{
	"id": "cf455504-b29a-4b9d-be53-db8fda788f4a",
	"created_at": "2026-04-06T00:08:46.141759Z",
	"updated_at": "2026-04-10T03:21:43.201479Z",
	"deleted_at": null,
	"sha1_hash": "0add6f16cf5f4236f68b95d2e390b2d66f773072",
	"title": "CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1512812,
	"plain_text": "CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits\r\nBy Lawrence Abrams\r\nPublished: 2016-11-15 · Archived: 2026-04-05 13:24:07 UTC\r\nA new ransomware called CryptoLuck has been discovered by Proofpoint security researcher and exploit kit expert Kafeine that is being distributed via the RIG-E exploit kit. While it has become common to see new ransomware variants being distributed daily, it is not as common to find new ransomware infections being distributed via exploit kits. Seeing this type of activity typically indicates that a particular ransomware will see much wider distribution and thus a larger number of victims.\r\nCryptoLuck also utilizes an interesting method of infecting a victim through the legitimate GoogleUpdate.exe executable and DLL hijacking. Once infected, a victim's data will be encrypted and the victim will then be given a 72-hour countdown to pay a ransom of 2.1 bitcoin, or approximately $1,500 USD.\r\nCryptoLuck\r\nCryptoLuck distributed via Exploit kits after Redirection from Compromised Websites and Malvertising Chains\r\nAccording to Kafeine, CryptoLuck has been spotted being distributed via the RIG-E (Empire) exploit kit through malvertising. While Kafeine only specifically saw this sample through advertising in the Adult web site space, he said there is a good possibility of it also being distributed through other sources such as compromised sites.\r\nhttp://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/\r\nPage 1 of 8\n\nRIG-E Exploit Kit installing CryptoLuck\r\nSource: Kafeine\r\nCryptoLuck installed via bundled GoogleUpdate.exe and DLL Hijacking\r\nAn interesting feature of CryptoLuck is that it uses a legitimate, code-signed program from Google called GoogleUpdate.exe together with DLL hijacking to install the ransomware. To understand how this works, we need to take a look at how the ransomware is installed.\r\nThis ransomware is distributed using a RAR SFX file that includes the crp.cfg, GoogleUpdate.exe, and goopdate.dll files. The SFX file also contains instructions so that when it is executed it will extract these files into the %AppData%\\76ff folder and then silently execute the GoogleUpdate.exe program.\r\nCryptoLuck RAR SFX File\r\nGoogleUpdate.exe is a legitimate Google program that is signed by Google, as shown below.\r\nSigned Google Executable\r\nWhen the GoogleUpdate.exe program is run, it will look for a DLL file called goopdate.dll and load it. The problem is that it will first look for this file in the same folder that GoogleUpdate.exe resides in. This allows a malware developer to create their own malicious goopdate.dll file and have it loaded by GoogleUpdate.\r\nThis is the case with the CryptoLuck developer, who put all of the ransomware-related code into their own malicious goopdate.dll file. Then, when the legitimate GoogleUpdate.exe file is executed, it loads the malicious DLL rather than the legitimate one normally used by Google.\r\nHow CryptoLuck Encrypts your Files\r\nWhen CryptoLuck infects a computer it will first check to see if it is being run within a virtual machine, and if it is, the process will terminate. Otherwise, it will scan the computer, its mounted drives, and unmapped network shares for files that have certain file extensions. According to Fabian Wosar of Emsisoft, when it detects a targeted file it will generate a unique AES encryption key for that file and encrypt the file using AES-256 encryption. This file's encryption key is then encrypted with an embedded public RSA key, and the resulting encrypted AES key is embedded in the encrypted file.\r\nThe current public RSA encryption key for CryptoLuck is:\r\nWhen files are encrypted they will have the .[victim_id]_luck extension appended to the filename. For example, if a victim had an ID of 0054B131 and a file called test.jpg was encrypted by CryptoLuck, its new name would be test.jpg.0054B131_luck. The original name of each encrypted file is then added as an entry under the HKCU\\Software\\sosad_[victim_id]\\files key.\r\nCryptoLuck Encrypted Files\r\nThe files targeted by CryptoLuck are:\r\n.3ds .3fr .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .apk .arch00 .arj .arw .asset .bar .bay .bc6 .bc7 .big .bik .bk\r\nLast, but not least, when CryptoLuck scans for files to encrypt, it will skip files whose names contain the following strings:\r\nWindows\r\nProgram Files\r\nProgram Files (x86)\r\nProgramData\r\nAppData\r\nApplication Data\r\nTemporary Internet Files\r\nTemp\r\nGames\r\nnvidia\r\nintel\r\n$Recycle.Bin\r\nCookies\r\nWhen it has finished encrypting the files and available network shares, it will display a ransom note named %AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt. This ransom note will contain instructions on how to download the decryptor and make the ransom payment. The text of this ransom note is:\r\nA T T E N T I O N !\r\nYOUR PERSONAL FILES ARE ENCRYPTED!\r\nPERSONAL ID: 0054B131\r\nYour important files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a\r\nIf you see this text but don't see Decryptor Wizard window - please, disable any Firewalls and antivirus products, and dow\r\nhttp://dropmefiles.com/304718\r\nYou have 72 hours for payment.\r\nAfter this time the private key will be destroyed.\r\nFor more info and support, please, contact us at this email address:\r\nYAFUNN@YAHOO.COM\r\nThe victim will then be shown a Decryption Wizard that walks the victim through making a payment and then waits for the payment to be made. If a ransom payment is made, the decryptor states it will automatically decrypt the victim's files.\r\nWaiting for Payment\r\nUnfortunately, as each file is encrypted using its own unique AES key and only the malware developer knows the master RSA decryption key, this ransomware is not currently decryptable. For those who are looking for further support or who have questions regarding CryptoLuck, you can ask in the CryptoLuck Help and Support Topic.\r\nFiles associated with CryptoLuck:\r\n%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.0054B131.txt\r\n%AppData%\\info_[victim_id].info\r\n%AppData%\\76ff\\\r\n%AppData%\\76ff\\crp.cfg\r\n%AppData%\\76ff\\GoogleUpdate.exe\r\n%AppData%\\76ff\\goopdate.dll\r\nRegistry entries associated with CryptoLuck:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleUpdate.exe %AppData%\\76ff\\GoogleUpdate.exe\r\nHKCU\\Software\\sosad_[victim_id]\r\nIOCs:\r\nSHA256: d399d7eb0e02123a5262549f822bb06e27b4bc8749260363788a5e39a0ce5c2a\r\nNetwork Communication:\r\nhttp://pandares.top/two/index.php\r\nSource: http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/"
	],
	"report_names": [
		"cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0add6f16cf5f4236f68b95d2e390b2d66f773072.pdf",
		"text": "https://archive.orkl.eu/0add6f16cf5f4236f68b95d2e390b2d66f773072.txt",
		"img": "https://archive.orkl.eu/0add6f16cf5f4236f68b95d2e390b2d66f773072.jpg"
	}
}