
PyCL Ransomware

By GoldSparrow in Ransomware

Computer users have reported their files becoming inaccessible, and a suspicious message being displayed on their computers. This message reads as follows:

'Your Personal Files Are Encrypted
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
1. Pay amount BTC (about of USD) to address:
2. Transaction will take about 15-30 minutes to confirm.
Decryption will start automatically. Do not: power off computer, run antivirus program, disable internet connection. Failures during key recovery and file decryption may lead to accidental damage on files.
Your files will be lost without payment through:'

This message and the inability to access the files on the infected computer indicate that the PyCL Ransomware has entered the victim's computer. The PyCL Ransomware is being distributed using the RIG Exploit Kit. This recent PyCL Ransomware attack may not be a full-fledged threat campaign; it may instead have been designed to test how to distribute this threat to potential victims. Two factors point to this: the threat is not being deployed in its full version, and the manner in which it is being distributed.

The PyCL Ransomware may be Delivered to Your PC by an EK

PC security researchers refer to this threat as the PyCL Ransomware because it is programmed in Python and is delivered to the victims' computers as a script with the file name 'cl.py'. EITest seems to be used to deliver the PyCL Ransomware to victims through exploits associated with the RIG Exploit Kit. Apparently, con artists have hacked into the websites involved to redirect computer users to ransomware infections. The PyCL Ransomware was being distributed along with another known ransomware Trojan, named Cerber. However, the PyCL Ransomware distribution was only carried out for one day, indicating that this may be part of a test run. Like other ransomware Trojans, the PyCL Ransomware is designed to encrypt the victims' files and then demand a ransom payment from the victim.

How the PyCL Ransomware Carries out Its Attack

One of the files used in the PyCL Ransomware attack is named 'user.txt' and contains the string 'xkwctmmh.' This string is included in every request to the PyCL Ransomware's Command and Control server. It seems likely that the PyCL Ransomware is part of the testing for a RaaS (Ransomware as a Service) platform that is not fully finished yet. These are services that allow con artists to lease the use of a ransomware Trojan, with the service handling all distribution aspects of the infection. This user name, the string identified in the attack, appears to be a placeholder for the affiliate using the PyCL Ransomware. The PyCL Ransomware is distributed as an NSIS installer that includes the PyCL Ransomware files and a tutorial explaining how to pay the ransom to recover the affected files. The PyCL Ransomware connects to its Command and Control server constantly, providing status and debugging information, which is another indicator of a ransomware Trojan still in development. The PyCL Ransomware uses a strong encryption engine to make the victim's files completely inaccessible, but the current state of the attack seems to vary, since the PyCL Ransomware has evidently not been released in its full form.

The PyCL Ransomware Attack in Its Current State

The PyCL Ransomware displays a four-day timer alongside a ransom note retrieved from its Command and Control server, and it decrypts the victim's files automatically if a ransom payment is carried out. However, the PyCL Ransomware in its current state does not delete the original files after the encryption, meaning that victims of the PyCL Ransomware attack currently do not need to fear that they will lose their data.


File System Details

PyCL Ransomware may create the following file(s):
