PyLocky: how French investigators traced Hamza Bendelladj

A fine analysis of the functioning of ransomware, successful judicial requisitions and open source research. According to our information, here is the cocktail of the investigators of the brigade for the fight against cybercrime (BL2C) of the prefecture of police of Paris to trace the hacker Hamza Bendelladj. Nicknamed BX1, the latter found himself at the heart of their investigation into PyLocky, this ransomware discovered in the middle of 2018.

The case must now be judged this Thursday, August 31 by the judicial court of Paris. Unusual detail: the hacker, accused of hacking and trying to extort various French organizations – correctional centers, an association of notaries or a cooperative bank – will be tried by videoconference from his prison. The latter is indeed currently in detention. He had been sentenced in the United States in 2016 to fifteen years in prison for his involvement in the SpyEye banking Trojan. A stay in the shadows that would not have prevented him, according to the prosecution, from launching new malicious campaigns.

about 200 lines of code

So how did this famous hacker end up in the sights of French police officers? Alerted by the first complaints filed in June 2018, the latter first try to lift the hood of PyLocky. This ransomware is quite minimalist, about 200 lines of code in Python, emphasizes a source close to the investigation. Its infrastructure also seems weak, with a lot of amateurism, without a very thorough division of tasks.

The investigators are thus interested in spam campaigns, which should make it possible to spread the ransomware. The police very quickly discover, during the summer, a first clue. The server used for the spam campaigns is in France, at a small hosting company based in Lyon. This is probably to avoid being blacklisted by the antispam services.

Access to a copy of the server, obtained by judicial requisition, makes it possible to dissect the mechanics of sending spam messages. The investigators look in particular at the email addresses corresponding to the test mailings, those that make it possible to see if the messages pass the antispam filters.

Forrest City

While investigating one of them, the investigators stumble upon a certain Butcher. Surprise, he reveals himself after some research to be the brother of a famous hacker detained in Forrest City, in the United States! This location speaks to the investigators. This Arkansas city is already mentioned in the court file, with IP addresses in connection with the attacks located there.

Other email addresses used for these tests allow the investigators to have more context. One, supposed to be used by Boualem’s partner, is a suspicious address, already linked to one of the domain names of the Zeus botnet in a complaint filed by Microsoft in 2012.

Another also makes it possible to make the link with a domain name linked to TinyNuke, this malicious trojan that loads PyLocky on victims. This last program was written by a young Frenchman, Augustin, whose hunt was told by a security analyst.

Private key

Result: at the end of the year 2018, the police are convinced that Hamza Bendelladj is dipping into this story. They will then work to substantiate this lead. They will even manage to find a private key on one of the seized servers. It will allow the development of a decryption software, a first in France.

The rest, however, will be more laborious, with several years necessary to reach a trial. On the one hand, the French are the only ones who are really interested in PyLocky. However, France does not seem to have been particularly targeted. Instead, investigators assume that much of his malicious activity was mistakenly mistaken for Locky’s.

On the other hand, the investigation against Hamza Bendelladj then gets bogged down in the meanders of international cooperation. An illustration: the investigators finally did not make the trip to the United States to interrogate BX1. A hacker who claims his innocence today. ”I have nothing to do” with these computer hacks, Hamza Bendelladj defended himself last May, during his first appearance before French judges.