Security Experts:

Connect with us

Hi, what are you looking for?



CryptoLuck Ransomware Emerges

A new ransomware family spotted for the first time recently is already being distributed via an exploit kit (EK).

A new ransomware family spotted for the first time recently is already being distributed via an exploit kit (EK).

Dubbed CryptoLuck, the new ransomware variant was discovered by “Kafeine”, a Proofpoint researcher and maintainer of the Malware don’t need Coffee blog. Noteworthy about the malware is that it abuses the legitimate GoogleUpdate.exe executable and leverages DLL hijacking to infect computers, in addition to asking for a 2.1 Bitcoin (around $1,500) ransom to be paid within 72 hours.

The new threat is being distributed through the RIG-Empire (RIG-E) exploit kit, a toolkit that emerged last month. The distribution campaign leverages malvertising and is targeting the visitors of adult websites, it seems. However, it could also start spreading through compromised sites and other vectors.

The ransomware spreads in the form of a RAR SFX file which contains the crp.cfg, GoogleUpdate.exe, and goopdata.dll files, along with instructions to extract these into the %AppData%76ff folder and to silently execute GoogleUpdate.exe. Because the executable automatically looks in its folder for a DLL file to load, the malware authors have included a malicious goopdate.dll file in the package for the legitimate program to load into memory.

The ransomware was observed performing a series of checks to determine if it is running in a virtual machine and terminates itself if that is the case. Otherwise, the malware scans all mounted drives and unmapped network shares for files that it can encrypt.

The malware uses AES-256 encryption and generates a unique AES encryption key for each of discovered files. This key is encrypted with an embedded public RSA key and the resulting encrypted AES key is embedded in the encrypted file.

The ransomware appends the .[victim_id]_luck extension to the encrypted files and security researchers say that the threat targets a couple of hundreds of file extensions to encrypt. However, the malware skips files that contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.

As soon as the encryption process has been completed, the malware displays a ransom note which provides users with detailed instructions on how to download the decryptor and make the ransom payment.

A Decryption Wizard walks the victims through making the payment and also waits for the operation to be completed, after which it informs the victim that the affected files will be automatically decrypted.

Related: CrySiS Ransomware Master Decryption Keys Released

Related: CryPy Ransomware Uses Unique Key for Each File

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...