March 29, 2017
This past Saturday security researchers Kafeine, MalwareHunterteam, BroadAnalysis, and David Martínez discovered a new ransomware being distributed through EITest into the RIG exploit kit. As this ransomware was only distributed for one day and does not securely encrypt files, it makes me believe that this may have been a test distribution run.
While the colors and interface used by this ransomware have a striking resemblance to CTB-Locker/Critroni, it is written in a different language and there are no distinguishing strings in the ransom notes or executables. Since it's programmed in Python and the script is called cl.py, I will be referring to it as PyCL in this article.
PyCL Distributed through EITest and the RIG Exploit Kit
Starting on Saturday, numerous researchers noticed that EITest was pushing visitors to the RIG exploit kit, which was distributing this new PyCL ransomware. This was done through hacked sites that redirected the visitor to RIG, which would then try and exploit vulnerabilities on the computer in order to install the ransomware.
Fiddler Capture of EITest
According to Kafeine, EITest was distributing both Cerber and PyCL at the same time. The PyCL distribution, though, only lasted for that one day.
Could PyCL be Part of a RaaS?
One of the files contained in the NSIS installer is a file called user.txt. This file contains the string xkwctmmh, which is sent to the Command & Control server during every request. Furthermore, this same string was also used when David Martínez tested the ransomware.
To me this indicates that this ransomware may be part of an upcoming RaaS, or Ransomware as a Service, where the username is the affiliate identifier.
How the PyCL Ransomware Encrypts a Computer
The PyCL Ransomware is distributed as an NSIS installer that contains a Python package that is used to encrypt a computer and a tutorial on how to pay the ransom. PyCL also communicates back to the Command & Control server at each stage of the process in order to provide debugging/status information to the developer. A full list of network requests can be found at the end of the article.
When the PyCL installer is executed, the tutorial files will be extracted to the %AppData\Roaming\How_Decrypt_My_Files\ folder and the Python components will be extracted to the %AppData%\cl folder.
The installer will then connect to the Command & Control server at 22.214.171.124/status/?status=IS&u=xkwctmmh&sub=1 followed by the launching of the %AppData%\cl\cl.exe executable. CL.exe is actually a Python script compiled into an executable, which will begin to encrypt the computer.
PyCL will first check if the user has administrative privileges, and if they do, will delete the shadow volume copies on the computer using the command:
It then connects to the C2 server again and sends a POST request to http://126.96.36.199/init/. This POST request will send the victims Windows version, whether the victim has administrative privileges, the screen resolution, processor architecture, computer name, user name, and the mac address of the primary network adapter.
The C2 server will respond with a public RSA-2048 public encryption key, a bitcoin payment address, the ransom amount in bitcoins, and the ransom amount in USD. This information is then saved into the files public_key.txt, btc_address.txt, btc_price.txt, and usd_price.txt in the %AppData%\cl folder.
PyCL will now generate a list of files to encrypt and store this list in the %AppData%\cl\filelist.txt. When generating the list it will skip files located in the following folders:
It will then encrypt every file in this list with a unique AES-256 encryption key for each file. The list of files and their respective decryption key is then saved in a random named file in the CL folder. This file is then encrypted using the RSA-2048 public encryption key that was previously received from the C2 server.
At this time, due to the way the ransomware is coded, the original files are not deleted! So while an encrypted copy of your files is created, you still have access to the original unencrypted files.
When completed, it will create a link on the desktop called How Decrypt My Files.lnk that opens the %AppData%\Roaming\How_Decrypt_My_Files\index.html file. This file contains a tutorial on how to pay the ransom and get the files back. A small portion of this ransom note can be seen below. The full version can be viewed here.
Portion of the Ransom Note
PyCL will now execute the UI.exe executable, which will display the lock screen shown below.
PyCL Lock Screen
This lock screen will contain a 4 day timer, your bitcoin address, and the ransom amount. If you click on the Proceed to Payment button, it will open the ransom note from the C2 server. While running, this lock screen will intermittently check the C2 server to see if a payment has been made to your bitcoin address. If a payment has been made, it will automatically decrypt the files on the computer.
Since this ransomware does not currently delete the original files, those who are infected do not have to worry about losing their files. If this changes, though, the ransomware will be further analyzed for weakness that can be exploited to decrypt files for free.
Files associated with the PyCL Ransomware:
Registry entries associated with the PyCL Ransomware:
Hashes of Main Components:
PyCL Lock Screen Text: