New Ransomware Hits Market

Tuesday, November 22, 2016 @ 05:11 PM gHale

A new ransomware family is going out via an exploit kit.

Called CryptoLuck, the new ransomware variant abuses the legitimate GoogleUpdate.exe executable and leverages DLL hijacking to infect computers, then demands a 2.1 Bitcoin (around $1,500) ransom within 72 hours.


The new threat, discovered by “Kafeine”, a Proofpoint researcher, is going out through the RIG-Empire (RIG-E) exploit kit, a toolkit that emerged last month. The distribution campaign leverages malvertising and currently targets visitors of adult websites. However, it could also start spreading through compromised sites and other vectors.

The ransomware spreads via a RAR SFX file which contains the crp.cfg, GoogleUpdate.exe, and goopdate.dll files, along with instructions to extract them into the %AppData%\76ff folder and to silently execute GoogleUpdate.exe.

Because the executable automatically looks in its folder for a DLL file to load, the malware authors have included a malicious goopdate.dll file in the package for the legitimate program to load into memory.

The ransomware checks whether it is running in a virtual machine and, if so, terminates itself.

Otherwise, the malware scans all mounted drives and unmapped network shares for files it can encrypt.

The malware uses AES-256 encryption and generates a unique AES key for each discovered file. This key is encrypted with an embedded public RSA key, and the resulting encrypted AES key is embedded in the encrypted file.

The ransomware appends the .[victim_id]_luck extension to the encrypted files and security researchers said the threat targets a couple hundred file extensions to encrypt. However, the malware skips files that contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.
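The two on-disk traces the article describes, the GoogleUpdate.exe/goopdate.dll pair dropped outside the normal Google install path (for DLL hijacking) and files renamed with a .[victim_id]_luck extension, can be hunted for with a simple filesystem sweep. The script below is an added defender-side example, not code from the article or from the malware; it builds a constructed sample directory tree (placeholder files only) so it runs offline, and the victim_id "4A7F" in the sample name is made up.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the article: the SFX drops these into %AppData%\76ff and
# relies on GoogleUpdate.exe loading goopdate.dll from its own folder.
DROPPED_FILES = {"crp.cfg", "GoogleUpdate.exe", "goopdate.dll"}
# Encrypted files receive a ".<victim_id>_luck" extension.
LUCK_EXT = re.compile(r"\.[0-9A-Za-z]+_luck$")

def scan_tree(root):
    """Walk `root`; return (suspect_dirs, encrypted_files) found beneath it."""
    suspect_dirs, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        parts = Path(dirpath).parts
        # The pair is expected under a Program Files path; the same pair in a
        # user-writable folder matches the hijacking layout described above.
        in_program_files = any(p.startswith("Program Files") for p in parts)
        if {"GoogleUpdate.exe", "goopdate.dll"} <= set(files) and not in_program_files:
            suspect_dirs.append(dirpath)
        encrypted.extend(os.path.join(dirpath, f) for f in files if LUCK_EXT.search(f))
    return suspect_dirs, encrypted

def build_sample_tree():
    """Constructed sample mimicking an infected profile; placeholder bytes only."""
    root = tempfile.mkdtemp()
    drop = Path(root, "AppData", "Roaming", "76ff")
    drop.mkdir(parents=True)
    for name in DROPPED_FILES:
        (drop / name).write_bytes(b"placeholder")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.4A7F_luck").write_bytes(b"placeholder")  # constructed
    (docs / "notes.txt").write_bytes(b"placeholder")               # untouched file
    # A legitimate-looking install location with the same file names: not flagged.
    legit = Path(root, "Program Files (x86)", "Google", "Update")
    legit.mkdir(parents=True)
    for name in ("GoogleUpdate.exe", "goopdate.dll"):
        (legit / name).write_bytes(b"placeholder")
    return root

if __name__ == "__main__":
    dirs, files = scan_tree(build_sample_tree())
    print("suspect hijack dirs:", dirs)
    print("encrypted files:", files)
```

The location check is a heuristic; a production detection would additionally verify the Authenticode signature of the goopdate.dll that a signed GoogleUpdate.exe actually loads.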

As soon as the encryption process has been completed, the malware displays a ransom note which provides users with detailed instructions on how to download the decryptor and make the ransom payment.
