CryptoLuck Ransomware spread through the RIG-E Exploit Kit

CryptoLuck ransomware is a new strain of malware discovered by the researcher Kafeine, that is being distributed via the RIG-E exploit kit.

The notorious researcher Kafeine has spotted a new strain of ransomware dubbed CryptoLuck. The malware leverages DLL hijacking and exploits the legitimate GoogleUpdate.exe executable to infect computers.

The ransomware appends the .[victim_id]_luck extension to the encrypted files, it is able to lock hundreds of file extensions. It skips files that contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.

The malware asks victims to pay a 2.1 Bitcoin (around $1,500) ransom within 72 hours in order to rescue the encrypted files.

The CryptoLuck ransomware is delivered through the RIG-Empire (RIG-E) exploit kit. Crooks leverages malvertising campaigns through adult websites, but likely they will adopt other infection vectors.

The ransomware is spread using a RAR SFX file which contains the crp.cfg, GoogleUpdate.exe, and goopdata.dll files, along with instructions to extract these into the %AppData%\76ff folder and to silently execute GoogleUpdate.exe.

The advantage for abusing the GoogleUpdate.exe is that is a legitimate Google program that is signed by Google.

The authors of the CryptoLuck ransomware have included a malicious goopdate.dll file in the package for the legitimate program to load into memory.

“When the GoogleUpdate.exe program is run, it will look for a DLL file called goopdate.dll file and load it. The problem is that it will first look for this file in the same folder that the GoogleUpdate.exe resides in. This allows a malware developer to create their own malicious goopdate.dll file and have it loaded by GoogleUpdate.” reads the analysis published by Lawrence Abrams from the BleepingComputer.com.

The CryptoLuck ransomware implements mechanisms to avoid analysis from security firms. It is able to determine if it is running in a virtual machine, and in this case, it halts itself. Once executed it scans all mounted drives and unmapped network shares for files to encrypt.

The ransomware uses an AES-256 encryption with a unique AES encryption key for each of file to encrypt. The key is encrypted with an embedded public RSA key and the resulting encrypted AES key is embedded in the encrypted file.

When the ransomware has completed the encryption of the files, it displays a ransom note that contains the instructions for the payment of the ransom.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CryptoLuck ransomware , cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.