Jeffrey Burt

PyLocky Ransomware Can Get Around Machine Learning Solutions

The PyLocky ransomware, detected by Trend Micro, puts a focus on the ongoing machine learning race between cybersecurity experts and bad actors.

Ransomware may not be as high profile as it was last year in the wake of WannaCry and other campaigns, but threat actors continue to improve on the malware. A recent example is PyLocky, a ransomware that is designed to look like the well-known Locky malware and to evade detection by security solutions that employ machine-learning capabilities.

Researchers at Trend Micro detected PyLocky email campaigns in July and August targeting victims in European countries, particularly France, though there are indications that the ransomware could also be deployed in Italy and South Korea.

The ransomware, written in the Python programming language, is the latest example of bad actors improving on the malware through more sophisticated methods of avoiding security tools and by imitating established ransomware families.

A broad array of cybersecurity firms have noted that the ransomware push reached its apex last year after the well-known WannaCry attacks and other high-profile campaigns, such as Petya and SamSam, but has since been overtaken in popularity among bad actors by such efforts as malware designed to steal compute power to illegally mine cryptocurrencies like Bitcoin and Monero. (See Cryptomining Malware, Cryptojacking Remain Top Security Threats.)

However, the trend didn't mean ransomware went away.

Ransomware is still with us
Trend Micro analysts found a 3% increase in ransomware activity in the first half of 2018, though a 26% decrease in the number of new ransomware families when compared with the same time last year. Detection by cybersecurity tools has improved over the past year, but there are still organizations that have yet to deploy them, which means there is still money to be made in ransomware, even if there isn't the kind of innovation that was seen earlier in 2017. (See Trend Micro: Cryptomining, Data Breaches Highlight Busy 1H 2018.)

"As long as people and businesses don't patch vulnerabilities and better sanitize what comes through email, the bad actors don't need to innovate much," Greg Young, vice president of cybersecurity at Trend Micro, told Security Now in an email. "We seem to be in a phase between when ransomware drove working solutions and when the problem is recognized enough to more widely deploy those solutions. Backup, patching, and web/email/endpoint scanning are the trinity of anti-ransomware, yet we see businesses and individuals still not doing these. So as long as most current ransomware continues to make them money, the bad guys aren't under much pressure to significantly innovate. It's more like small feature updates than a new X.0 release."

In the case of PyLocky, a notable feature is its ability to evade detection by security solutions that use machine learning. It uses a combination of the open source, script-based Inno Setup installer and PyInstaller -- a tool for packaging Python-based programs as standalone executables -- to evade static analysis methods such as machine learning-based solutions. Similar features have been seen in variants of Cerber, though that ransomware used the NullSoft installer, Trend Micro researchers wrote in a blog post. (See Artificial Malevolence: Bad Actors Know Computer Science, Too.)

Young said the avoidance methods used by the PyLocky authors aren't advanced, but they are noteworthy.

"Malware writers are now starting to recognize that machine learning is a new enemy for them and are specifically trying to evade it," he said. "It must be costing them money because they're taking the time to try and avoid it. We're definitely going to see two new things in 2019: the good guys having to step up machine learning defenses another notch, and more malware designed to try and outsmart machine learning. The message is that companies and people need to make sure their current security is advancing with this machine learning arms race and determine if they need to look at new defenses."

PyLocky attacks growing
Trend Micro researchers found that the PyLocky email campaigns started off small, but the volume and scope have increased. The initial spam emails were designed with socially engineered subject lines related to such topics as invoices to lure victims into clicking on a link. Doing so redirects the user to a malicious URL that delivers the PyLocky malware. The malware components include several libraries written in C++ and Python and the Python 2.7 core DLL, as well as a main ransomware executable, according to the analysts.
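The two packaging details above (a PyInstaller-bundled executable and the Python 2.7 core DLL) are static indicators a defender can triage for without running the sample. The script below is an added example, not code from the article or from Trend Micro; it locates the PyInstaller archive cookie by its documented magic bytes and checks for a reference to python27.dll, using a constructed byte image rather than a real sample.

```python
import struct

# PyInstaller appends its CArchive to the executable and ends it with a cookie.
# The magic below is the constant PyInstaller uses for that cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# First 24 bytes of the cookie: magic, archive length, TOC offset, TOC length,
# Python version. Layouts with a trailing 64-byte pylib name share this prefix.
COOKIE_FMT = ">8sIIII"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)

# The article notes PyLocky ships the Python 2.7 core DLL alongside the executable.
PYTHON27_DLL = b"python27.dll"


def triage_pyinstaller(data: bytes) -> dict:
    """Return packaging indicators for a file image, for analyst triage."""
    result = {"pyinstaller": False, "python_version": None,
              "archive_len": None, "python27_dll": False}
    # Search from the end: the cookie normally sits at the tail of the file.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos != -1 and pos + COOKIE_LEN <= len(data):
        _magic, arc_len, _toc_off, _toc_len, pyvers = struct.unpack(
            COOKIE_FMT, data[pos:pos + COOKIE_LEN])
        result["pyinstaller"] = True
        # Two-digit encoding (27 -> "2.7") as used for Python 2.7 bundles.
        result["python_version"] = f"{pyvers // 10}.{pyvers % 10}"
        result["archive_len"] = arc_len
    result["python27_dll"] = PYTHON27_DLL in data.lower()
    return result


def make_constructed_sample() -> bytes:
    """Constructed, harmless test image: an MZ-like prefix, a DLL name string,
    and a PyInstaller-style cookie. This is not real malware."""
    body = b"MZ" + b"\x00" * 100 + b"PYTHON27.DLL" + b"\x00" * 50
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC,
                         len(body) + COOKIE_LEN, 64, 32, 27)
    return body + cookie


if __name__ == "__main__":
    print(triage_pyinstaller(make_constructed_sample()))
```

A hit on both indicators is a packaging fingerprint, not proof of malice; legitimate Python tools are bundled the same way, so it belongs in a scoring pipeline rather than as a standalone verdict.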

PyLocky encrypts files matching a hardcoded list of file extensions. It also leverages Windows Management Instrumentation (WMI) to inspect the properties of the infected system. To avoid sandboxes, the malware sleeps for more than 11.5 days if the system's total visible memory is less than 4GB; if it's 4GB or more, the file encryption routine executes. After encryption, the ransomware connects to its command-and-control server.

The ransom notes are not only in English and French, but also Italian and Korean, and look as though they are from the Locky ransomware.

"PyLocky's evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defense in depth," the researchers wrote. "For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today's threats, there are different vectors at the attackers' disposal, which makes a multi-layered approach to security important."

To push back against ransomware, organizations need to ensure that files are backed up, systems are updated and patched, and multi-layered security solutions are deployed, Young said.

"Next, PyLocky starts with phishing to trick people into clicking on attachments, and then abuses tools specifically for administrators so the message is correct," Young wrote. "System security configurations need to be in those gold images and maintained post-deployment. Education is a part of this, but one of my current soapboxes is not blaming and shaming: you're tired, jet-lagged, or busy and every one of us has clicked on an attachment we're unsure of. Education needs to be focused on providing blame-free-help, even if you've done something risky or are only a little suspicious. Five minutes of help desk time could save your company, so we need to start moving cultures, not putting up more posters."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
