Application Security

09:35 AM
Jeffrey Burt

PyLocky Ransomware Can Get Around Machine Learning Solutions

The PyLocky ransomware, detected by Trend Micro, puts a focus on the ongoing machine learning race between cybersecurity experts and bad actors.

Ransomware may not be as high profile as it was last year in the wake of WannaCry and other campaigns, but threat actors continue to improve on the malware. A recent example is PyLocky, ransomware designed to look like the well-known Locky malware and to evade detection by security solutions that employ machine-learning capabilities.

Researchers at Trend Micro detected PyLocky email campaigns in July and August targeting victims in European countries, particularly France, though there are indications that the ransomware could also be deployed in Italy and South Korea.

The ransomware, written in the Python programming language, is the latest example of bad actors improving on the malware through more sophisticated methods of avoiding security tools and by imitating established ransomware families.

A broad array of cybersecurity firms have noted that the ransomware push reached its apex last year after the well-known WannaCry attacks and other high-profile campaigns, such as Petya and SamSam, but has since been overtaken in popularity among bad actors by such efforts as malware designed to steal compute power to illegally mine cryptocurrencies like Bitcoin and Monero. (See Cryptomining Malware, Cryptojacking Remain Top Security Threats.)

(Source: Trend Micro)

However, the trend didn't mean ransomware went away.

Ransomware is still with us
Trend Micro analysts found a 3% increase in ransomware activity in the first half of 2018, though a 26% decrease in the number of new ransomware families when compared with the same time last year. Detection by cybersecurity tools has improved over the past year, but there are still organizations that have yet to deploy them, which means there is still money to be made in ransomware, even if there isn't the kind of innovation that was seen earlier in 2017. (See Trend Micro: Cryptomining, Data Breaches Highlight Busy 1H 2018.)

"As long as people and businesses don't patch vulnerabilities and better sanitize what comes through email, the bad actors don't need to innovate much," Greg Young, vice president of cybersecurity at Trend Micro, told Security Now in an email. "We seem to be in a phase between when ransomware drove working solutions and when the problem is recognized enough to more widely deploy those solutions. Backup, patching, and web/email/endpoint scanning are the trinity of anti-ransomware, yet we see businesses and individuals still not doing these. So as long as most current ransomware continues to make them money, the bad guys aren't under much pressure to significantly innovate. It's more like small feature updates than a new X.0 release."

In the case of PyLocky, a notable feature is its ability to evade detection by security solutions that use machine learning. It uses a combination of the open source script-based Inno Setup Installer and PyInstaller -- a tool for packaging Python-based programs as standalone executables -- to evade static analysis methods such as machine learning-based solutions. Similar features have been seen in variants of Cerber, though that ransomware used the NullSoft installer, Trend Micro researchers wrote in a blog post. (See Artificial Malevolence: Bad Actors Know Computer Science, Too.)
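Before a static-analysis or machine-learning pipeline can route a PyInstaller-bundled executable to an unpacking stage, it has to recognize one. The following added example (not from Trend Micro's write-up or from this article) does that by locating the PyInstaller CArchive cookie that sits behind the bundled archive; it assumes the cookie layout used by PyInstaller 2.1 and later and the version encoding used by common extractors (27 for Python 2.7, 310 for 3.10), and the sample bytes are constructed, not taken from a real PyLocky binary.

```python
import struct

# PyInstaller's CArchive cookie: an 8-byte magic followed by the archive header.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout for PyInstaller 2.1+ (network byte order):
#   magic, package length, TOC offset, TOC length, Python version, python lib name
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie if `data` carries a PyInstaller archive, else None.

    The cookie normally sits at the end of the overlay, so the last occurrence of
    the magic is used; a magic without a complete cookie behind it is rejected.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # Version encoding (assumption, as used by common extractors): 27 -> 2.7, 310 -> 3.10
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyver: int = 27, lib: bytes = b"python27.dll") -> bytes:
    """Constructed sample: placeholder payload bytes followed by a valid cookie."""
    payload = b"\x00" * 512  # stands in for the PE stub and bundled archive contents
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, len(payload), 0, 64, pyver, lib)
    return payload + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
    print(find_pyinstaller_cookie(b"MZ" + b"\x00" * 1000))  # plain PE-like bytes: None
```

A hit tells the pipeline the sample is a bundled Python program whose real logic lives in the embedded archive, which is the layer a static classifier should be fed after extraction.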

Young said the avoidance methods used by the PyLocky authors aren't advanced, but they are noteworthy.

"Malware writers are now starting to recognize that machine learning is a new enemy for them and are specifically trying to evade it," he said. "It must be costing them money because they're taking the time to try and avoid it. We're definitely going to see two new things in 2019: the good guys having to step up machine learning defenses another notch, and more malware designed to try and outsmart machine learning. The message is that companies and people need to make sure their current security is advancing with this machine learning arms race and determine if they need to look at new defenses."

PyLocky attacks growing
Trend Micro researchers found that the PyLocky email campaigns started off small, but the volume and scope have increased. The initial spam emails were designed with socially engineered subject lines on topics such as invoices to lure victims into clicking on a link. Doing so redirects the user to a malicious URL that contains the PyLocky malware. The malware components include several libraries written in C++ and Python and the Python 2.7 Core DLL, as well as a main ransomware executable, according to the analysts.

PyLocky will encrypt a hardcoded list of file extensions. It also leverages Windows Management Instrumentation (WMI) to inspect the properties of the infected system. To avoid sandboxes, the malware will sleep for more than 11.5 days if the system's total visible memory is less than 4GB. If it is 4GB or more, the file encryption routine will execute. After the encryption, the ransomware will connect with the command-and-control server.

The ransom notes are not only in English and French, but also Italian and Korean, and look as though they are from the Locky ransomware.

"PyLocky's evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defense in depth," the researchers wrote. "For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today's threats, there are different vectors at the attackers' disposal, which makes a multi-layered approach to security important."

To push back at ransomware, organizations need to ensure that files are backed up, systems updated and patched, and multi-layered security solutions deployed, Young said.

"Next, PyLocky starts with phishing to trick people into clicking on attachments, and then abuses tools specifically for administrators so the message is correct," Young wrote. "System security configurations need to be in those gold images and maintained post-deployment. Education is a part of this, but one of my current soapboxes is not blaming and shaming: you're tired, jet-lagged, or busy and every one of us has clicked on an attachment we're unsure of. Education needs to be focused on providing blame-free-help, even if you've done something risky or are only a little suspicious. Five minutes of help desk time could save your company, so we need to start moving cultures, not putting up more posters."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
