Dubbed CryptoLuck, the new ransomware variant was discovered by “Kafeine”, a Proofpoint researcher and maintainer of the Malware don’t need Coffee blog. Noteworthy about the malware is that it abuses the legitimate GoogleUpdate.exe executable and leverages DLL hijacking to infect computers, in addition to asking for a 2.1 Bitcoin (around $1,500) ransom to be paid within 72 hours.
The new threat is being distributed through the RIG-Empire (RIG-E) exploit kit, a toolkit that emerged last month. The distribution campaign leverages malvertising and appears to target visitors of adult websites. However, it could also start spreading through compromised sites and other vectors.
The ransomware spreads in the form of a RAR SFX file which contains the crp.cfg, GoogleUpdate.exe, and goopdate.dll files, along with SFX instructions to extract these into the %AppData%\76ff folder and to silently execute GoogleUpdate.exe. Because GoogleUpdate.exe looks in its own directory for goopdate.dll when it starts, the malware authors have included a malicious goopdate.dll in the package, which the legitimate program then loads into memory (a DLL search-order hijack).
The ransomware was observed performing a series of checks to determine if it is running in a virtual machine and terminates itself if that is the case. Otherwise, the malware scans all mounted drives and unmapped network shares for files that it can encrypt.
The malware uses AES-256 encryption and generates a unique AES encryption key for each discovered file. This key is encrypted with an embedded public RSA key, and the resulting encrypted AES key is embedded in the encrypted file, so the file key can only be recovered by whoever holds the matching RSA private key.
The ransomware appends the .[victim_id]_luck extension to the encrypted files, and security researchers say that the threat targets a couple of hundred file extensions. However, the malware skips files whose paths contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.
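The two host-side indicators described above (the GoogleUpdate.exe/goopdate.dll sideload from %AppData% and the .[victim_id]_luck file naming) can be checked in triage with a small script. The following is an added example, not code from the original article or from any researcher; the Sysmon-style image-load records and the "trusted" install directories are constructed assumptions for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Directories the genuine updater is expected to run from (assumption for this example).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ImageLoad:
    process_image: str  # full path of the running executable
    loaded_module: str  # full path of the DLL it loaded

def flag_sideload(ev: ImageLoad) -> Optional[str]:
    """Alert when GoogleUpdate.exe runs outside its install directory and
    loads a DLL from the same user-writable (AppData) folder."""
    exe_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.loaded_module).lower()
    if ntpath.basename(ev.process_image).lower() != "googleupdate.exe":
        return None
    if exe_dir.startswith(TRUSTED_DIRS):
        return None  # normal install path, nothing to report
    if exe_dir == dll_dir and "\\appdata\\" in exe_dir + "\\":
        return (f"GoogleUpdate.exe in {exe_dir} loaded "
                f"{ntpath.basename(ev.loaded_module)} from the same folder")
    return None

# Matches '<original name>.<victim_id>_luck' as described in the article.
LUCK_NAME = re.compile(r"^(?P<original>.+)\.(?P<victim_id>[^.\\]+)_luck$")

def parse_luck_name(filename: str) -> Optional[tuple]:
    """Split 'report.docx.<victim_id>_luck' into (original name, victim id)."""
    m = LUCK_NAME.match(ntpath.basename(filename))
    return (m["original"], m["victim_id"]) if m else None

def triage(events):
    """Return the alert strings for every suspicious image-load event."""
    return [a for a in (flag_sideload(e) for e in events) if a]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ImageLoad(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
              r"C:\Program Files (x86)\Google\Update\1.3.33.7\goopdate.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\76ff\GoogleUpdate.exe",
              r"C:\Users\alice\AppData\Roaming\76ff\goopdate.dll"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
    print(parse_luck_name(r"D:\share\budget.xlsx.ABCD1234_luck"))
```

Only the second constructed event is flagged; the first mirrors a normal installation and is ignored.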
As soon as the encryption process has been completed, the malware displays a ransom note which provides users with detailed instructions on how to download the decryptor and make the ransom payment.
A Decryption Wizard walks the victims through making the payment and also waits for the operation to be completed, after which it informs the victim that the affected files will be automatically decrypted.