PyCL Ransomware

A new ransomware has been identified by security researchers. PyCL has recently been added to an already over-saturated ransomware market.

Threat ID:: CC-1311
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 6 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A new ransomware has been identified by security researchers. PyCL has recently been added to an already over-saturated ransomware market.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All Versions

Threat details

The new ransomware is delivered by the RIG EK (Exploit Kit) as part of the ElTest campaign. PyCL is distributed as a NSIS (Nullsoft Scriptable Install System) installer which contains a Python package used to encrypt files and tutorial explaining how to pay the ransom.

Similar to other ransomware families, PyCL will check for administrative privileges and if found, deletes all volume shadow copies. This means all backup created by the operating system (snapshots) will be removed.

The authors are demanding a payment of .25 BTC (Bitcoin) within four days of initial infection before user files are permanently deleted. At the time of publication there is no decryption service available.

Remediation steps

Type	Step
	As with all forms of zero day malware the first line of defence against new variants of ransomware is user awareness and safe working practices. To avoid becoming infected with ransomware, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege. Your organisation adopts a holistic all round approach to Cyber Security as advocated by the “10 Steps To Cyber Security”. To limit the damage of ransomware and enable recovery: All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware. Multiple backups should be created including at least one off-network backup (e.g. to tape).

Type

Step

As with all forms of zero day malware the first line of defence against new variants of ransomware is user awareness and safe working practices.

To avoid becoming infected with ransomware, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.
Your organisation adopts a holistic all round approach to Cyber Security as advocated by the “10 Steps To Cyber Security”.

To limit the damage of ransomware and enable recovery:

All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.

Multiple backups should be created including at least one off-network backup (e.g. to tape).

Last edited: 17 February 2020 11:37 am