PyCL targets the Windows OS and is distributed via an EITest Flash-based redirection that leads to the RIG EK. The security researchers who discovered this variant observed that it was only distributed for one day and noted that it does not securely encrypt files, which led them to believe it was a "test-run" conducted by the malware authors.

PyCL is written in the Python programming language. When its installer is executed, it extracts tutorial files to the %AppData\Roaming\How_Decrypt_My_Files folder and Python components to the %AppData%\cl folder. PyCL then establishes a connection to its C2 server and subsequently launches cl.exe, a Python script compiled into an executable, which begins to encrypt the files on the infected system. It checks for administrative privileges on the user account and, if available, deletes the Shadow Volume Copies using vssadmin.exe to prevent file restoration by the victim.

PyCL then contacts its C2 server again to transmit details of the infected system such as the Windows OS version, user name and the availability of administrative privileges on the associated account, screen resolution, processor architecture, and the network adapter's MAC address. The C2 server transmits a public RSA-2048 encryption key, a bitcoin wallet address for payment, and the requested ransom amount listed in both Bitcoin and US dollars. The files containing this information, public_key.txt, btc_address.txt, btc_price.txt, and usd_price.txt, are also saved in the %AppData%\cl folder that PyCL created. It also creates and stores a list of targeted files named filelist.txt.

PyCL encrypts each file in the list with a unique AES-256 encryption key and drops a link to the ransom note on the desktop named How Decrypt My Files.lnk. The note threatens the permanent loss of files after four days through a countdown timer on the ransom note; however, this current sample of PyCL does not actually delete the original unencrypted files after the encryption process, providing victims with a way to recover their data without paying the ransom.

UPDATE 4/14/2017: A new version is distributed via malicious Word documents and appends .crypted to encrypted file names.
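
The following Python check is an added example for responders, not code from NJCCIC, Bleeping Computer, or the malware: it looks under one user profile for the artifact names listed above and reports which .crypted files still have their original beside them. The profile-relative locations (%AppData% taken as AppData/Roaming, the shortcut under Desktop), the function names, and the sample tree are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path

# Artifact names come from the profile above; their locations relative to a
# user profile directory are assumptions (%AppData% taken as AppData/Roaming).
CL_DIR = Path("AppData/Roaming/cl")
CL_FILES = ["public_key.txt", "btc_address.txt", "btc_price.txt",
            "usd_price.txt", "filelist.txt"]
TUTORIAL_DIR = Path("AppData/Roaming/How_Decrypt_My_Files")
NOTE_LINK = Path("Desktop/How Decrypt My Files.lnk")
SUFFIX = ".crypted"  # appended by the version in the 4/14/2017 update


def triage(profile):
    """Report PyCL artifacts and encrypted/original file pairs under a profile."""
    profile = Path(profile)
    found = [(CL_DIR / n).as_posix() for n in CL_FILES
             if (profile / CL_DIR / n).is_file()]
    if (profile / TUTORIAL_DIR).is_dir():
        found.append(TUTORIAL_DIR.as_posix())
    if (profile / NOTE_LINK).is_file():
        found.append(NOTE_LINK.as_posix())
    # The first sample is reported to leave originals in place; verify per file
    # whether a same-named file without the suffix still exists.
    with_original, without_original = [], []
    for root, _dirs, files in os.walk(profile):  # unreadable dirs are skipped
        for name in files:
            if name.endswith(SUFFIX) and name != SUFFIX:
                enc = Path(root) / name
                original = enc.with_name(name[:-len(SUFFIX)])
                bucket = with_original if original.is_file() else without_original
                bucket.append(enc.relative_to(profile).as_posix())
    return {"artifacts": found, "with_original": sorted(with_original),
            "without_original": sorted(without_original)}


def build_sample(root):
    """Create a constructed (not real) profile tree for demonstration."""
    root = Path(root)
    for rel in ["AppData/Roaming/cl/public_key.txt", "AppData/Roaming/cl/filelist.txt",
                "Desktop/How Decrypt My Files.lnk", "Documents/a.docx",
                "Documents/a.docx.crypted", "Documents/b.xlsx.crypted"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("constructed sample")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, values in triage(build_sample(tmp)).items():
            print(key, values)
```

Files listed under `without_original` are the ones that need a backup or other recovery source.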

  • Bleeping Computer provides more information about PyCL here.
  • The NJCCIC is not currently aware of any free decryption tools available for PyCL, although in its current form, victims do have the ability to recover their files for free.

Image Source: Bleeping Computer