Test Trials For PyCL Ransomware Launched

A new ransomware family was recently spotted in the wild. The malware is written in Python and is delivered as a script named cl.py. PyCL ransomware is spread via the RIG exploit kit (EK), which has been one of the most common distributors of ransomware infections in recent months.

PyCL was spotted in a wave of the EITest campaign this past Sunday. The campaign uses compromised websites to redirect visitors to the RIG EK, which then probes the visitor's system for vulnerabilities it can exploit to drop the payload.

The ransomware is packed in a Nullsoft Scriptable Install System (NSIS) installer containing two components: a Python package that performs the encryption, and a tutorial on how to make the payment.

PyCL communicates with a command and control (C&C) server during every stage of the encryption process. This gives the operators debugging information and progress updates on the encryption.

An intriguing find is a file called user.txt inside the installer. It contains a string that is sent to the C&C server with every request. This is characteristic of ransomware-as-a-service (RaaS) programs, although there is no evidence yet that PyCL is such a tool. If it is, the string in user.txt would be the affiliate identifier.

PyCL ransomware was only a small part of last Sunday's EITest campaign. This has led researchers to believe that the initial wave was a test of the infection chain, and that its results will determine what improvements or modifications come next.

The current state of PyCL ransomware

The trial run showed that PyCL already has a reasonably complete set of functions. Once on a device, the ransomware checks whether it is running with administrative privileges. If it is, it deletes the Volume Shadow Copies so that earlier versions of the user's files cannot be restored from them; if it is not, the shadow copies survive and remain a possible recovery path.
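Shadow-copy deletion is one of the few steps in this chain that leaves a loud, process-level trace, so it is worth alerting on regardless of which ransomware family is behind it. The following Go program is an added example, not code from the original article or from PyCL itself: it runs generic shadow-copy destruction rules over a few constructed process-creation events and raises the severity when the parent process is a script interpreter or something launched from a temp directory, which is how a Python payload unpacked by an NSIS installer would appear. The article does not say which command PyCL uses, so the patterns, the `ProcessEvent` field names, the parent-process heuristics and the sample events are all this example's assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessEvent is one normalised process-creation record, as a SIEM would
// derive it from Sysmon Event ID 1 or Security Event 4688. The field names
// are this example's own, not any product's schema.
type ProcessEvent struct {
	Image, CommandLine, ParentImage string
}

// Finding is one alert raised by Detect.
type Finding struct {
	Rule, Severity string
	Event          ProcessEvent
}

type rule struct {
	name string
	re   *regexp.Regexp
}

// The article says only that PyCL deletes shadow volume copies, not how. These
// patterns cover the usual ways of doing it from a script, so they are generic
// destruction-of-backups rules rather than a PyCL signature.
var shadowCopyRules = []rule{
	{"vssadmin delete shadows", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	{"vssadmin resize shadowstorage", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage`)},
	{"wmic shadowcopy delete", regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"wbadmin delete catalog", regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+catalog`)},
}

// suspiciousParent reports whether the parent is one an administrator rarely
// runs vssadmin from but a dropped payload would: a script interpreter, or
// anything launched out of a temp directory (where an NSIS installer unpacks).
func suspiciousParent(parent string) bool {
	p := strings.ToLower(parent)
	for _, m := range []string{"python", "wscript", "cscript", "powershell", `\temp\`, `\tmp\`} {
		if strings.Contains(p, m) {
			return true
		}
	}
	return false
}

// Detect returns at most one finding per event: the first rule whose pattern
// matches the command line, at high severity when the parent is suspicious.
func Detect(events []ProcessEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		for _, r := range shadowCopyRules {
			if !r.re.MatchString(ev.CommandLine) {
				continue
			}
			sev := "medium"
			if suspiciousParent(ev.ParentImage) {
				sev = "high"
			}
			out = append(out, Finding{Rule: r.name, Severity: sev, Event: ev})
			break
		}
	}
	return out
}

// SampleEvents is constructed telemetry for this example, not data from a
// real PyCL infection.
func SampleEvents() []ProcessEvent {
	return []ProcessEvent{
		// benign: an administrator listing snapshots from a console
		{`C:\Windows\System32\vssadmin.exe`, `vssadmin list shadows`, `C:\Windows\System32\cmd.exe`},
		// how a scripted payload running with admin rights would look
		{`C:\Windows\System32\vssadmin.exe`, `vssadmin.exe delete shadows /all /quiet`,
			`C:\Users\victim\AppData\Local\Temp\cl\python.exe`},
		// same goal via WMI from a console: still worth an alert
		{`C:\Windows\System32\wbem\WMIC.exe`, `wmic shadowcopy delete`, `C:\Windows\System32\cmd.exe`},
		// unrelated noise
		{`C:\Windows\explorer.exe`, `explorer.exe`, `C:\Windows\System32\userinit.exe`},
	}
}

func main() {
	for _, f := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s: %q (parent %s)\n", f.Severity, f.Rule, f.Event.CommandLine, f.Event.ParentImage)
	}
}
```

Run as-is it prints two findings: the `vssadmin delete shadows` from the temp-directory Python interpreter at high severity and the `wmic shadowcopy delete` from a console at medium. The `vssadmin list shadows` line is deliberately not matched; listing snapshots is routine administration, and a rule that fires on it will be tuned out quickly.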

The next step is to profile the targeted computer. The ransomware records the operating system (OS) version, whether it has administrative privileges, the computer name, the logged-on user name, the screen resolution, the processor architecture, and the MAC address of the primary network adapter, and sends this profile to the C&C server.

PyCL generates a unique AES-256 key for each targeted file and encrypts the file with it. The list of encrypted files and their keys is written to a file named random in the CL folder, and that file is encrypted with an RSA-2048 public key. The matching private key is presumably held only by the operators, so the per-file keys cannot be recovered from random on the victim's machine.
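The scheme just described is a standard hybrid envelope: a fresh symmetric key per file, and a key table that only the holder of the RSA private key can open. The Go program below is an added example written for this article, not PyCL's code, to show why that design leaves the victim with nothing to recover. Two points in it are assumptions the article does not settle: the AES mode (AES-GCM is used here) and how a key table larger than one RSA block is handled (here the JSON table is encrypted under a random table key and only that 32-byte key goes through RSA-OAEP, since RSA-2048 OAEP cannot wrap more than about 190 bytes directly). All input is constructed in memory; nothing touches the file system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
)

// EncryptedFile is one file's AES-GCM ciphertext; the key is kept out of it.
type EncryptedFile struct {
	Name              string
	Nonce, Ciphertext []byte
}

// KeyTable maps file name -> 32-byte AES key: the role of PyCL's "random" file.
type KeyTable map[string][]byte

// SealedTable is the KeyTable under the operator's RSA-2048 public key. OAEP
// wraps at most ~190 bytes, so the JSON table is AES-GCM-encrypted under a
// random table key and only that key goes through RSA.
type SealedTable struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// must panics on CSPRNG or cipher-setup failure; there is nothing safe to do.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// EncryptFile seals plaintext under a fresh AES-256 key and records that key in
// table. GCM is an assumption (the article names AES-256, not a mode); the file
// name is bound as associated data so ciphertexts cannot be swapped between files.
func EncryptFile(name string, plaintext []byte, table KeyTable) EncryptedFile {
	key := randomBytes(32)
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	table[name] = key
	return EncryptedFile{Name: name, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}
}

// DecryptFile succeeds only while table still holds the file's key.
func DecryptFile(ef EncryptedFile, table KeyTable) ([]byte, error) {
	key, ok := table[ef.Name]
	if !ok {
		return nil, fmt.Errorf("no key for %s", ef.Name)
	}
	return newGCM(key).Open(nil, ef.Nonce, ef.Ciphertext, []byte(ef.Name))
}

// SealKeyTable runs on the victim and needs only the public key.
func SealKeyTable(table KeyTable, pub *rsa.PublicKey) SealedTable {
	raw := must(json.Marshal(table))
	tableKey := randomBytes(32)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tableKey, nil))
	gcm := newGCM(tableKey)
	nonce := randomBytes(gcm.NonceSize())
	return SealedTable{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, raw, nil)}
}

// OpenKeyTable is the operator's side: only the private key unwraps the table
// key, and only the table key exposes the per-file keys.
func OpenKeyTable(st SealedTable, priv *rsa.PrivateKey) (KeyTable, error) {
	tableKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, st.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	raw, err := newGCM(tableKey).Open(nil, st.Nonce, st.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	var table KeyTable
	return table, json.Unmarshal(raw, &table)
}

func main() {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	table := KeyTable{}
	ef := EncryptFile("report.docx", []byte("constructed sample content"), table)
	sealed := SealKeyTable(table, &priv.PublicKey)
	_, err := DecryptFile(ef, nil) // the victim's host is left with only ef and sealed
	fmt.Println("without the key table:", err)
	fmt.Println("with the private key:", string(must(DecryptFile(ef, must(OpenKeyTable(sealed, priv))))))
}
```

The practical consequence for incident response follows from the structure rather than from any detail of PyCL: once the plaintext key table is gone from memory and only the sealed copy remains, the per-file keys are unrecoverable without the operators' private key, and forensic effort is better spent on surviving originals, shadow copies and backups than on the ciphertext.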

The final step is to display a lock screen, containing a 4-day timer, a Bitcoin wallet address, and the amount of the ransom.

In its current form PyCL looks unfinished: it writes encrypted copies of the files but does not delete or overwrite the originals, which stay on the hard drive and remain readable after encryption finishes. That is expected to change once the program is completed.
