This decryptor is intended to decrypt the files for those victims affected by the ransomware PyLocky.
This decryptor is built to be executed on Windows systems only and it does require a PCAP of the outbound connection attempt to the C&C servers. This connection is seen seconds after the infection occurs and it will contain, among other info, the Initialization Vector (IV) and a password (both generated randomly at runtime) used to encrypt the files. Without this PCAP containing these values, the decryption won't be possible.
The structure of the outbound connection contains an string like:
PCNAME=NAME&IV=KXyiJnifKQQ%3D%0A&GC=VGA+3D&PASSWORD=CVxAfel9ojCYJ9So&CPU=Intel%28R%29+Xeon%28R%29+CPU+E5-1660+v4+%40+3.20GHz&LANG=en_US&INSERT=1&UID=XXXXXXXXXXXXXXXX&RAM=4&OSV=10.0.16299+16299&MAC=00%3A00%3A00%3A00%3A45%3A6B&OS=Microsoft+Windows+10+Pro
The above string is contained in a POST request and is required to be inside an HTTP session saved in the PCAP passed as an argument to this decryptor.
- Windows OS (infected machine)
- WinPcap (Download it here: https://www.winpcap.org/install/default.htm)
- PCAP file with IV and password generated at ransomware's runtime
usage: pylocky_decryptor.exe [-h] [-p pylocky.pcap] [-r] [-d]
PyLocky decryptor
optional arguments:
-h, --help show this help message and exit
-p pylocky.pcap, --pcap pylocky.pcap Provide PyLocky C&C pcap
-r, --remove Remove encrypted files
-d, --debug Debug this program
- Clone or download this repository to your computer (remember should be a PyLocky infected windows machine)
- Open a terminal: Start-> Run-> Type
cmd
and hit Enter - In the command prompt, navigate to the folder location where the decryptor was downloaded (as in step 1), e.g:
cd C:\Users\User\Desktop\pylocky_decryptor
- Specify the PCAP file with the
-p
(or--pcap
) switch:pylocky_decryptor.exe -p pylocky.pcap
- Wait for the decryptor to complete the decryption process and verify the usability of your files and system
If the program is enabled with debug output you will be able to see with detail how the PCAP file is being read, extracted both the IV and password and then what file is the decryptor reading, decrypting and restoring:
C:\Users\User\Desktop>pylocky_decryptor.exe -p pylock-fix.pcap -d -r
reading from file pylock-fix.pcap, link-type EN10MB (Ethernet)
Password to decrypt with: CVxAfel9ojCYJ9So
IV (base64 decoded) to decrypt with: )|ó&xƒ)�
Opening fname: C:\Users\User\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.lockedfile
Closed fname: C:\Users\User\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.lockedfile
Before getting decryptor
...
Before decrypting data
Opening fname_w_e: C:\Users\User\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20180914\MicrosoftEdgeFavoritesBackup.html
Closed fname_w_e: C:\Users\User\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20180914\MicrosoftEdgeFavoritesBackup.html
File processed correctly: C:\Users\User\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20180914\MicrosoftEdgeFavoritesBackup.html.lockedfile
File removed correctly: C:\Users\User\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20180914\MicrosoftEdgeFavoritesBackup.html.lockedfile
Decryption complete! Please verify the content of your files and system
Also, if the remove flag was used along with the debugging flag, you will see a message like:
File removed correctly: C:\Users\User\Desktop\Tor Browser\Browser\browser\VisualElements\VisualElements_150.png.lockedfile
If there are no files with the .lockedfile
extension OR all the files have been decrypted correctly and removed in a previous run, you'll simply get the following message:
No files with the ".lockedfile" extension were found. Please check again
If you need to modify the source code of the decryptor, you can do it using Python 2.7 and then use PyInstaller
on Windows OS which can be installed using the auto-py-to-exe module. This module is a GUI that converts the Python script into a fully working exe file in a very easy way.
You can also use the command prompt, once you have auto-py-to-exe
installed, with the following syntax:
C:\Users\User\Desktop>pyinstaller -y -F pylocky_decryptor.py
Note: if by any chance you get an import error stating: "No module named Queue" then just simply add --hidden-import=Queue
to the pyinstaller arguments and the exe file should be generated correctly. You can find the exe file in a dist
folder in the location you are currently working and with the same of the python script but with the exe
extension.
During the development and testing of this decryptor it has been tested the succesfull recovery of 3 infected systems (with their corresponding PCAP file) and the only small issue found has been with very large files (more than 4 Gb) not able to be decrypted.
This tool is intended to be used in a live infected system, since it will loop over all the hard drives installed in the system and search for all the files containing the PyLocky encryption extension.
The debugging switch -d
or --debug
might provide a very verbose output but can be useful to understand what the decryptor is doing and any potential issues found. Is recommended to use it the first time the decryptor is executed.
Last but not least, using the switch -r
or --remove
will remove the copy of the encrypted files. Doing so will help to clean a bit the infection leftovers in the system however, if something goes wrong during the process and a file wasn't decrypted properly AND this option is enabled, the encrypted file will be deleted and then there will be no way to recover the content. Please be careful and use this option after an initial first recovery of the files, then in a second time running the decryptor there will be less the likelihood of losing the content. Cisco won't be responsible for a misuse of this tool.