Over the last couple of days, a new ransomware campaign dubbed CryptoLuck was uncovered by the exploit kit expert @kafeine.
As explained in the detailed analysis published by Bleeping Computer, what makes this ransomware unique is that its code runs inside a legitimate program signed by Google. The attackers abuse Google's benign update utility (GoogleUpdate.exe) to load a malicious DLL through DLL hijacking: the executable resolves its goopdate.dll from its own directory, so a malicious DLL dropped next to it is loaded in place of the genuine one. Because the malicious code then runs under the identity of a signed, trusted host process, it slips past many security solutions that trust or whitelist processes based on the identity of the host binary.
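One practical way to hunt for this class of abuse on an endpoint is to look for DLLs that a signed host process loaded from its own directory but that do not carry the host's signature. The script below is an added example written for this post, not Minerva's product code or anything from the CryptoLuck analysis; it assumes the host process is named GoogleUpdate, that the legitimate goopdate.dll is signed by the same Google subject as the executable, and that it is run from an elevated PowerShell so module lists of other users' processes are visible.

```powershell
# Added example (not Minerva's code): hunt for side-loaded DLLs in a signed host.
# Flags every module that GoogleUpdate.exe loaded from its own directory whose
# Authenticode signature is missing, invalid, or issued to a different subject
# than the host executable's signer. Run elevated.

param(
    [string]$ProcessName = 'GoogleUpdate'   # assumption: default Google Update process name
)

function Get-SignerSubject {
    # Returns the signer subject of a validly signed file, or $null otherwise.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $null }
    return $sig.SignerCertificate.Subject
}

$findings = @()
foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $hostPath = $proc.Path
    if (-not $hostPath) { continue }                 # image path not readable: skip
    $hostSubject = Get-SignerSubject $hostPath
    if (-not $hostSubject) { continue }              # unsigned host is outside this check's scope
    $hostDir = Split-Path -Parent $hostPath

    try { $modules = $proc.Modules } catch { continue }   # access denied or 32/64-bit mismatch

    foreach ($m in $modules) {
        $dll = $m.FileName
        # Only DLLs resolved from the host's own directory are hijack candidates;
        # system DLLs loaded from System32 are deliberately ignored here.
        if ((Split-Path -Parent $dll) -ne $hostDir) { continue }
        $dllSubject = Get-SignerSubject $dll
        if ($dllSubject -ne $hostSubject) {
            $findings += [pscustomobject]@{
                Pid        = $proc.Id
                Host       = $hostPath
                Module     = $dll
                ModuleSig  = (Get-AuthenticodeSignature -FilePath $dll).Status
                HostSigner = $hostSubject
                DllSigner  = $dllSubject
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No side-loaded DLLs with a mismatched or missing signature found in $ProcessName"
}
```

Two caveats when reading the output. A vendor that rotated its code-signing certificate can legitimately ship an executable and a DLL with slightly different signer subjects, so a mismatch is a lead to verify, not a verdict. Conversely, the hunt says nothing about where the host itself lives; a signed GoogleUpdate.exe running from a user-writable directory rather than its normal install location is a second signal worth correlating with this one.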
Unfortunately, if you have already been hit by CryptoLuck there is very little you can do: the encryption appears to be implemented correctly and a unique decryption key is generated for each victim, so files cannot be recovered without the attackers' key.
Using Malware’s Greatest Fears Against It
So, other than paying the cyber-crooks $1,500, what can you do? Fortunately, like many other malware families, CryptoLuck inspects its surroundings before unpacking its malicious payload: it searches for traces of virtualization products and other programs whose presence implies it is running in a hostile environment such as a sandbox or an analyst's virtual machine, and quits if it finds any.
On a Minerva-protected endpoint, our Minerva Anti-Evasion Platform makes the ransomware believe that its greatest fears have been realized, causing it to halt immediately, well before any damage is done.
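To make the two preceding paragraphs concrete, the script below shows the kind of environment check an evasive sample runs and the defensive inverse of planting decoy artifacts so that such a check fails on a bare-metal host. It is an added example written for this post, not Minerva's product code and not CryptoLuck's code; the artifact list is illustrative of common anti-VM checks (VMware and VirtualBox guest tools, hypervisor hardware identifiers) and is not a claim about which indicators CryptoLuck itself tests. Add-VmDecoys is a hypothetical helper and needs an elevated shell.

```powershell
# Added example (not Minerva's or CryptoLuck's code): what an anti-VM check "sees",
# and how planting decoys turns that check against the malware.

# Artifacts commonly probed by anti-VM / anti-analysis routines (illustrative list).
$VmArtifacts = @{
    Processes     = @('vmtoolsd', 'vmwaretray', 'vmwareuser', 'VBoxService', 'VBoxTray')
    RegistryKeys  = @(
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
        'HKLM:\HARDWARE\ACPI\DSDT\VBOX__'
    )
    Files         = @(
        "$env:SystemRoot\System32\drivers\vmmouse.sys",
        "$env:SystemRoot\System32\drivers\vmhgfs.sys",
        "$env:SystemRoot\System32\drivers\VBoxMouse.sys",
        "$env:SystemRoot\System32\drivers\VBoxGuest.sys"
    )
    Manufacturers = @('VMware', 'innotek GmbH', 'Xen', 'QEMU')
    Models        = @('Virtual Machine', 'VirtualBox', 'VMware Virtual Platform')
}

function Test-VirtualizationArtifacts {
    # Returns the artifacts present on this host, i.e. what a sample's anti-VM
    # routine would find. An empty result means the sample would run its payload.
    $hits = @()
    $running = (Get-Process).ProcessName
    foreach ($p in $VmArtifacts.Processes)    { if ($running -contains $p) { $hits += "process:$p" } }
    foreach ($k in $VmArtifacts.RegistryKeys) { if (Test-Path $k)          { $hits += "registry:$k" } }
    foreach ($f in $VmArtifacts.Files)        { if (Test-Path $f)          { $hits += "file:$f" } }

    # Hardware identity as reported by WMI; Hyper-V guests show Model "Virtual Machine".
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    foreach ($m in $VmArtifacts.Manufacturers) {
        if ($cs.Manufacturer -like "*$m*") { $hits += "wmi-manufacturer:$($cs.Manufacturer)"; break }
    }
    foreach ($m in $VmArtifacts.Models) {
        if ($cs.Model -like "*$m*") { $hits += "wmi-model:$($cs.Model)"; break }
    }
    return $hits
}

function Add-VmDecoys {
    # Defensive inverse (hypothetical helper): plant harmless decoy registry keys and
    # empty driver files so a sample that aborts on VM artifacts aborts here as well.
    # Process-name and WMI decoys are out of scope for this snippet.
    foreach ($k in $VmArtifacts.RegistryKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    foreach ($f in $VmArtifacts.Files) {
        if (-not (Test-Path $f)) { New-Item -Path $f -ItemType File -Force | Out-Null }
    }
}

$found = Test-VirtualizationArtifacts
if ($found) {
    'Anti-VM checks of this kind would trigger on:'
    $found
} else {
    'Host looks like bare metal to these checks; Add-VmDecoys would change that.'
}
```

Running Test-VirtualizationArtifacts on a real VM typically returns several hits, which is exactly why sandboxes get evaded; running it on a workstation after Add-VmDecoys returns the planted keys and files. Decoys of this sort are a vaccine, not a replacement for detection: they only stop samples that check for the artifacts you planted, they can confuse legitimate software that keys off the same indicators, and an attacker who notices them can simply drop the check.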
Malicious DLL (goopdate.dll):