Proofpoint security researcher and exploit kit expert Kafeine has come across a newly developed ransomware called CryptoLuck, which is being distributed via the RIG-E (Empire) exploit kit (EK). It is unusual for a brand-new ransomware family to be spread through an exploit kit, and a family that is gets much wider distribution, so CryptoLuck is likely to reach a large number of victims.
The way CryptoLuck infects its victims is also interesting: it uses DLL hijacking against the legitimate GoogleUpdate.exe executable. Once the victim's files are encrypted, the victim is given a 72-hour deadline to pay a ransom of 2.1 Bitcoin (around $1,500 USD).
Kafeine added that he has seen CryptoLuck being spread by the RIG-E EK through malvertising. He observed this particular sample in adult-site advertising, but that does not mean it is not being spread through other channels as well, such as compromised websites.
As mentioned above, CryptoLuck installs itself through DLL hijacking of GoogleUpdate.exe, a legitimate program code-signed by Google. The ransomware is distributed as a RAR SFX archive containing three files: crp.cfg, GoogleUpdate.exe, and goopdate.dll. When GoogleUpdate.exe runs, it looks for a DLL named goopdate.dll and loads it. Because the first place Windows searches for a DLL is the directory the executable was launched from, the crook can simply place their own malicious goopdate.dll next to GoogleUpdate.exe and it will be loaded in place of the real one. The malware developer put all of the ransomware code into this fake DLL, so the moment the signed, legitimate GoogleUpdate.exe loads it, the ransomware is running. This is why controls that trust a binary because it carries a valid Google signature do not help here: the executable is genuine, and the malicious logic lives entirely in the DLL beside it.
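The following is an added hunting script, not code from the original article or from Kafeine/Proofpoint, that looks for the loader pattern described above: a validly signed GoogleUpdate.exe sitting next to a goopdate.dll that is not Google-signed, in a directory Google does not normally install to. The search roots and the list of "known good" Google install paths are assumptions for illustration and should be adjusted per host.

```powershell
# Added example (not from the original article or from Kafeine/Proofpoint): hunt for
# the CryptoLuck loader pattern, a signed GoogleUpdate.exe beside a goopdate.dll that
# is unsigned or signed by someone other than Google, outside Google's install paths.
# $SearchRoots and $KnownGoodRoots are assumptions for illustration; adjust per host.

$SearchRoots = @("$env:USERPROFILE", "$env:ProgramData", "$env:TEMP")
$KnownGoodRoots = @(
    "$env:ProgramFiles\Google",
    "${env:ProgramFiles(x86)}\Google",
    "$env:LOCALAPPDATA\Google"
)

function Test-GoogleUpdateHijack {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Find every GoogleUpdate.exe; -ErrorAction keeps access-denied dirs from aborting the scan
        Get-ChildItem -Path $root -Recurse -Filter 'GoogleUpdate.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = $_
            $dir = $exe.DirectoryName
            $dll = Join-Path $dir 'goopdate.dll'
            if (-not (Test-Path $dll)) { return }   # no side-loaded DLL here, skip

            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            $dllSig = Get-AuthenticodeSignature -FilePath $dll

            $inKnownGood = $false
            foreach ($good in $KnownGoodRoots) {
                if ($dir.StartsWith($good, [System.StringComparison]::OrdinalIgnoreCase)) { $inKnownGood = $true }
            }

            # Suspicious: a validly signed Google binary next to a DLL that is unsigned
            # (or signed by someone else) in a directory Google does not install to.
            $exeValid = $exeSig.Status -eq 'Valid'
            $dllValid = ($dllSig.Status -eq 'Valid') -and ($dllSig.SignerCertificate.Subject -like '*Google*')
            if ($exeValid -and -not $dllValid -and -not $inKnownGood) {
                [PSCustomObject]@{
                    Directory = $dir
                    ExeSigner = $exeSig.SignerCertificate.Subject
                    DllStatus = $dllSig.Status
                    DllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { $null }
                    Verdict   = 'Possible GoogleUpdate.exe DLL hijack (CryptoLuck pattern)'
                }
            }
        }
    }
}

Test-GoogleUpdateHijack -Roots $SearchRoots | Format-List
```

The check keys on the combination rather than on either file alone: a genuine GoogleUpdate.exe under a user profile is not by itself malicious, and an unsigned goopdate.dll is only dangerous when a loader that trusts its own directory sits next to it. The same pattern generalises to any signed binary that resolves a DLL from its own folder first.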
Once on the system, CryptoLuck first checks whether it is running inside a virtual machine; if it is, the process exits. Otherwise the ransomware continues by scanning the system for files with certain extensions.
Emsisoft's Fabian Wosar explains that the ransomware generates a unique AES key for each targeted file and encrypts the file with AES-256. CryptoLuck then renames each encrypted file, replacing the original name with the victim's ID and appending the ".[victim_id]_luck" extension. The original name of each encrypted file is recorded as an entry under the HKCU\Software\sosad_[victim_id]\files registry key.
After the encryption process is complete, the ransomware drops a ransom note at "%AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt". As usual, it contains instructions on how the victim should make the payment. The victim is also shown a Decryption Wizard that walks them through the payment steps and then waits for the ransom to be paid; once it is, the decryptor claims it will automatically decrypt the victim's files.
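The two paragraphs above name three host artifacts a responder can collect: the sosad_[victim_id] registry key holding the original file names, the ".[victim_id]_luck" extension on encrypted files, and the ransom note in %AppData%. The following is an added triage script, not code from the original article or from Emsisoft, that pulls these together. The exact layout of the values under the "files" subkey is not described on the page, so the script assumes each value's name is the encrypted file name and its data is the original name; treat that mapping as an assumption to verify against a real sample.

```powershell
# Added example (not from the original article or from Emsisoft): collect the
# CryptoLuck artifacts on a host and pair renamed files with the original names the
# ransomware records in the registry.
# Assumptions: value name under ...\files = encrypted file name, value data = original
# name; $ScanRoot is an illustrative scan root.

function Get-CryptoLuckArtifacts {
    param([string]$ScanRoot = $env:USERPROFILE)   # assumed root for the file search

    $results = @()
    # Each infected user gets a per-victim key HKCU\Software\sosad_<victim_id>
    $keys = Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'sosad_*' }

    foreach ($key in $keys) {
        $victimId = $key.PSChildName -replace '^sosad_', ''
        $filesKey = Join-Path $key.PSPath 'files'

        # Build encrypted-name -> original-name map (layout is an assumption, see above)
        $map = @{}
        if (Test-Path $filesKey) {
            $props = Get-ItemProperty -Path $filesKey
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider...
                $map[$p.Name] = $p.Value
            }
        }

        # Ransom note location stated in the write-up
        $note = Join-Path $env:APPDATA "@WARNING_FILES_ARE_ENCRYPTED.$victimId.txt"

        # Encrypted files carry the ".<victim_id>_luck" extension
        $pattern = '*.' + $victimId + '_luck'
        $encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter $pattern -ErrorAction SilentlyContinue
        foreach ($f in $encrypted) {
            $results += [PSCustomObject]@{
                VictimId      = $victimId
                RansomNote    = if (Test-Path $note) { $note } else { '<not found>' }
                EncryptedFile = $f.FullName
                OriginalName  = if ($map.ContainsKey($f.Name)) { $map[$f.Name] } else { '<not in registry>' }
            }
        }
    }
    $results
}

Get-CryptoLuckArtifacts | Format-Table -AutoSize
```

The registry map matters even though the files cannot be decrypted: it tells the responder which files were hit and what they were called, which is what is needed to scope the damage and restore from backup selectively.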
The bad news is that CryptoLuck is currently undecryptable: each file is encrypted with its own AES key, and those per-file keys can only be recovered with the master RSA decryption key, which only the ransomware's author holds.