
PyCL Ransomware

Posted: March 29, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 82
First Seen: March 29, 2017
OS(es) Affected: Windows

The PyCL Ransomware is a Python script-based Trojan that can encrypt your files to prevent other programs from opening them, as well as lock your screen. This threat's lock-screen pop-up delivers extortionist messages for data retrieval, although malware experts warn that the ransom doesn't need to be paid to restore your local content. Use dedicated anti-malware applications to uninstall the PyCL Ransomware after you circumvent its message window.

The Extortion Delivered by a Serpent's Bite

Perhaps thanks to its small size and overall portability, Python is growing in popularity for Trojan families specializing in harmful encryption. The PyCL Ransomware is a new example of just such a threat, competing against similar threats like the HolyCrypt Ransomware, the PyL33T Ransomware and the Pickles Ransomware. Like many of the latest Trojans in March, the PyCL Ransomware is installed by the RIG Exploit Kit, a bundle of scripts that probes a Web surfer's PC for vulnerabilities it can use to launch unauthorized drive-by downloads.

Although the PyCL Ransomware's installation comes through exploit kits (EKs) on hacked websites, its threat actors appear to be in the testing phase of their campaign and have only distributed the PyCL Ransomware for one day at a time. The PyCL Ransomware also includes a feature, or rather, omits one, in a way that shows it most likely isn't finished: it fails to delete the same files that it encrypts.

In other respects, malware researchers find the PyCL Ransomware very similar to other recent file encryptors. The Trojan uses AES encryption to encode your data and protects the AES key with an RSA algorithm. The PyCL Ransomware also deletes the Volume Shadow Copy (VSC) data, which Windows could otherwise use to restore your content from its built-in backup. Finally, it displays a borderless message box with its ransom demand: a payment in Bitcoins due within four days.
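Shadow copy deletion is the one behaviour in this description that a defender can watch for on the host before any ransom note appears. The following is an added detection example, not code from the page or from the PyCL Ransomware's authors: it runs over constructed process-creation events (ISO timestamp, user, parent image, command line) and flags the Windows command lines commonly used to destroy Volume Shadow Copies. The page does not say which command the PyCL Ransomware actually uses, so matching vssadmin, wmic and wbadmin is an assumption; treating a script interpreter as parent (python.exe and similar) as higher severity is likewise an assumed heuristic, motivated only by the page's statement that this threat is a Python script.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed process-creation events: timestamp, user, parent image, command line.
# These are sample rows for the example, not real telemetry from any PyCL infection.
SAMPLE_EVENTS = """\
2017-03-29T10:01:02Z,alice,explorer.exe,"C:\\Windows\\System32\\notepad.exe notes.txt"
2017-03-29T10:02:15Z,alice,python.exe,"vssadmin.exe Delete Shadows /All /Quiet"
2017-03-29T10:02:16Z,alice,python.exe,"wmic shadowcopy delete"
2017-03-29T10:03:40Z,SYSTEM,services.exe,"vssadmin.exe list shadows"
2017-03-29T10:04:00Z,bob,cmd.exe,"wbadmin delete catalog -quiet"
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    parent: str
    rule: str
    severity: str


# Command-line shapes commonly used on Windows to destroy Volume Shadow Copies.
# The page does not state which of these PyCL uses; covering all three is an assumption.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Assumed heuristic: a script interpreter spawning backup-destruction commands is
# far less likely to be an administrator than cmd.exe or an MMC console would be.
INTERPRETER_PARENTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def parse_events(text):
    """Read the CSV-shaped events; rows without exactly four fields are dropped, not guessed."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        ts, user, parent, cmdline = row
        events.append({"timestamp": ts, "user": user, "parent": parent, "cmdline": cmdline})
    return events


def classify(event):
    """Return an Alert for the first matching shadow-deletion rule, or None."""
    for name, rx in SHADOW_DELETE_RULES:
        if rx.search(event["cmdline"]):
            severity = "high" if event["parent"].lower() in INTERPRETER_PARENTS else "medium"
            return Alert(event["timestamp"], event["user"], event["parent"], name, severity)
    return None


def detect(text):
    """Run every parsed event through the rules and keep only the hits."""
    return [a for a in map(classify, parse_events(text)) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.severity:6} {alert.user}/{alert.parent}: {alert.rule}")
```

Note that `vssadmin list shadows` is deliberately not matched: enumerating shadow copies is routine administration, and alerting on it would bury the one event that matters. In a real deployment the rules would consume Sysmon Event ID 1 or Windows Security 4688 records rather than a CSV string, but the matching logic is the same.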

Escaping the Coils of Another File-Constricting Predator

The PyCL Ransomware is almost certainly being sold or rented to third parties under the traditional Ransomware-as-a-Service (RaaS) model, which lets the original author skim a percentage of the ransom profits while doing none of the work of distribution or targeted attacks. If its early phases are any indication, the PyCL Ransomware will continue as a centerpiece of drive-by-download attacks that may endanger any Web surfers with blindly enabled scripts and outdated software.

Currently, there's no need to pay the ransom to recover any files that the PyCL Ransomware tries to lock. Reboot your PC into Safe Mode or from an emergency recovery device to avoid loading the PyCL Ransomware's lock-screen. Since the Trojan doesn't delete the original versions of the encrypted media, no other steps are necessary beyond quarantining or deleting the PyCL Ransomware with a suitable anti-malware product. Optionally, you may wish to set aside some encrypted content for analysis by interested security researchers.

The PyCL Ransomware is a warning sign of attacks to come that will correct the oversights of the current versions of this threat. Its extensive network communications also imply that the original threat actors are observing the analytic data of these attacks, and PC users without backups should take heed.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: f89cd790ea52c857918dde0fa634a8e1b780f28b381325174e2a9c2d64194892.exe
Size: 1.81 MB (1810263 bytes)
MD5: d911b8312d5d2eaf86c03856c7b657d7
Detection count: 64
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: f28abe9533f44db0487e79d78eb67ed70b1a62c8ddb6444567eff40abf83577a.exe
Size: 3.25 MB (3257195 bytes)
MD5: e4ce87a7829d11dc397d797fa675996c
Detection count: 63
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: f241f35bb0f53a1baf0e5da26ef7bb86f3de83e94f3ccab04086b26f2f95dde5.exe
Size: 5.62 MB (5625699 bytes)
MD5: 2f03bf90f0b0ffbe9240782090aa9038
Detection count: 62
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: e38098502de083f7a5dbb7aefdc5732259f7718e69c03f52a5e968bc29fbb73e.exe
Size: 3.06 MB (3066531 bytes)
MD5: 074b1d5e99a6873102aefac4e434ace5
Detection count: 61
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: d58eb7b4b78db2d11f2a4288245a448a923ce30ebb5894f63cce2743e865bc49.exe
Size: 5.13 MB (5137770 bytes)
MD5: 4e3aa8a35f0027bbecf6eb8f5f161b26
Detection count: 60
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: a0b1f5ab11a8250d7102bcab07f6dc770c0ca7cea9730028028dba0fbfad1210.exe
Size: 5.62 MB (5625831 bytes)
MD5: 2509eae5750dbdec6430aafb651d0c68
Detection count: 56
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 80d402f38ff9849ea5e9f8a126e00f423ca1b4f1121c8059aebed8336bfc6f30.exe
Size: 5.62 MB (5625739 bytes)
MD5: 0b71016ac598c45e8a2a219eba903ec8
Detection count: 55
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 7d73a025b377e1e4cecd5af82c51e7540685a3d6766de0af92de0f624d743b1c.exe
Size: 5.62 MB (5625700 bytes)
MD5: 8e82cfea40df9deb97b9a001f75244bf
Detection count: 54
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 7b38e33eb641a40aaa33a5a195547c45b76569c2730f84a8c96ac03e11bee500.exe
Size: 1.88 MB (1887686 bytes)
MD5: d79b9f680c9ac58c7bc2e821048ac632
Detection count: 53
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 6cd37a120fbb8c675853f2d2ea7a905883e30a3b1185d5ce86af8b0a0e4d5cac.exe
Size: 2.14 MB (2143300 bytes)
MD5: 9970db10dfd35bf4df2e999d5d63a4c7
Detection count: 52
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 654e7aad3fff9000d96f5eba702ca02e900f80038316326dc6e18d2e04cb04da.exe
Size: 5.62 MB (5625737 bytes)
MD5: c2a4224455de94a9e90966d8725fdf61
Detection count: 51
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 5809efb0d04a736ea6243ff7fbde9bda9fd45f9bbabfedaf471e275f8e4d1cc3.exe
Size: 2.91 MB (2915491 bytes)
MD5: 13ad144fe1b79bd3d87f5baa3e016ec5
Detection count: 50
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File name: 1a83c155c8adfebc874a197bfb52d78f6aa367095b03409b228bce91e9d344da.exe
Size: 1.73 MB (1739372 bytes)
MD5: 01cc60cef0b287d5ae2a2f0b7719a14a
Detection count: 46
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017
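The listing above names each sample by its SHA-256 and also gives its MD5 and exact byte size, which is enough to build a simple file-hash scanner. The code below is an added example, not a tool from the page or from any vendor: it parses records in the listing's own field layout (a `File name:` line followed by `Size:`, `MD5:` and `Detection count:` lines), then hashes files under a directory and reports any whose SHA-256 or MD5 appears in the list. The two embedded records are copied from the listing; the directory path, the `FileIoC` type and all function names are the example's own choices. A size mismatch on a hash hit is reported separately rather than silently ignored, since it indicates either a transcription error in the listing or a truncated file.

```python
import hashlib
import io
import os
import re
from dataclasses import dataclass

# Two records copied from the listing on this page, in its own field layout.
SAMPLE_LISTING = """\
File name: f89cd790ea52c857918dde0fa634a8e1b780f28b381325174e2a9c2d64194892.exe
Size: 1.81 MB (1810263 bytes)
MD5: d911b8312d5d2eaf86c03856c7b657d7
Detection count: 64
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017
File name: 7b38e33eb641a40aaa33a5a195547c45b76569c2730f84a8c96ac03e11bee500.exe
Size: 1.88 MB (1887686 bytes)
MD5: d79b9f680c9ac58c7bc2e821048ac632
Detection count: 53
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017
"""


@dataclass(frozen=True)
class FileIoC:  # example type, not from the page
    sha256: str
    md5: str
    size: int
    detections: int


# One regex per field the scanner needs; the file name on this page is the SHA-256.
_FIELDS = {
    "sha256": re.compile(r"File name:\s*([0-9a-fA-F]{64})\.exe"),
    "md5": re.compile(r"MD5:\s*([0-9a-fA-F]{32})"),
    "size": re.compile(r"Size:.*?\((\d+) bytes\)"),
    "detections": re.compile(r"Detection count:\s*(\d+)"),
}


def parse_listing(text):
    """Split the text at each 'File name:' and keep only chunks with all four fields."""
    iocs = []
    for chunk in re.split(r"(?=File name:)", text):
        found = {key: rx.search(chunk) for key, rx in _FIELDS.items()}
        if not all(found.values()):
            continue  # fragment or header, not a complete record
        iocs.append(FileIoC(
            sha256=found["sha256"].group(1).lower(),
            md5=found["md5"].group(1).lower(),
            size=int(found["size"].group(1)),
            detections=int(found["detections"].group(1)),
        ))
    return iocs


def digest_stream(fh):
    """Hash a binary stream in 1 MiB blocks; returns (sha256 hex, md5 hex, byte count)."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    for block in iter(lambda: fh.read(1 << 20), b""):
        sha.update(block)
        md5.update(block)
        size += len(block)
    return sha.hexdigest(), md5.hexdigest(), size


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def match_digests(sha256, md5, size, iocs):
    """Return (ioc, size_agrees) when either hash is listed, otherwise None."""
    by_sha = {i.sha256: i for i in iocs}
    by_md5 = {i.md5: i for i in iocs}
    hit = by_sha.get(sha256.lower()) or by_md5.get(md5.lower())
    if hit is None:
        return None
    return hit, hit.size == size


def scan_directory(root, iocs):
    """Walk root and return (path, ioc, size_agrees) for every file whose hash is listed."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    sha, md5, size = digest_stream(fh)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            match = match_digests(sha, md5, size, iocs)
            if match is not None:
                hits.append((path, match[0], match[1]))
    return hits


if __name__ == "__main__":
    iocs = parse_listing(SAMPLE_LISTING)
    for path, ioc, size_ok in scan_directory(os.path.expanduser("~/Downloads"), iocs):
        print(f"{path}: listed sample {ioc.sha256[:12]}..., size {'matches' if size_ok else 'DIFFERS'}")
```

The scanner is a triage aid, not a replacement for the anti-malware product the page recommends: hash matching only catches the exact builds listed, and a RaaS operator can rebuild the Python bundle with any change at all to produce a new hash.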
