CryptoLuck – PREVENTED by Minerva

November 18, 2016


Minerva Research Team

A Google-Signed Ransomware?

During the last couple of days, a new ransomware campaign dubbed CryptoLuck was unveiled by the exploit kit expert @kafeine.

As described in the detailed analysis published by Bleeping Computer, what makes this ransomware variant unusual is that its malicious code runs inside a legitimate program signed by Google. The attackers abuse Google's benign update utility (GoogleUpdate.exe) to load a malicious DLL (goopdate.dll) dropped beside it, a technique known as DLL hijacking, also called DLL side-loading or search-order hijacking: the Windows loader looks for a library in the executable's own directory before the system paths, so the attacker's copy is picked up instead of the genuine one. Security solutions that trust a process on the strength of its host executable's identity or signature therefore see a Google-signed binary and let the ransomware through.

The legitimate Google updater is dropped alongside the malicious DLL
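One way to hunt for this pattern in telemetry, added here as an example and not code from Minerva or from the Bleeping Computer analysis: the rules below run over records shaped like Sysmon Event ID 7 (ImageLoad). The field names are Sysmon's; every record is constructed for illustration except the goopdate.dll SHA-256, which is the IoC listed at the end of this post. The expected updater directories and the user-writable path markers are assumptions to tune for your environment. Rule R2 generalises beyond CryptoLuck to any unsigned DLL loaded from beside an executable that runs out of a drop location.

```python
"""Hunt for a signed host process side-loading an untrusted DLL in
Sysmon Event ID 7 (ImageLoad) style records.

Added example, not code from Minerva or from the ransomware analysis.
Field names are Sysmon's; all records are constructed for illustration,
except the goopdate.dll SHA-256, which is the IoC listed in this post.
"""
import ntpath
from typing import Dict, List, Tuple

# SHA-256 of the malicious goopdate.dll (IoC section of this post).
KNOWN_BAD_SHA256 = {
    "434f25211aee63132486607a1d93e1031db4c366375c6b3f5af035eb9de17e40",
}
# Where the genuine updater is expected to live (assumption: adjust to the
# Google Update layout deployed in your environment).
EXPECTED_UPDATER_DIRS = {
    "c:\\program files (x86)\\google\\update",
    "c:\\program files\\google\\update",
}
# Fragments marking user-writable drop locations (assumption: extend as needed).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower().rstrip("\\")


def sha256_from_hashes(hashes: str) -> str:
    """Extract SHA256 from Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' field."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def dll_is_trusted(ev: Dict[str, str]) -> bool:
    """A loaded image is trusted only if Sysmon recorded a valid signature."""
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Names of the rules an ImageLoad event trips; an empty list is clean."""
    hits: List[str] = []
    host, dll = ev["Image"], ev["ImageLoaded"]
    host_dir, dll_dir = _dir(host), _dir(dll)

    # R1: exact IoC match on the loaded module.
    if sha256_from_hashes(ev.get("Hashes", "")) in KNOWN_BAD_SHA256:
        hits.append("R1-known-bad-hash")

    # R2: generic side-load shape. The loader searches the EXE's own directory
    # before the system paths, so an unsigned DLL dropped beside an EXE that
    # runs from a user-writable location is the hijack itself, whatever the family.
    if (not dll_is_trusted(ev) and dll_dir == host_dir
            and any(m in host_dir + "\\" for m in USER_WRITABLE_MARKERS)):
        hits.append("R2-unsigned-dll-beside-host")

    # R3: this campaign's shape: the Google updater running anywhere but its
    # install directory and pulling in goopdate.dll.
    if (ntpath.basename(host).lower() == "googleupdate.exe"
            and host_dir not in EXPECTED_UPDATER_DIRS
            and ntpath.basename(dll).lower() == "goopdate.dll"):
        hits.append("R3-relocated-google-updater")
    return hits


# Constructed Sysmon Event ID 7 records (invented values, apart from the IoC
# hash in the second record).
EVENTS: List[Dict[str, str]] = [
    {   # genuine updater in place, loading its own Google-signed DLL
        "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.31.5\goopdate.dll",
        "Hashes": "SHA256=" + "11" * 32,
        "Signed": "true", "Signature": "Google Inc", "SignatureStatus": "Valid",
    },
    {   # SFX drop: the same signed updater in Temp, beside an unsigned goopdate.dll
        "Image": r"C:\Users\victim\AppData\Local\Temp\7zS4A2F\GoogleUpdate.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\7zS4A2F\goopdate.dll",
        "Hashes": "SHA256=434f25211aee63132486607a1d93e1031db4c366375c6b3f5af035eb9de17e40",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {   # ordinary system activity, must stay silent
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Hashes": "SHA256=" + "22" * 32,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(index, rule hits) for every event that tripped at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in hunt(EVENTS):
        print(f"event {idx}: {EVENTS[idx]['Image']} -> {', '.join(hits)}")
```

The hash rule (R1) expires the moment the attackers rebuild the DLL; R2 and R3 key on the layout the technique needs, a signed executable running from a writable directory next to an unsigned library of the name it imports, and keep working after the next repack. Sysmon only records signature data for the loaded image, not for the host process, which is why the host side of the rule relies on path and file name.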

Unfortunately, if you have already been hit by CryptoLuck there is very little you can do: the encryption appears to be implemented correctly and a unique decryption key is generated for each victim, so the files cannot be recovered without it.

Using Malware's Greatest Fears Against It

So, other than paying the cyber-crooks $1,500, what can you do? Fortunately, like many other malware families, CryptoLuck performs a series of checks before unpacking its malicious payload, looking for traces of virtualization products and other programs whose presence implies it is running in a hostile environment, such as an analyst's sandbox.

The malware tests whether hints of a hostile environment are present

On a Minerva-protected endpoint, our Environment Simulation Technology (EST) makes the ransomware believe that its greatest fears have come true, so it halts execution immediately, well before any damage is done.
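To make the mechanism concrete, here is an added model of the kind of checks such samples run and of why exposing decoys defeats them. This is example code written for this page, not Minerva's EST and not CryptoLuck's actual check routine (the post does not list which artifacts it looks for); the indicator tables hold widely known VMware, VirtualBox and analysis-tool artifacts, and both environment snapshots are constructed.

```python
"""Model of the anti-analysis checks evasive malware runs before unpacking,
and of why exposing decoy artifacts turns them into a kill switch.

Added example: this is neither Minerva's Environment Simulation Technology
nor CryptoLuck's own checks (the post does not list them). The indicator
tables hold widely known VMware, VirtualBox and analysis-tool artifacts;
both environment snapshots are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set

VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "vmwaretray.exe"}
ANALYSIS_TOOLS = {"wireshark.exe", "procmon.exe", "ollydbg.exe", "x64dbg.exe"}
VM_REGISTRY_KEYS = {
    "hklm\\software\\vmware, inc.\\vmware tools",
    "hklm\\software\\oracle\\virtualbox guest additions",
}
VM_FILES = {
    "c:\\windows\\system32\\drivers\\vmmouse.sys",
    "c:\\windows\\system32\\drivers\\vboxguest.sys",
}
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "08:00:27")  # VMware, VMware, VirtualBox OUIs


@dataclass
class Environment:
    """Snapshot of what the sample can observe; compared case-insensitively."""
    processes: Set[str] = field(default_factory=set)
    registry_keys: Set[str] = field(default_factory=set)
    files: Set[str] = field(default_factory=set)
    mac_addresses: Set[str] = field(default_factory=set)


def _lower(values: Set[str]) -> Set[str]:
    return {v.lower() for v in values}


def hostile_indicators(env: Environment) -> List[str]:
    """The checks an evasive sample performs, as a defender would re-implement
    them. Note the OR semantics: a single hit is enough for the sample to bail."""
    found: List[str] = []
    found += [f"process:{p}" for p in sorted(_lower(env.processes) & (VM_PROCESSES | ANALYSIS_TOOLS))]
    found += [f"registry:{k}" for k in sorted(_lower(env.registry_keys) & VM_REGISTRY_KEYS)]
    found += [f"file:{f}" for f in sorted(_lower(env.files) & VM_FILES)]
    found += [f"mac:{m}" for m in sorted(_lower(env.mac_addresses)) if m.startswith(VM_MAC_PREFIXES)]
    return found


def malware_would_run(env: Environment) -> bool:
    """True when none of the checks fire, i.e. the payload would be unpacked."""
    return not hostile_indicators(env)


def plant_decoys(env: Environment) -> Environment:
    """Defender side of the same table: make a physical workstation look
    hostile with the cheapest fakes the checks above will notice. In this
    model nothing is written to the real registry or disk."""
    return Environment(
        processes=set(env.processes),
        registry_keys=env.registry_keys | {"HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"},
        files=env.files | {"C:\\Windows\\System32\\drivers\\vmmouse.sys"},
        mac_addresses=set(env.mac_addresses),
    )


# Constructed snapshot of an ordinary physical workstation.
WORKSTATION = Environment(
    processes={"explorer.exe", "OUTLOOK.EXE", "GoogleUpdate.exe"},
    registry_keys={"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
    files={"C:\\Windows\\System32\\drivers\\ndis.sys"},
    mac_addresses={"3c:52:82:aa:bb:cc"},
)

# Constructed snapshot of an analyst's VMware sandbox with Procmon running.
SANDBOX = Environment(
    processes={"explorer.exe", "vmtoolsd.exe", "Procmon.exe"},
    registry_keys={"HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"},
    files={"C:\\Windows\\System32\\drivers\\vmmouse.sys"},
    mac_addresses={"00:0C:29:12:34:56"},
)

if __name__ == "__main__":
    for name, env in (("workstation", WORKSTATION), ("sandbox", SANDBOX),
                      ("vaccinated workstation", plant_decoys(WORKSTATION))):
        print(f"{name}: runs={malware_would_run(env)} indicators={hostile_indicators(env)}")
```

Two things follow from the OR semantics. For the defender, a single convincing fake is enough to stop the sample, which is why the tactic is cheap; the post does not describe how EST presents those artifacts, and creating real registry keys or driver files on production hosts is the crude version, with side effects on software that legitimately checks for virtualization. For the analyst, the same table explains why a stock VM with tools and Procmon running produces no detonation at all: hide those artifacts before expecting the payload to unpack.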

IoC (SHA-256)

SFX dropper: d399d7eb0e02123a5262549f822bb06e27b4bc8749260363788a5e39a0ce5c2a

Malicious DLL (goopdate.dll): 434f25211aee63132486607a1d93e1031db4c366375c6b3f5af035eb9de17e40