Dark Reading is part of the Informa Tech Division of Informa PLC




09:35 AM
Jeffrey Burt

PyLocky Ransomware Can Get Around Machine Learning Solutions

The PyLocky ransomware, detected by Trend Micro, puts a focus on the ongoing machine learning race between cybersecurity experts and bad actors.

Ransomware may not be as high profile as it was last year in the wake of WannaCry and other campaigns, but threat actors continue to improve on the malware. A recent example is PyLocky, a ransomware that is designed to look like the well-known Locky malware and to evade detection by security solutions that employ machine-learning capabilities.

Researchers at Trend Micro detected PyLocky email campaigns in July and August targeting victims in European countries, particularly France, though there are indications that the ransomware could also be deployed in Italy and South Korea.

The ransomware, written in the Python programming language, is the latest example of bad actors improving on the malware through more sophisticated methods of avoiding security tools and by imitating established ransomware families.

A broad array of cybersecurity firms have noted that the ransomware push reached its apex last year after the well-known WannaCry attacks and other high-profile campaigns, such as Petya and SamSam, but has since been overtaken in popularity among bad actors by such efforts as malware designed to steal compute power to illegally mine cryptocurrencies like Bitcoin and Monero. (See Cryptomining Malware, Cryptojacking Remain Top Security Threats.)

(Image. Source: Trend Micro)

However, the trend didn't mean ransomware went away.

Ransomware is still with us
Trend Micro analysts found a 3% increase in ransomware activity in the first half of 2018, though a 26% decrease in the number of new ransomware families when compared with the same time last year. Detection by cybersecurity tools has improved over the past year, but there are still organizations that have yet to deploy them, which means there is still money to be made in ransomware, even if there isn't the kind of innovation that was seen earlier in 2017. (See Trend Micro: Cryptomining, Data Breaches Highlight Busy 1H 2018.)

"As long as people and businesses don't patch vulnerabilities and better sanitize what comes through email, the bad actors don't need to innovate much," Greg Young, vice president of cybersecurity at Trend Micro, told Security Now in an email. "We seem to be in a phase between when ransomware drove working solutions and when the problem is recognized enough to more widely deploy those solutions. Backup, patching, and web/email/endpoint scanning are the trinity of anti-ransomware, yet we see businesses and individuals still not doing these. So as long as most current ransomware continues to make them money, the bad guys aren't under much pressure to significantly innovate. It's more like small feature updates than a new X.0 release."

In the case of PyLocky, a notable feature is its ability to evade detection by security solutions that use machine learning. It uses a combination of the open source script-based Inno Setup installer and PyInstaller -- a tool for packaging Python-based programs as standalone executables -- to evade static analysis methods such as machine learning-based solutions. Similar features have been seen in variants of Cerber, though that ransomware used the NullSoft installer, Trend Micro researchers wrote in a blog post. (See Artificial Malevolence: Bad Actors Know Computer Science, Too.)
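The layering described above (a Python program bundled by PyInstaller, then wrapped in an Inno Setup installer) leaves byte markers that a static triage step can look for before a file ever reaches an ML classifier. The following is an added example, not Trend Micro's or Dark Reading's code: it streams a file and flags two well-known markers, PyInstaller's archive cookie magic (`MEI\x0c\x0b\x0a\x0b\x0e`, stored near the end of a PyInstaller-built executable) and the `Inno Setup Setup Data` version string that Inno installers embed. The sample file it builds is constructed; the `(5.5.7)` version suffix is a placeholder. Both markers are common in legitimate software, so a hit is a signal to route the file to dynamic analysis, not a verdict.

```python
"""Triage helper: flag executables that carry PyInstaller or Inno Setup markers.

Added example (not the vendor's code). It searches for two byte markers instead
of parsing either container format in full, so it is cheap enough to run on
every attachment extracted from mail.
"""
import os
import tempfile
from typing import Dict, List, Optional

# PyInstaller CArchive cookie magic; precedes the archive's size/TOC fields.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Version string embedded by Inno Setup installers, e.g. "Inno Setup Setup Data (5.5.7)".
INNO_MARKER = b"Inno Setup Setup Data"


def scan_bytes(data: bytes) -> Dict[str, bool]:
    """Return which packer markers appear in an in-memory blob."""
    return {
        "pyinstaller": PYINSTALLER_MAGIC in data,
        "inno_setup": INNO_MARKER in data,
    }


def scan_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, bool]:
    """Stream the file so large installers are not loaded at once.

    The last `overlap` bytes of the previous buffer are kept, so a marker that
    straddles a chunk boundary is still matched.
    """
    overlap = max(len(PYINSTALLER_MAGIC), len(INNO_MARKER)) - 1
    found = {"pyinstaller": False, "inno_setup": False}
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf = tail + block
            hits = scan_bytes(buf)
            for key in found:
                found[key] = found[key] or hits[key]
            tail = buf[-overlap:]
    return found


def classify(hits: Dict[str, bool]) -> str:
    """Map marker hits to a triage label.

    'layered-installer' is the Inno-over-PyInstaller combination the article
    describes; a single marker is merely 'packed'.
    """
    if hits["pyinstaller"] and hits["inno_setup"]:
        return "layered-installer"
    if hits["pyinstaller"] or hits["inno_setup"]:
        return "packed"
    return "no-marker"


def build_sample(markers: List[str], directory: Optional[str] = None) -> str:
    """Write a constructed file (not a real installer) containing the requested markers."""
    body = b"MZ" + b"\x90" * 300                      # fake PE-like header and padding
    if "inno_setup" in markers:
        body += INNO_MARKER + b" (5.5.7)" + b"\x00" * 200   # placeholder version string
    if "pyinstaller" in markers:
        body += b"\x00" * 100 + PYINSTALLER_MAGIC + b"\x00" * 64
    fd, path = tempfile.mkstemp(suffix=".sample", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return path


if __name__ == "__main__":
    sample = build_sample(["inno_setup", "pyinstaller"])
    try:
        hits = scan_file(sample)
        print(sample, hits, classify(hits))
    finally:
        os.unlink(sample)
```

In a mail gateway or sandbox pre-filter, `classify()` returning `layered-installer` is a reasonable reason to prioritise dynamic analysis of an attachment regardless of what the static ML model says about it.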

Young said the avoidance methods used by the PyLocky authors aren't advanced, but they are noteworthy.

"Malware writers are now starting to recognize that machine learning is a new enemy for them and are specifically trying to evade it," he said. "It must be costing them money because they're taking the time to try and avoid it. We're definitely going to see two new things in 2019: the good guys having to step up machine learning defenses another notch, and more malware designed to try and outsmart machine learning. The message is that companies and people need to make sure their current security is advancing with this machine learning arms race and determine if they need to look at new defenses."

PyLocky attacks growing
Trend Micro researchers found that the PyLocky email campaigns started off small, but the volume and scope have increased. The initial spam emails were designed with socially engineered subject lines related to such topics as invoices to lure victims into clicking on a link. Doing so redirects the users to a malicious URL that contains the PyLocky malware. The malware components include several libraries written in C++ and Python and the Python 2.7 Core DLL, as well as a main ransomware executable, according to the analysts.

PyLocky will encrypt a hardcoded list of file extensions. It also leverages Windows Management Instrumentation (WMI) to investigate the properties of the infected system. To avoid sandboxes, the malware will sleep for more than 11.5 days if the system's total visible memory is less than 4GB. If it's 4GB or more, the file encryption routine will execute. After the encryption, the ransomware will connect with the command-and-control server.
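The memory gate above has a direct consequence for anyone running a sandbox: an analysis VM provisioned with less than 4GB never sees the encryption routine, only an idle process. The following is an added example, not Trend Micro's code, that a sandbox operator could use to check their VM profile against this class of check. It parses the output of `wmic os get TotalVisibleMemorySize` (the WMI `Win32_OperatingSystem` property reports kilobytes; the output shown is constructed), predicts which path a 4GB-gated sample would take, and compares the reported 11.5-day sleep with the sandbox's run timeout. The caveat it encodes is general knowledge about Windows VMs rather than something the article states: visible memory is normally a little below installed memory, so a VM sized at exactly 4GB can still fall on the dormant side.

```python
"""Sandbox sizing check for a memory-gated dormancy routine.

Added example (not the vendor's code). Threshold and sleep duration are the
values reported for PyLocky; everything else is sandbox-operator tooling.
"""
from typing import Dict

THRESHOLD_BYTES = 4 * 1024 ** 3          # "less than 4GB" gate from the report
DORMANT_SLEEP_DAYS = 11.5                # reported sleep when the gate trips
KB = 1024


def parse_wmic_memory(output: str) -> int:
    """Extract TotalVisibleMemorySize (KB) from `wmic os get TotalVisibleMemorySize`.

    wmic prints the property name on the first non-empty line and the value on
    the next; anything else is treated as an error rather than guessed at.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0].lower() != "totalvisiblememorysize":
        raise ValueError("unexpected wmic output: %r" % output[:40])
    return int(lines[1])


def predicted_path(total_visible_kb: int) -> str:
    """'dormant' if a <4GB check would send the sample to sleep, else 'active'."""
    return "dormant" if total_visible_kb * KB < THRESHOLD_BYTES else "active"


def sandbox_report(total_visible_kb: int, timeout_minutes: float) -> Dict[str, object]:
    """Summarise whether this VM profile would ever expose the encryption routine.

    `encryption_observable` is True only if the active path runs, or the sandbox
    timeout outlasts the dormant sleep (which no practical timeout does).
    """
    path = predicted_path(total_visible_kb)
    sleep_minutes = DORMANT_SLEEP_DAYS * 24 * 60
    visible_gb = round(total_visible_kb * KB / 1024 ** 3, 2)
    # Visible memory trails installed memory slightly, so flag VMs sitting
    # within ~128MB above the gate as fragile even when they pass today.
    margin_bytes = total_visible_kb * KB - THRESHOLD_BYTES
    if path == "dormant":
        recommendation = "increase-memory"
    elif margin_bytes < 128 * 1024 ** 2:
        recommendation = "increase-margin"
    else:
        recommendation = "ok"
    return {
        "visible_gb": visible_gb,
        "path": path,
        "encryption_observable": path == "active" or timeout_minutes > sleep_minutes,
        "recommendation": recommendation,
    }


if __name__ == "__main__":
    # Constructed wmic output for a 2GB analysis VM.
    sample_output = "TotalVisibleMemorySize\n2097152\n\n"
    kb = parse_wmic_memory(sample_output)
    print(sandbox_report(kb, timeout_minutes=10))
```

Running this against each sandbox template before deploying it is cheaper than discovering months later that every sample of this family was being logged as "no malicious behaviour observed".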

The ransom notes are not only in English and French, but also Italian and Korean, and look as though they are from the Locky ransomware.

"PyLocky's evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defense in depth," the researchers wrote. "For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today's threats, there are different vectors at the attackers' disposal, which makes a multi-layered approach to security important."

To push back at ransomware, organizations need to ensure that files are backed up, systems are updated and patched, and multi-layered security solutions are deployed, Young said.

"Next, PyLocky starts with phishing to trick people into clicking on attachments, and then abuses tools specifically for administrators so the message is correct," Young wrote. "System security configurations need to be in those gold images and maintained post-deployment. Education is a part of this, but one of my current soapboxes is not blaming and shaming: you're tired, jet-lagged, or busy and every one of us has clicked on an attachment we're unsure of. Education needs to be focused on providing blame-free-help, even if you've done something risky or are only a little suspicious. Five minutes of help desk time could save your company, so we need to start moving cultures, not putting up more posters."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
