components along with the main ransomware executable 'lockyfud.exe', which is built using PyInstaller, a legitimate tool used to bundle Python applications into stand-alone executables.
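Because the dropped executable is a PyInstaller bundle, a defender triaging suspicious invoice-themed attachments can look for PyInstaller's archive cookie in the file bytes. The following is an added example, not code from the article or from Trend Micro; it assumes the attachment has already been extracted from the ZIP into memory, and the constructed `SAMPLE_BUNDLE` bytes stand in for a real executable.

```python
import struct

# Cookie magic written by PyInstaller's bootloader at the end of every bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layout (PyInstaller 2.1 and later): magic (8 bytes), package length,
# TOC offset, TOC length, Python version (four big-endian ints) and the name of
# the embedded Python library (64 bytes, NUL padded).
COOKIE_FMT = "!8siiii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or len(data) - pos < COOKIE_LEN:
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN]
    )
    return {
        "package_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": pyvers,
        "pylib": pylib.rstrip(b"\0").decode("ascii", errors="replace"),
    }


def triage_attachment(name: str, data: bytes) -> str:
    """Classify an unpacked attachment: 'suspicious' for PyInstaller-built PE files."""
    is_pe = data[:2] == b"MZ"
    cookie = find_pyinstaller_cookie(data)
    if is_pe and cookie is not None:
        return "suspicious"  # e.g. an 'invoice' ZIP carrying a PyInstaller .exe
    return "benign"


# Constructed sample: a fake PE header followed by a PyInstaller cookie
# claiming Python 2.7 and python27.dll (values are made up for the example).
SAMPLE_BUNDLE = b"MZ" + b"\0" * 64 + struct.pack(
    COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 1024, 512, 27, b"python27.dll".ljust(64, b"\0")
)
SAMPLE_PLAIN = b"MZ" + b"\0" * 64  # constructed PE-like file with no cookie

if __name__ == "__main__":
    print(triage_attachment("lockyfud.exe", SAMPLE_BUNDLE), find_pyinstaller_cookie(SAMPLE_BUNDLE))
    print(triage_attachment("report.exe", SAMPLE_PLAIN))
```

A real sandbox or mail gateway would combine this with other signals; a PyInstaller cookie on its own only says the file bundles Python, which plenty of legitimate software does.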
In order to avoid detection by sandbox security software, the malware will sleep for 999,999 seconds (just over 11 and a half days) if the affected system's total visible memory size is less than 4GB.
Once a machine has been encrypted, PyLocky will display a ransom note claiming to be Locky ransomware and demands a ransom paid in cryptocurrency in order to "restore" the files. Users are told that if they don't pay, the ransom will double every 96 hours, in an effort to scare the victim into paying up sooner rather than later.
The original Locky was one of the most prolific forms of ransomware of 2017, but it disappeared towards the end of the year and hasn't resurfaced since. It's likely that the attackers behind PyLocky are trying to trade on the name of a notorious form of malware in an effort to make a quick buck for themselves.