PyLocky was first seen in July targeting EUsers in Europe, primarily in France. Towards the end of August, roughly two-thirds of PyLocky’s spam was being sent to users in France, and a number sent to addresses associated with New Caledonia (a French territory that consists of dozens of islands in the South Pacific). In the first stages of the campaign, Germany accounted for just over half of the targets but it was reduced to just over a quarter of the targets towards the end of August. The attackers behind PyLocky seem to be prepared to target victims in different countries. Their ransom note has been seen in different languages such as English, French, Italian, and Korean. The attack begins with a phishing email, which is focused on invoices. The victim is asked to click a link which will take them to the URL that is used to deliver PyLocky. According to researchers, “The malicious URL contains a ZIP file which when run drops several C++ and Python libraries malware components along with the main ransomware executable ‘lockyfud.exe’ which is created using PyInstaller, a legitimate tool used to bundle Python applications into stand-alone executables.” The ransomware will remain dormant for just over 11 ½ days to avoid sandbox detection if the system’s total visible memory size is less than 4GB. Once the machine is infected, PyLocker’s ransom note will be displayed, claiming to be Locky ransomware. The victim is also told that if they don’t pay the desired ransom, the ransom will double every 96 hours.
