The Daily Decrypt
The Daily Decrypt
Open Source Tool Defeats Ransomware, StackOverflow users push malicious Python packages, Are you in the 911 S5 botnet?

In today’s episode, we explore how cybercriminals exploited StackOverflow to promote the malicious Python package “pytoileur” aimed at cryptocurrency theft ( We also examine the FBI’s takedown of the 911 S5 botnet and its massive impact on online fraud and cybercrime ( Lastly, we introduce RansomLord, an open-source anti-ransomware tool that leverages DLL hijacking to block ransomware attacks pre-encryption (

FBI Botnet:

00:00 Introduction to Ransomware Defense

01:12 Ransom Lord: A Game Changer

03:55 How to Check for Botnet Infections

06:47 Malicious Python Package Alert

09:19 Conclusion and Final Thoughts


Cybercriminals, Python Package Index, pytoileur, cryptocurrency theft, malicious packages, StackOverflow, open source security, botnet, VPN, YunHe Wang, 911 S5, cybersecurity, RansomLord, exploits, vulnerabilities, ransomware protection

Search Phrases:

  1. Cybercriminal infiltration of Python Package Index
  2. pytoileur malicious package on StackOverflow
  3. Cryptocurrency theft using pytoileur
  4. How to protect against malicious Python packages
  5. Largest botnet disguised as VPN service
  6. Arrest of YunHe Wang for cybercrime
  7. 911 S5 botnet detection methods
  8. Protecting computers from 911 S5 botnet
  9. RansomLord tool against ransomware
  10. Ransomware vulnerabilities exploited by RansomLord


There is a new proof of concept. Open source tool called ransom Lord.

attacks, the malware that launches ransomware.

In order to defeat it before it can encrypt your files.

I’m a little blown away by this one, but we’ll get to that in a sec. How can ransom Lord change the game for ransomware defenders? And what tactics does it use to defeat ransomware?

The largest botnet ever operating under the guise of free VPN services. Has been dismantled with the arrest of its alleged mastermind for orchestrating cyber crimes, totalling billions of dollars in fraudulent losses. How can you check if your computer is part of the nine 11 s5 botnet and what steps can you take to protect yourself in the future?

The Python package index has been infiltrated with a malicious package named PI told earlier. Which has now found to facilitate cryptocurrency theft by leveraging reputable platforms, such as stack overflow. What measures can developers take to protect themselves from being deceived by malicious packages?

Like this one.

You’re listening to the daily decrypt. .

Alright. So as defenders, we are constantly thinking about how to defeat ransomware. But I haven’t seen much come out other than detection capabilities. So we’re still focused on detecting.

Indicators of compromise that might lead to ransomware.

But just yesterday health net security released an article on an open source. Anti ransomware tool that essentially attacks the ransomware malware Using DLL hijacking.

and automates the creation of PE files. Which are used to exploit.

Ransomware before it can encrypt your files.. So even the thought of this type of defense makes me so excited.

The idea that there can be more than just detecting indicators of compromise for ransomware prevention. When we can actually go in and attack the ransomware itself.

And get rid of it before it even has the opportunity to encrypt your files.

It’s a breath of fresh air.


This tool, which is free and open source and available on get hub. The link is in the show notes below. Deploys exploits in order to defend the network. Which is a novel strategy for defeating ransomware.

It also uses vulnerability intelligence.

That maps, threats to vulnerable DLLs.

In order to target specific threats that you may believe may target your organization or industry.

This tool in its current state has been shown to be effective.

To defend against 49 ransomware families, including.


Loki locker.

And many more. It can also target Trojans and info Steelers.

The author of this tool writes.

I created ransom Lord to demonstrate that ransomware is not invincible. And that it has vulnerabilities and its developers make mistakes and can write bad code, just like anyone else.. And I love this framing of ransomware itself being vulnerable to exploits. Because it’s essentially just software on your computer and. It has vulnerabilities of its own..

And even though this is technically just a proof of concept, it is effective against current versions of these ransomware tools, though, the developers of these tools will likely patch. And it’ll be a continuous cat and mouse game, but imagine if there was an entire company with thousands of employees.

Whose sole purpose was to maintain the software to defeat ransomware strains. Any time a ransomware was successful.

