A dangerous ransomware virus has appeared on the dark web, known by the name CryptoLuck. The virus uses a powerful AES cipher to encrypt the files on the compromised computer after which generate a custom AES decryption keys and sends them to the cyber-criminals. Users are extorted for the high amount of 2.1 BTC in order to get access back to their files via the unlock key. Users are advised to immediately backup their files in case they run into CryptoLuck Ransomware and those who have already ran into the virus are strongly advised to read this article and learn how to remove it and try to restore your files using the alternative techniques suggested.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.|
|Symptoms||The user may witness ransom notes and “instructions” on how to pay 2.1 BTC as a ransom payoff. Changed file names and the file-extension _luck has been used.|
|Detection Tool|| See If Your System Has Been Affected by CryptoLuck |
Malware Removal Tool
|User Experience||Join our forum to Discuss CryptoLuck.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
More Information on CryptoLuck
How Is CryptoLuck Distributed
To be distributed out there, CryptoLuck is a ransomware virus that has undertaken an ambitious campaign. It utilizes a fake program that goes by the name of “GoogleUpdate.exe”. This fake update program is supported by the RIG-E exploit kit, also referred to as “Empire”. This fake Google Update may be slithered via many techniques such as a drive-by download which is caused by advertisements of a malicious character. Such advertisements may be a part of a advertising campaign distributed via adware, browser hijackers and other PUPs installed on the compromised computer via bundling downloads.
After clicking on an altered advertisement, the user may not notice how the virus is automatically downloaded and started on his computer and after this has been done an infection has been conducted. This results in the malicious modules of the CryptoLuck ransomware being dropped possibly in the key Windows folder %AppData% under different randomly generated names names.
The interesting part regarding infection is that the original GoogleUpdate file is not a harmless entity, because it is primarily focused on managing updates for Google apps. The malicious GoogleUpdate.exe file is signed so that it looks like the original updater.
CryptoLuck Ransowmare – Post-Infection Analysis
After having infected the user, the ransomware virus aims to detect whether it is activated on a real Windows or just running on a virtual drive and if it is running on a VM, it automatically shuts down.
But if the virus is running on an actual Windows OS, CryptoLuck begins to encrypt a wide variety of file types, for example:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com
After it detects the files it is instructed to encode, the CryptoLuck malware alters segments of data in the file’s code with an AES encryption algorithm. This is enough to make the file seem corrupt and make it no longer openable. The CryptoLuck malware also appends a unique identification number to the encrypted files which is alpha numerical and they appear like the following:
After the encryption has been completed, CryptoLuck ransomware drops a pop-up program that gives the user a deadline to pay the ransom as well as the following ransom note:
“Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The singe copy of the private key which will allow you to decrypt the files located on a server on the Internet. The server will destroy the key after a time specified on this window. After that, nobody and newer will be able to restore files…
To obtain the private key for this computer, which will automatically decrypting files, you need to pay a certain amount for our labor.
ANY ATTEMPT TO REMOVE OR DAMAGE THIS SOFTWARE WILL LEAD TO THE IMMEDIATE DESTRUCTION OF THE PRIVATE KEY BY SERVER!”
CryptoLuck Ransomware – Conclusion, Removal and Restoration of _luck Files
The CryptoLuck ransomware also has a support e-mail – [email protected] on which the victims can contact the cyber-criminals. However it is highly advisable not to pay the ransom and not to negotiate with criminals since the simple idea of trusting them is a further risk for you. This is why it is recommended to remove the virus and while researchers are looking for a decryption method which is 100% working, to follow our alternative file restoration solutions in the removal instructions below.