French authorities released the PyLocky decryptor for versions 1 and 2

0
49

Good news for the victims of the pyLocky Ransomware versions 1 and 2, French authorities have released the pyLocky decryptor to decrypt the files for free.

French authorities have released a decryptor for pyLocky Ransomware versions 1 and 2. The decryptor allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement, the French Homeland Security Information Technology, and Systems Service, along with independent and volunteer researchers.

“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is a result of a collaborative Among the agencies of the french Ministry of Interior, Including the first Brigade of fraud investigations in information technology  (BEFTI) of the Regional Directorate of the Judicial Police of Paris , on the of technical elements gathered during its investigations and collaboration with volunteer researchers.” reads the post published by the French Ministry of Interior states it is more active in Europe.

“Those elements allowed the Homeland Security Information Technology and Systems Service ST (SI) ², part of the National Gendarmerie , to create that software.”

French Ministry of Interior pointed out that the ransomware hit many people in Europe, especially SMBs, large businesses, associations.

The pyLocky decryptor allows to decrypt file for version 1 (filenames having the .lockedfile or .lockymap extensions) and version 2 ( extensions .locky).

The pyLocky Decryptor could be downloaded from the following link:

https://www.cybermalveillance.gouv.fr/wp-content/uploads/2019/02/PyLocky_Decryptor_V1_V2.zip

The decryptor has as pre-requisite the installation of the Java Runtime.

“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”

The malware researcher Michael Gillespie analyzed the decryptor and noticed the presence of 2 hardcoded private RSA keys that were likely obtained by French police from the access to the C2 server hosted on the Tor network.

Let me remind you that the decryptor doesn’t clean the infected systems.

Pierluigi Paganini