The French Ministry of Interior has released a decryption utility for versions 1 and 2 of PyLocky ransomware to the public.
On 11 June, the ministry of the French government unveiled the tool as the product of collaboration between its various agencies, including the Brigade d’enquêtes sur les fraudes aux technologies de l’information (BEFTI) of the Direction régionale de la police judiciaire de Paris, and volunteer security researchers. Together, these parties gathered various technical elements from their investigations into the ransomware and provided them to the Service des technologies et des systèmes d’information de la sécurité intérieure ST(SI)², part of the Gendarmerie nationale. This entity was ultimately responsible for creating the decryption tool.
According to a statement published by the French Ministry of Interior, there are a few restrictions pertaining to the utility. For example, a computer must be running Microsoft Windows 7 or higher and have the Java Runtime Environment version 8 installed to run the solution. The government ministry also explains that the decryptor works against version 1 (encrypted files bearing the extension .lockedfile or .lockymap) and version 2 (encrypted files bearing the extension .locky) of PyLocky but might not be effective against more recent versions of the ransomware:
This program is made available for free « as it is », without any technical support nor explicit or implicit warranty. Its authors can’t be held in any way responsible for any damage that might be caused by the use of the tool. Other versions of PyLocky might have been created, regarding which this program may be ineffective.
This isn’t the first time the security community has seen a decryptor come out for PyLocky, a Python-based threat known for imitating the infamous Locky ransomware. Back in January 2019, a researcher created his own free decryption tool for victims of the ransomware family.
Users can download the French Ministry of the Interior’s PyLocky decryption tool and its documentation here. They can also find other ransomware decryptors at Nomoreransom.org.