Decryption tool for the ransomware PyLocky versions 1 and 2
June 2019 by Marc Jacob
The French Ministry of Interior is today making available to the public a free decryption tool for the PyLocky ransomware, allowing victims to recover their files. This tool is available on the national platform Cybermalveillance.gouv.fr, of which the Ministry of Interior is a founding member.
PyLocky is malicious software (commonly called a "virus") in the ransomware category. Its objective is to make the victim’s files inaccessible by encrypting them, then to demand that the victim pay a ransom in exchange for the key needed to recover them.
PyLocky usually spreads by email and is activated when a booby-trapped attachment or link is opened.
PyLocky is very active in Europe and there are already many victims in France, both in professional environments (SMEs, large businesses, associations, etc.) and at home.
This tool is the result of a collaboration among the agencies of the French Ministry of Interior, first among them the Brigade d’enquêtes sur les fraudes aux technologies de l’information (BEFTI) of the Direction régionale de la police judiciaire de Paris, on the basis of technical elements gathered during its investigations and the collaboration with volunteer researchers. Those elements allowed the Service des technologies et des systèmes d’information de la sécurité intérieure ST(SI)², part of the Gendarmerie nationale, to create the software.
This software decrypts files encrypted by version 1 (encrypted files with the extension .lockedfile or .lockymap) and version 2 (encrypted files with the extension .locky) of PyLocky. It requires a computer running the Microsoft Windows 7 operating system or higher and the Java JRE (Java Runtime Environment) version 8.
This program is made available for free "as is", without any technical support or any explicit or implicit warranty. Its authors cannot be held responsible in any way for any damage that might be caused by the use of the tool. Other versions of PyLocky may have been created, against which this program may be ineffective.
Please note that decrypting the files does not remove the ransomware from the infected computer. To understand ransomware attacks, the measures to take to prevent them and the actions to take when you are the victim of such malware, please refer to the guidelines (FR) provided by the French national platform of assistance to cyber victims, Cybermalveillance.gouv.fr.