Proofpoint security researcher and exploit kit expert Kafeine have discovered a new ransomware known as CryptoLuck which is being discovered by the RIG-E exploit kit. This uncommon distribution may account for a larger amount of victims.
Kafeine claims to have spotted the distribution through malvertising on the Adult websites and there is a possibility that it is distributed through other compromised sites as well.
Ransomware is what appears to be the most dangerous virus due to the low chance of recovery. CryptoLuck infects the victim’s system through the legitimate and code signed program from Google called GoogleUpdate.exe executable and DLL hijacking. Once infected, all valuable user data will be locked with .(victim’s ID)_luck extension and a ransom note will appear reading, “@WARNING_FILES_ARE_ENCRYPTED.(victim’s_id).txt” and 72 hours will be given to pay a 2.1 bitcoin or approximately $1,500 USD as ransom. Victims will be also requested to contact developers at email: YAFUNN@YAHOO.COM. This ransomware may also be dubbed: YafunnLocker ransomware, Yafunn ransomware, Luck ransomware or LuckLocker ransomware.
When CryptoLuck scans files to encrypt, it will skip the ones with following strings and target all others.
WINDOWS Program Files
Program Files (x86)
ProgramData
AppData
Application Data
Temporary Internet Files
Temp
Games
nvidia
intel
$Recycle.Bin
Cookies
Since removing malware manually may require high computer skills and knowledge, it is bet advisable to use an anti-malware tool.
Ransomware attacks are rising to disturbing levels which are making cybercrime more dangerous. While good ransomware can be trusted to return the access after payment, the low-quality ransomware is always doubtful because they don’t work as expected. Files are unlocked after receiving the ransom with the help of RSA key which is stored at developers command and control server (C&C).
Many suggest that if one falls a prey to the attack, they should pay the ransom and hope that all the data gets back, however in this case one has to risk losing money and still be not sure if the files will be unlocked or not.
The best option is to have a backup on a hard drive and perform a system restore. To remove the ransomware, any anti-malware software can be run on the system which will remove the virus but the files will remain locked. One has to decrypt the files but before performing it one should scan the computer for possible data loss.