PyLocky ransomware decryption using PCAP data

Recently, Cisco has released the PyLocky decryptor (https://github.com/Cisco-Talos/pylocky_decryptor), which searches a PCAP for the key material needed to decrypt files on the infected system. PyLocky sends a single POST request to the control server containing the following parameters:

PCNAME=NAME&IV=KXyiJnifKQQ%3D%0A&GC=VGA+3D&PASSWORD=CVxAfel9ojCYJ9So&CPU=Intel%28R%29+Xeon%28R%29+CPU+E5-1660+v4+%40+3.20GHz&LANG=en_US&INSERT=1&UID=XXXXXXXXXXXXXXXX&RAM=4&OSV=10.0.16299+16299&MAC=00%3A00%3A00%3A00%3A45%3A6B&OS=Microsoft+Windows+10+Pro 

We can see that the request carries IV, the initialization vector, and PASSWORD among its parameters. If the network was being logged at the time of the infection, this information lets us decrypt the files with ease. Let's look at PyLocky's code for decryption, as follows:

We can see that the PyLocky decryptor uses the IV and the password to decrypt the files encrypted by the PyLocky ransomware, and this approach, recovering key material from the ransomware's own check-in traffic, works for a number of other ransomware families as well. PyLocky uses DES3 (Triple DES) to encrypt the files, so once the IV and password are recovered from the capture, the encryption can be reversed.
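The following is an added example, not the Talos decryptor's own code: it pulls the IV and PASSWORD out of the captured POST body shown above (embedded here as constructed sample input) and applies them to DES3-CBC. It assumes, since the page does not show the decryptor's source, that the password is used directly as the 16-byte DES3 key and that files carry PKCS#7 padding, and it uses the pycryptodome library (Crypto.Cipher.DES3) for the cipher.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: the body of PyLocky's check-in POST as captured on the page,
# with the UID placeholder left as it appears there.
SAMPLE_POST_BODY = (
    "PCNAME=NAME&IV=KXyiJnifKQQ%3D%0A&GC=VGA+3D&PASSWORD=CVxAfel9ojCYJ9So"
    "&CPU=Intel%28R%29+Xeon%28R%29+CPU+E5-1660+v4+%40+3.20GHz&LANG=en_US"
    "&INSERT=1&UID=XXXXXXXXXXXXXXXX&RAM=4&OSV=10.0.16299+16299"
    "&MAC=00%3A00%3A00%3A00%3A45%3A6B&OS=Microsoft+Windows+10+Pro"
)


def extract_key_material(post_body: str) -> dict:
    """Recover the DES3 IV and password from a captured PyLocky POST body.

    IV is sent URL-encoded base64 with a trailing newline; PASSWORD is sent in
    the clear. PCNAME is returned too, so the material can be matched to the
    right host when a capture contains check-ins from several machines.
    """
    fields = parse_qs(post_body, keep_blank_values=True)
    iv = base64.b64decode(fields["IV"][0].strip())
    key = fields["PASSWORD"][0].encode("ascii")
    # DES3 needs an 8-byte IV and a 16- or 24-byte key; anything else means the
    # capture is truncated or this is not the request we think it is.
    if len(iv) != 8:
        raise ValueError(f"unexpected IV length {len(iv)}")
    if len(key) not in (16, 24):
        raise ValueError(f"unexpected key length {len(key)}")
    return {"pcname": fields.get("PCNAME", [""])[0], "iv": iv, "key": key}


def des3_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """Decrypt DES3-CBC data with the recovered material and strip PKCS#7 padding.

    Assumption (not confirmed by the page): password used directly as the key,
    PKCS#7 padding on the file contents. Requires pycryptodome.
    """
    from Crypto.Cipher import DES3
    from Crypto.Util.Padding import unpad
    cipher = DES3.new(key, DES3.MODE_CBC, iv=iv)
    return unpad(cipher.decrypt(ciphertext), DES3.block_size)


if __name__ == "__main__":
    material = extract_key_material(SAMPLE_POST_BODY)
    print(material["pcname"], material["iv"].hex(), material["key"].decode())
```

In a real investigation, feed `extract_key_material` the body of each POST to the control server found in the PCAP, then run `des3_cbc_decrypt` over the encrypted files of the matching host.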
