A Closer Look at the Locky Poser, PyLocky Ransomware

released on 2018-09-12 @ 04:45:59 PM

In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. Although it tries to pass itself off as Locky in its ransom note, PyLocky is unrelated to Locky. PyLocky is written in Python, a popular scripting language, and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables. Ransomware written in Python isn’t new — we’ve already seen CryPy (RANSOM_CRYPY.A) in 2016, and Pyl33t (RANSOM_CRYPPYT.A) in 2017 — but PyLocky features an anti-machine learning capability, which makes it notable. Through the combined use of Inno Setup Installer (an open-source script-based installer) and PyInstaller, it posed a challenge to static analysis methods, including machine learning-based solutions, something we have already seen variants of Cerber do (although Cerber used the NullSoft installer).