CryptoLuck Ransomware Infects Victims Using Signed Google Update (Nov 18, 2016)


The SonicWall Threats Research team observed reports of a new variant of a ransomware family, named GAV: Cryptoluck.A, actively spreading in the wild.

The malware injects its own DLL into the legitimate Google Update Service to avoid detection by system administrators.

Infection Cycle:

The Malware uses the following icons:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\Application Data\76ff\GoogleUpdate.exe [ Legitimate Google Update Service ]

    • %Userprofile%\Application Data\76ff\goopdate.dll [ Injected DLL ]

    • %Userprofile%\Application Data\76ff\crp.cfg

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • %Userprofile%\Application Data\76ff\GoogleUpdate.exe

Once the computer is compromised, the malware copies its own executable file to the %Userprofile%\Application Data\76ff folder.

The GoogleUpdate.exe is a legitimate Google Update Service that is signed by Google as shown below:

The malware encrypts the victim's files with a strong RSA 2048 encryption algorithm until the victim pays a fee to get them back. When files are encrypted, they will have the .[victim_id]_luck extension appended to the filename.

After encrypting all the personal documents and files it shows the following text file:

Once the system is infected, the victim's data is encrypted and the victim is given a 72-hour countdown to pay 2.1 bitcoins to the cyber criminals in exchange for the decryption key that supposedly allows recovery of the encrypted files.
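The indicators above can be combined into a triage check over collected Run-key values and file listings; this is an added example, not SonicWall's code. The trusted install prefixes, the regex for the `.[victim_id]_luck` suffix, and all sample values are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed shape of the ".[victim_id]_luck" suffix: one extra extension ending in _luck.
LUCK_EXT = re.compile(r"\.[^.\\/]+_luck$", re.IGNORECASE)
# Assumption: machine-wide Google Update installs live under Program Files.
TRUSTED = (r"c:\program files\google\update", r"c:\program files (x86)\google\update")
SIDE_FILES = {"goopdate.dll", "crp.cfg"}  # dropped beside GoogleUpdate.exe per the advisory

def run_target(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def suspicious_run_entries(run_values, files):
    """Run values that start GoogleUpdate.exe from an untrusted folder
    which also contains goopdate.dll and crp.cfg."""
    by_dir = {}
    for path in files:
        folder, name = ntpath.split(path.lower())
        by_dir.setdefault(folder, set()).add(name)
    hits = []
    for name, command in run_values.items():
        folder, exe = ntpath.split(run_target(command).lower())
        if exe != "googleupdate.exe" or folder.startswith(TRUSTED):
            continue
        if SIDE_FILES <= by_dir.get(folder, set()):
            hits.append((name, command))
    return hits

def encrypted_files(files):
    """Files carrying the ransomware's appended extension."""
    return [f for f in files if LUCK_EXT.search(f)]

# Constructed sample data (value names, user name and victim id are made up).
SAMPLE_RUN = {
    "Google Update": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c',
    "GoogleUpdate": r"C:\Users\alice\Application Data\76ff\GoogleUpdate.exe",
}
SAMPLE_FILES = [
    r"C:\Users\alice\Application Data\76ff\GoogleUpdate.exe",
    r"C:\Users\alice\Application Data\76ff\goopdate.dll",
    r"C:\Users\alice\Application Data\76ff\crp.cfg",
    r"C:\Users\alice\Documents\report.docx.0A1B2C3D_luck",
    r"C:\Users\alice\Documents\notes_luck.txt",
]
```

A valid Google signature on GoogleUpdate.exe is not evidence of a clean host here; the check keys on where the binary runs from and which files sit beside it.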

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cryptoluck.A (Trojan)
