Published On Sun 09 Jan 2022 | Published By Cyber Crime Helpline LLP
Lucky ransomware, which appends the .lucky extension, is a particularly complex type of ransomware: every encrypted file carries a different id. Commander Sunil Srivastava (retd), Director of Cyber Crime Helpline LLP, has stated that files encrypted by this type of ransomware are highly complicated to decrypt. A GitHub project has, however, claimed to decrypt .lucky ransomware, and so far no other method seems to work.
Lucky ransomware can be spread and executed on both Windows and Linux platforms. Its main functions are “file encryption”, “propagation infection” and “mining”. It is a known fact that Lucky ransomware is similar to the Satan ransomware, since the overall structure has not changed much and the CNC (command-and-control) server has not changed either. The Satan ransomware changed over time: it switched from profiting from blackmail to mining, and the new version of Lucky ransomware has combined extortion with mining.
Lucky ransomware traverses folders, encrypts files carrying the following suffixes, and modifies the suffix to .lucky:
bak,sql,mdf,ldf,myd,myi,dmp,xls,xlsx,docx,pptx,eps,txt,ppt,csv,rtf,pdf,db,vdi,vmdk,vmx,pem,pfx,cer,psd
From the operating system's perspective, each encrypted file has an exact modification time that can be used to determine the key generation timestamp.
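The following triage helper is an added example, not code from the article or from Cyber Crime Helpline LLP: it inventories files renamed with the .lucky suffix, maps each back to one of the target extensions listed above, and reports the modification-time window that, per the article, tracks key generation. It assumes the original extension is still visible as a dotted component before .lucky; the exact naming scheme, including the per-file id, is not described on the page, so the lookup is best-effort.

```python
import os
from collections import Counter
from datetime import datetime, timezone

TARGETED_EXTENSIONS = {  # the suffixes the article lists as targets
    "bak", "sql", "mdf", "ldf", "myd", "myi", "dmp", "xls", "xlsx", "docx",
    "pptx", "eps", "txt", "ppt", "csv", "rtf", "pdf", "db", "vdi", "vmdk",
    "vmx", "pem", "pfx", "cer", "psd",
}
RANSOM_SUFFIX = ".lucky"


def original_extension(path):
    """Best-effort pre-encryption extension: the last dotted component before
    .lucky that is a listed target, else the component right before .lucky
    (assumed layout; the per-file id scheme is not given on the page)."""
    base = os.path.basename(path).lower()
    if not base.endswith(RANSOM_SUFFIX):
        return ""
    parts = base[: -len(RANSOM_SUFFIX)].split(".")
    for part in reversed(parts[1:]):  # parts[0] is the file name itself
        if part in TARGETED_EXTENSIONS:
            return part
    return parts[-1] if len(parts) > 1 else ""


def triage(records):
    """Summarise (path, mtime_epoch) pairs: count of .lucky files, how many
    came from listed targets, and the mtime window bounding the encryption run."""
    by_ext = Counter()
    targeted = 0
    mtimes = []
    for path, mtime in records:
        if not path.lower().endswith(RANSOM_SUFFIX):
            continue  # untouched file
        ext = original_extension(path)
        by_ext[ext] += 1
        targeted += int(ext in TARGETED_EXTENSIONS)
        mtimes.append(mtime)
    window = None
    if mtimes:  # article: the mtime tracks the key generation timestamp
        window = tuple(datetime.fromtimestamp(t, timezone.utc).isoformat()
                       for t in (min(mtimes), max(mtimes)))
    return {"encrypted": len(mtimes), "targeted": targeted,
            "by_extension": dict(by_ext), "mtime_window": window}


def scan_directory(root):
    """Walk a real tree (e.g. a mounted image) and feed stat() mtimes to triage()."""
    hits = (os.path.join(d, n) for d, _, names in os.walk(root)
            for n in names if n.lower().endswith(RANSOM_SUFFIX))
    return triage((p, os.stat(p).st_mtime) for p in hits)
```

Run scan_directory() against a mounted image or a copied share rather than the live host, so the stat() calls do not disturb timestamps that may matter for the timeline.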
Recommended Solution:
Traffic on port 443, which is normally used for secure browsing, should be monitored and correlated with the processes and executables being downloaded in the background.
Preloader: fast.exe/ft32, a small file that loads the cryptographic and propagation modules.
Encryption module: cpt.exe/cry32, encrypts files on the computer.
Propagation module: conn.exe/conn32, spreads and infects by exploiting various application vulnerabilities.
Mining module: mn32.exe/mn32, connects to the operators' own mining pool addresses.
Service module: srv.exe, creates a service under the Windows operating system for its execution.