CryptoLuck targets Windows OS and is distributed via the RIG exploit kit through malvertising. It infects systems through a legitimate code-signed GoogleUpdate.exe file and DLL hijacking. CryptoLuck has anti-detection features which allow it to check to see if it’s running within a virtual machine. If so, it terminates its process. If not, it searches for specific files on local drives, mounted drives, and even unmapped network shares. Once it locates the targeted files, it encrypts them using AES-256 and appends a file name extension in the following format: .[victim_id]_luck. CryptoLuck then displays a ransom note named in the following location and format: %AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt. The malicious actors behind the campaign threaten to delete the decryption key if the victim does not pay the ransom within 72 hours. The ransom payment demand is 2.1 Bitcoin.
- Bleeping Computer provides more information about CryptoLuck here.
- The NJCCIC is not aware of any decryption tools available for CryptoLuck.