CryptoLuck ransomware is a new strain of malware discovered by the researcher Kafeine, that is being distributed via the RIG-E exploit kit.
The notorious researcher Kafeine has spotted a new strain of ransomware dubbed CryptoLuck. The malware leverages DLL hijacking and exploits the legitimate GoogleUpdate.exe executable to infect computers.
The ransomware appends the .[victim_id]_luck extension to the encrypted files, it is able to lock hundreds of file extensions. It skips files that contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.
The malware asks victims to pay a 2.1 Bitcoin (around $1,500) ransom within 72 hours in order to rescue the encrypted files.
The CryptoLuck ransomware is delivered through the RIG-Empire (RIG-E) exploit kit. Crooks leverages malvertising campaigns through adult websites, but likely they will adopt other infection vectors.
The ransomware is spread using a RAR SFX file which contains the crp.cfg, GoogleUpdate.exe, and goopdata.dll files, along with instructions to extract these into the %AppData%\76ff folder and to silently execute GoogleUpdate.exe.
The advantage for abusing the GoogleUpdate.exe is that is a legitimate Google program that is signed by Google.
The authors of the CryptoLuck ransomware have included a malicious goopdate.dll file in the package for the legitimate program to load into memory.
“When the GoogleUpdate.exe program is run, it will look for a DLL file called goopdate.dll file and load it. The problem is that it will first look for this file in the same folder that the GoogleUpdate.exe resides in. This allows a malware developer to create their own malicious goopdate.dll file and have it loaded by GoogleUpdate.” reads the analysis published by Lawrence Abrams from the BleepingComputer.com.
The CryptoLuck ransomware implements mechanisms to avoid analysis from security firms. It is able to determine if it is running in a virtual machine, and in this case, it halts itself. Once executed it scans all mounted drives and unmapped network shares for files to encrypt.
The ransomware uses an AES-256 encryption with a unique AES encryption key for each of file to encrypt. The key is encrypted with an embedded public RSA key and the resulting encrypted AES key is embedded in the encrypted file.
When the ransomware has completed the encryption of the files, it displays a ransom note that contains the instructions for the payment of the ransom.