CryptoLuck is ransomware that runs on Microsoft Windows. It uses an unusual infection method: the legitimate GoogleUpdate.exe executable is abused through DLL hijacking to load the malicious payload. Once infected, a victim's data is encrypted and the victim is given a 72-hour countdown to pay a ransom of 2.1 bitcoin (approximately $1,500 USD).



CryptoLuck has been distributed via the RIG-E exploit kit. It uses a legitimate, code-signed program from Google called GoogleUpdate.exe together with DLL hijacking to install the ransomware.

CryptoLuck is distributed as a RAR SFX file that contains the crp.cfg, GoogleUpdate.exe, and goopdate.dll files. The SFX file also carries instructions so that, when it is executed, it extracts these files into the %AppData%\76ff folder and then silently runs the GoogleUpdate.exe program.


When GoogleUpdate.exe runs, it looks for a DLL called goopdate.dll and loads it. The problem is that it first looks for this file in the same folder that GoogleUpdate.exe resides in. This allows a malware developer to create their own malicious goopdate.dll and have it loaded by GoogleUpdate.

This is what the CryptoLuck developer did: all of the ransomware code was placed in their own malicious goopdate.dll. When the legitimate GoogleUpdate.exe is executed, it loads the malicious DLL rather than the legitimate one normally shipped by Google.
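The side-load pattern described above is easy to spot in image-load telemetry. The following is an added detection example, not code from the original article: it runs over constructed Sysmon-style image-load records and flags GoogleUpdate.exe loading a goopdate.dll from outside the install location. The trusted-path prefixes and the sample paths are assumptions made for the example.

```python
import ntpath

# Constructed Sysmon-style image-load records (sample data, not real telemetry).
# "image" is the loading process, "module" is the DLL it loaded.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "module": r"C:\Program Files (x86)\Google\Update\1.3.x\goopdate.dll"},
    {"image": r"C:\Users\alice\AppData\Roaming\76ff\GoogleUpdate.exe",
     "module": r"C:\Users\alice\AppData\Roaming\76ff\goopdate.dll"},
    {"image": r"C:\Users\alice\AppData\Roaming\76ff\GoogleUpdate.exe",
     "module": r"C:\Windows\System32\kernel32.dll"},
]

# Assumption: a legitimate Google Update install lives under Program Files.
# A goopdate.dll sitting beside GoogleUpdate.exe in a user-writable folder
# such as %AppData% matches the hijack described in the article.
TRUSTED_PREFIXES = (
    r"c:\program files\google\update",
    r"c:\program files (x86)\google\update",
)


def is_user_writable(path):
    """Crude heuristic: anything under a user profile's AppData tree."""
    return "\\appdata\\" in path.lower()


def suspicious_goopdate_loads(events):
    """Return (image, module) pairs where GoogleUpdate.exe loaded a
    goopdate.dll from outside the trusted install location."""
    hits = []
    for ev in events:
        image, module = ev["image"], ev["module"]
        if ntpath.basename(image).lower() != "googleupdate.exe":
            continue
        if ntpath.basename(module).lower() != "goopdate.dll":
            continue
        mod_dir = ntpath.dirname(module).lower()
        trusted = any(mod_dir.startswith(p) for p in TRUSTED_PREFIXES)
        # Side-by-side load: the DLL came from the executable's own folder,
        # which is exactly the search-order behaviour the malware relies on.
        side_by_side = mod_dir == ntpath.dirname(image).lower()
        if not trusted and (side_by_side or is_user_writable(module)):
            hits.append((image, module))
    return hits
```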

When CryptoLuck infects a computer, it first checks whether it is running inside a virtual machine and, if so, the process terminates. Otherwise it scans the computer, its mounted drives, and unmapped network shares for files with certain extensions. According to Fabian Wosar of Emsisoft, when it finds a targeted file it generates a unique AES key for that file and encrypts the file with AES-256. That per-file key is then encrypted with an embedded RSA public key, and the resulting encrypted AES key is embedded in the encrypted file.

The current public RSA encryption key for CryptoLuck is:


When files are encrypted, the extension .[victim_id]_luck is appended to the filename. For example, if a victim has the ID 0054B131 and a file called test.jpg is encrypted by CryptoLuck, its new name is test.jpg.0054B131_luck. The original name of each encrypted file is then added as an entry under the HKCU\Software\sosad_[victim_idfile]\files key.

The files targeted by CryptoLuck are:

.3ds .3fr .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .apk .arch00 .arj .arw 
.asset .bar .bay .bc6 .bc7 .big .bik .bkf .bkp .blob .bpw .bsa .cas .cdr .cer .cfr 
.cr2 .crp .crt .crw .csv .d3dbsp .das .dazip .db0 .dba .dbf .dbx .dcr .der .desc 
.dmp .dng .doc .docm .docx .dot .dotm .dotx .dwfx .dwg .dwk .dxf .dxg .eml .epk 
.eps .erf .esm .fdb .ff .flv .forge .fos .fpk .fsh .gdb .gho .gpg .gxk .hkdb .hkx 
.hplg .hvpl .ibank .icxs .idx .ifx .indd .iso .itdb .itl .itm .iwd .iwi .jpe .jpeg 
.jpg .js .kdb .kdbx .kdc .key .kf .ksd .layout .lbf .litemod .lrf .ltx .lvl .m2 
.map .max .mcmeta .mdb .mdbackup .mddata .mdf .mef .menu .mlx .mpd .mpp .mpqge 
.mrwref .msg .myo .nba .nbf .ncf .nrw .nsf .ntl .nv2 .odb .odc .odm .odp .ods .odt 
.ofx .orf .p12 .p7b .p7c .pak .pdb .pdd .pdf .pef .pem .pfx .pgp .pkpass .ppj .pps 
.ppsx .ppt .pptm .pptx .prproj .psd .psk .pst .psw .ptx .py .qba .qbb .qbo .qbw 
.qdf .qfx .qic .qif .r3d .raf .rar .raw .rb .re4 .rgss3a .rim .rofl .rtf .rw2 .rwl 
.saj .sav .sb .sdc .sdf .sid .sidd .sidn .sie .sis .sko .slm .snx .sql .sr2 .srf 
.srw .sum .svg .sxc .syncdb .t12 .t13 .tar .tax .tbl .tib .tor .txt .upk .vcf 
.vcxproj .vdf .vfs0 .vpk .vpp_pc .vtf .w3x .wallet .wb2 .wdb .wotreplay .wpd .wps 
.x3f .xf .xlk .xls .xlsb .xlsm .xlsx .xxx .zip .ztmp

When CryptoLuck scans for files to encrypt, it will skip files whose names contain the following strings:

Program Files
Program Files (x86)
Application Data
Temporary Internet Files

When it has finished encrypting the files and available network shares, it displays a ransom note named %AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt. The ransom note contains instructions on how to download the decryptor and make the ransom payment. The text of the ransom note is:

A T T E N T I O N !

Your important files encryption produced on this computer: photos, 
videos, documents, etc. Encryption was produced using a unique public key 
RSA-2048 generated for this computer. To decrypt files you need to obtain 
the private key.

If you see this text but don't see Decryptor Wizard window - please, 
disable any Firewalls and antivirus products, and download Decryptor 
Wizard on this URL:

You have 72 hours for payment.
After this time the private key will be destroyed.

For more info and support, please, contact us at this email address:

The victim is then shown a Decryption Wizard that walks them through making a payment and then waits for the payment to be made. If the ransom is paid, the decryptor states it will automatically decrypt the victim's files.

Files associated with CryptoLuck:


Registry entries associated with CryptoLuck:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate.exe	%AppData%\76ff\GoogleUpdate.exe
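The renamed files, the ransom note and the Run-key entry described above can be pulled together into a quick host triage. This is an added example, not code from the original article: it runs over a constructed list of paths and a constructed Run-key listing, extracts victim IDs and original filenames, and reports the persistence entry. It assumes the victim ID is eight hex digits, as in the article's 0054B131 example.

```python
import re

# Encrypted files get ".<victim_id>_luck" appended to the original name.
# Assumption: the ID is eight hex digits, as in the article's example.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.(?P<vid>[0-9A-Fa-f]{8})_luck$")
NOTE_RE = re.compile(r"^@WARNING_FILES_ARE_ENCRYPTED\.(?P<vid>[0-9A-Fa-f]{8})\.txt$")

# Constructed sample of paths as a triage script might collect them.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\test.jpg.0054B131_luck",
    r"C:\Users\alice\Documents\report.docx.0054B131_luck",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\Roaming\@WARNING_FILES_ARE_ENCRYPTED.0054B131.txt",
    r"C:\Users\alice\AppData\Roaming\76ff\GoogleUpdate.exe",
]

# Constructed Run-key listing (value name -> data); the first entry mirrors
# the persistence entry listed in the article.
SAMPLE_RUN_KEY = {
    "GoogleUpdate.exe": r"%AppData%\76ff\GoogleUpdate.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}


def triage(paths, run_key):
    """Summarise CryptoLuck artefacts: victim IDs seen, original names of
    encrypted files, ransom notes found, and Run-key persistence."""
    report = {"victim_ids": set(), "encrypted": [], "notes": [], "persistence": []}
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        m = ENCRYPTED_RE.match(name)
        if m:
            report["victim_ids"].add(m["vid"].upper())
            report["encrypted"].append(m["orig"])  # name before encryption
            continue
        m = NOTE_RE.match(name)
        if m:
            report["victim_ids"].add(m["vid"].upper())
            report["notes"].append(path)
    for value, data in run_key.items():
        # Run value pointing at the dropped copy of GoogleUpdate.exe in 76ff.
        if data.lower().endswith(r"\76ff\googleupdate.exe"):
            report["persistence"].append(f"{value} -> {data}")
    return report
```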