- Cisco gives away a PyLocky ransomware decryptor for free, but the requirements to run it are not for everyone.
- PyLocky remains a hard nut to crack, as even Cisco’s decrypting tool may fail on large or complex files.
- The company also plugged 18 vulnerabilities, some of them being critical DoS-inducing security gaps.
Cisco Systems, the networking software and hardware expert, has just released a free PyLocky decryptor that will help those who have fallen victim to this particular ransomware to break the chains. PyLocky is an unusually persistent malware that has infected many Europe-based systems, encrypting files, causing memory corruption problems, and featuring anti-machine-learning capabilities that make it hard to detect and analyze.
Cisco’s decrypting tool requires a capture of the initial communication between PyLocky and the malware server, so that the encryption key can be extracted from it. This means that the only machines that can benefit from the decryptor are those whose network traffic was being monitored at the time of infection. The encryption is done through a “base 64” encoding, so the ransomware needs a random password and an initialization vector, both of which are provided by the command and control server.
Other requirements for running the decryptor are a Windows operating system, the WinPcap utility, and the PCAP file containing the initialization vector and the password. As the encrypted files have replaced the original files on an infected system, the decryptor will try to reverse this process and will report on the usability of the resulting files, which may not be perfect in all cases. For example, Cisco’s tests revealed that files larger than 4GB could not be decrypted.
In related news, Cisco has also patched 18 vulnerabilities in its AsyncOS Software and Cisco Email Security Appliance products. The weaknesses in the former product permitted remote, unauthenticated attackers to create denial of service (DoS) conditions on the affected systems. On the Email suite, the most critical vulnerabilities allowed S/MIME-signed malicious emails to get through, caused by a failure in the filtering system due to an improper URL whitelisting function. The above affects multiple Cisco products running version 11.1 and older, so patching them results in a widespread fix. Versions 12.x were found not to contain the aforementioned vulnerabilities, so there is no reason to upgrade if you’re running the latest AsyncOS software. Cisco discovered the vulnerabilities itself, and its “Product Security Incident Response Team” reports no known malicious use so far.