A new ransomware variant could potentially be targeting many victims through a combination of malvertising and tricky download techniques.

RIG-E Exploit Kit Delivers CryptoLuck Ransomware

While security researchers routinely find variants of common ransomware in the wild, a Proofpoint security researcher going by the name Kafeine discovered a ransomware variant spread by the RIG-E exploit kit. The use of an exploit kit for the dissemination of malware usually means that the payload — whatever it may be — is aimed at a large pool of victims.

Bleeping Computer reported that the RIG-E (Empire) exploit kit distributes its ransomware payload via malvertising. The ransomware, called CryptoLuck, uses a legitimate Google Update executable and a Dynamic Link Libraries (DLL) hijacking method simultaneously.

Through the use of self-extracting files and malware bundles, CryptoLuck can silently execute its programs and leave no trace.

DLL Hijacking

The GoogleUpdate.exe file is genuine, but operates under certain rules that a malware developer can exploit. When run, it first looks for a DLL file called goopdate.dll and loads it. Since it first looks for the file in the same folder that it came in, the malware developer can trick the .exe program to load the malicious DLL file instead.

Once the CryptoLuck ransomware executes, it checks if it is operating within a virtual machine. If it is, it terminates automatically. Otherwise, it scans the host computer, its mounted drives and any unmapped network shares for files that contain specific extensions.

Once it finds what it wants, the malware creates a unique Advanced Encryption Standard (AES) encryption key. It then scrambles the file using AES-256 encryption. The key is further encrypted with an embedded public RSA key, and the result is put into the ransomed file.

Since the master RSA key belongs to the malware developer, there is currently no decryption tool. Victims can only hope experts will devise an alternate recovery method.