They would ship that source code off to this company and that company would analyze it and create the exploits for the vulnerabilities found in that ransomware file.

I personally don’t have enough time to handle this type of company and start it myself. But if you’re listening and you’re an entrepreneur in the cybersecurity space, I highly encourage you to get going and seek some investing and figure this company out, make it happen.

So there was a giant botnet, potentially one of the biggest botnets of all time named 9 1 1 S five. Botnet. That has been masquerading around as a free VPN service.

Well just recently authorities have arrested. And Hey Wang at 35 year old, Chinese national behind this entire botnet. They’ve also seized the 9 1 1 S five website and its infrastructure.

This specific botnet has facilitated billions of dollars in online fraud and cyber crime.

To include over 560,000 fraudulent unemployment claims. Causing a $5.9 billion loss.

This botnet spanned more than 19 million computers across 190 countries. And.

was responsible for enabling cybercriminals to route malicious traffic.

Through any of those 19 million computers.

Which of course allowed them to remain anonymous while they continued to partake in their cyber criminal activities.

This bot net company or. Individual also sold access to compromised PCs.

Within the botnet because they.

Also provided a free VPN service..

And for those of you who might not know the intricacies of how a VPN works. At a high level, essentially, it’s just a pathway or a tunnel. To access a network that you’re not physically in.

So for example, I have a VPN set up at my house. Anytime I’m out at a coffee shop. I access that VPN. Which essentially gives me access to all the devices in my house.

So this bot net.

Infected computers through the guise of a free VPN service.

Installing and signing up for this free VPN service.

Not only put your computer in part of this botnet, but gave. The botnet operators access to your computer.

So, how can you check if your computer is infected by this botnet? Well, first of all, have you downloaded any free VPN services?

In the last few years, if you can’t remember. The FBI.

Has created a webpage to help identify compromise systems.

Which essentially just gives you steps to check if your computer has been infected such as checking for the running services. Such as mask VPN, do VPN proxy, gate shield, VPN shine, VPN and pallet and VPN. It gives you the step-by-step on how to do that on your own computer.

It then gives you the steps you’ll need to follow, to remove. The malicious free VPN service. And then also to confirm that that service has been removed.

If you. We’re compromised by this botnet. Please go check out the link.

To the FBI site at the end, they’re trying to collect a little bit of data to see what your experience was so that they can help.

Detect and prevent this type of thing from happening again.

And finally there has been a new malicious Python package. Found in the Python package index.

This package is named PI Toya. It looks a little French. P Y T O Y L E U R. And it was designed to facilitate cryptocurrency theft.

This package had only 316 downloads before the Python package index removed it. But. The developer of this package quickly uploaded a new version with the identical malicious functionality. So it will continue to go back and forth.

And what’s interesting about this is that. This package is being promoted by. Users. Across stack overflow. Which is a very popular.

Platform where developers turn to get their questions answered.

Or to provide tips for other developers to follow. So if you go on there and you are seeking. A specific package that might do something. Another stack overflow user can then suggest this malicious package. And maybe in turn, they will be rewarded or something like that. So,

It seems like the whole internet at this point is a SEO. Competition doing what you can to get your search results up.

And as a developer myself, I know the influence that stack overflow has on many developers.

If you’re a contributor to stack overflow, you have so much sway, especially if the questions you’re answering are common questions, which often involve Python packages or Python coding. Tactics. You have a lot of influence on that platform. So, yeah, it makes sense that malicious actors would go on there. And maybe they buy a reputable stack overflow account for a lot of money. And then use it to promote malicious tools and packages.

If you are a developer and you are out there looking for new packages to use for your organization. Especially for your organization, make sure you check out the documentation, check out the website, look for anything fishy in the metadata of that package. And look for. Reviews from verified developers.

And trust me.

I know the temptation as a developer, especially for personal projects at home to just get the job done as quickly as you can. If you find a stack overflow post. That might work. You tend to just copy the code, copy the imports, try it out. And see if it works, because at that point you’re essentially just.

Troubleshooting. In production, right. You’re seeing if that code will work on your, on your little personal projects. So.

No, that some of those Python packages can install malicious malware on your computer and be used to hijack your cryptocurrency.

This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.