PyLocky Ransomware Can Get Around Machine Learning Solutions

Ransomware may not be as high profile as it was last year in the wake of WannaCry and other campaigns, but threat actors continue to improve on the malware. A recent example is PyLocky, a ransomware that is designed to look like the well-known Locky malware and to evade detection by security solutions that employ machine-learning capabilities.

Researchers at Trend Micro detected PyLocky email campaigns in July and August targeting victims in European countries, particularly France, though there are indications that the ransomware could also be deployed in Italy and South Korea.

The ransomware, written in the Python programming language, is the latest example of bad actors improving on the malware through more sophisticated methods of avoiding security tools and by imitating established ransomware families.

A broad array of cybersecurity firms have noted that the ransomware push reached its apex last year after the well-known WannaCry attacks and other high-profile campaigns, such as Petya and SamSam, but has since been overtaken in popularity among bad actors by such efforts as malware designed to steal compute power to illegally mine cryptocurrencies like Bitcoin and Monero. (See Cryptomining Malware, Cryptojacking Remain Top Security Threats.)

(Source: Trend Micro)

However, the trend didn't mean ransomware went away.

Ransomware is still with us
Trend Micro analysts found a 3% increase in ransomware activity in the first half of 2018, though a 26% decrease in the number of new ransomware families when compared with the same time last year. Detection by cybersecurity tools have improved over the past year, but there are still organizations that have yet to deploy them, which means there is still money to be made in ransomware, even if there isn't the kind of innovation that was seen earlier in 2017. (See Trend Micro: Cryptomining, Data Breaches Highlight Busy 1H 2018.)

"As long as people and businesses don't patch vulnerabilities and better sanitize what comes through email, the bad actors don't need to innovate much," Greg Young, vice president of cybersecurity Trend Micro, told Security Now in an email. "We seem to be in a phase between when ransomware drove working solutions and when the problem is recognized enough to more widely deploy those solutions. Backup, patching, and web/email/endpoint scanning are the trinity of anti-ransomware, yet we see businesses and individuals still not doing these. So as long as most current ransomware continues to make them money, the bad guys aren't under much pressure to significantly innovate. It's more like small feature updates than a new X.0 release."

In the case of PyLocky, a notable feature is its ability to evade detection by security solutions that use machine learning. It uses a combination of the open source script-based Inno Setup Installer and PyInstaller -- a tool for packaging Python-based programs as standalone executables -- to evade static analysis methods like machine learning-based solutions. Similar features have been see in variants of Cerber, though that ransomware used the NullSoft installer, Trend Micro researchers wrote in a blog post. (See Artificial Malevolence: Bad Actors Know Computer Science, Too.)

Young said the avoidance methods used by the PyLocky authors aren't advanced, but they are noteworthy.

"Malware writers are now starting to recognize that machine learning is a new enemy for them and are specifically trying to evade it," he said. "It must be costing them money because they're taking the time to try and avoid it. We're definitely going to see two new things in 2019: the good guys having to step up machine learning defenses another notch, and more malware designed to try and outsmart machine learning. The message is that companies and people need to make sure their current security is advancing with this machine learning arms race and determine if they need to look at new defenses."

PyLocky attacks growing
Trend Micro researchers found that the PyLocky email campaigns started off small, but the volume and scope has increased. The initial spam emails were designed with socially-engineered subject lines related to such topics as invoice to lure victims to clink on a link. Doing so redirects the users to a malicious URL that contains the PyLocky malware. The malware components include several libraries written in C++ and Python and the Python 2.7 Core DLL as well as a main ransomware executable, according to the analysts.

PyLocky will encrypt a hardcoded list of file extensions. It also leverages the Windows Management Instrumentation (WMI) to investigate the properties of the infected systems. To avoid sandboxes, the malware will sleep for more than 11.5 days if the system's total visible memory is less than 4GB. If its 4GB or more, the file encryption route will execute. After the encryption, the ransomware will connect with the control-and-command server.

The ransom notes are not only in English and French, but also Italian and Korean, and look as though they are from the Locky ransomware.

"PyLocky's evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defense in depth," the researchers wrote. "For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today's threats, there are different vectors at the attackers' disposal, which makes a multi-layered approach to security important."

To push back at ransomware, organizations to ensure that files are backed up, systems updated and patched, and multi-layered security solutions deployed, Young said.

"Next, PyLocky starts with phishing to trick people into clicking on attachments, and then abuses tools specifically for administrators so the message is correct," Young wrote. "System security configurations need to be in those gold images and maintained post-deployment. Education is a part of this, but one of my current soapboxes is not blaming and shaming: you're tired, jet-lagged, or busy and every one of us has clicked on an attachment we're unsure of. Education needs to be focused on providing blame-free-help, even if you've done something risky or are only a little suspicious. Five minutes of help desk time could save your company, so we need to start moving cultures, not putting up more posters."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.