L00KUPRU Ransomware Demands $1500 in Bitcoin


Our team discovered L00KUPRU, a ransomware variant associated with the Xorist family. This ransomware encrypts files, displays a pop-up window, and generates a ransom note named "HOW TO DECRYPT FILES.txt".

Furthermore, L00KUPRU alters filenames by adding its extension (".L00KUPRU"). For instance, it changes "1.jpg" to "1.jpg.L00KUPRU", "2.png" to "2.png.L00KUPRU", and so forth.

The ransom note indicates that the files on the device have been encrypted, rendering them inaccessible unless a payment of $1500 in Bitcoin (BTC) is made. It also mentions a discount available if contact is made within four days.

The note provides contact information for reaching the attackers, including an ICQ number for a phone application and an email address (kil4tx@secmail.pro). Additionally, it includes a Bitcoin wallet address for sending the ransom payment. The note cautions against altering the encrypted files or device settings, as doing so may prevent file restoration.
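The two file-system indicators described above (the appended ".L00KUPRU" extension and the "HOW TO DECRYPT FILES.txt" note) are enough to scope which directories were hit during incident response. The following is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

EXT = ".l00kupru"                  # appended extension named in the article
NOTE = "how to decrypt files.txt"  # ransom note filename named in the article


def triage(root):
    """Summarise L00KUPRU file-system indicators under root, per directory."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    earliest = None  # oldest mtime among renamed files: rough encryption start
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == NOTE:
                report[dirpath]["note"] = True
            elif lower.endswith(EXT) and len(name) > len(EXT):
                # The original name is whatever precedes the appended extension.
                report[dirpath]["encrypted"].append(name[: -len(EXT)])
                try:
                    mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # file vanished or unreadable; still counted above
                earliest = mtime if earliest is None else min(earliest, mtime)
    return dict(report), earliest


def build_sample(root):
    """Constructed sample tree of empty placeholder files (no malware involved)."""
    layout = {
        "docs": ["1.jpg.L00KUPRU", "2.png.L00KUPRU", "HOW TO DECRYPT FILES.txt"],
        "clean": ["report.docx"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found, first_seen = triage(tmp)
        for directory, info in sorted(found.items()):
            print(directory, len(info["encrypted"]), "renamed; note:", info["note"])
        print("earliest renamed-file mtime (epoch):", first_seen)
```

Run against a mounted forensic image or a read-only snapshot rather than the live system, so that file timestamps are not disturbed.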

L00KUPRU Ransom Note Demands $1,500 in Bitcoin

The full text of the L00KUPRU ransom note reads as follows:

Device ID :-
The device files have been encrypted at the moment and it is impossible to access them at the moment except when you pay the amount of 1500 $ in BTC by currency you have 4 days to get a discount
Communication ways :-
Phone Application ICQ :747201461
Email : kil4tx@secmail.pro
WALLET BTC : 12et3ym4PnDzc9L5AfXyJz7bTfb8zvc8Hn
Note Do not tamper with the files or settings of the device Tip because if tampered with, we will not be able to restore your files
All rights reserved : Anonymous ? .

How is Ransomware Usually Distributed Online?

Ransomware is typically distributed online through various methods, leveraging vulnerabilities in systems, human behavior, and technological loopholes. Here are some common distribution methods:

Phishing Emails: Attackers often use phishing emails to distribute ransomware. These emails contain malicious attachments or links that, when clicked or opened, execute the ransomware payload. Phishing emails may appear to be from legitimate sources, such as banks, government agencies, or trusted companies, tricking users into taking action that leads to ransomware infection.

Malvertising: Malicious advertising, or malvertising, involves embedding ransomware into online advertisements displayed on legitimate websites. Users unknowingly download ransomware when they click on these ads or visit compromised web pages.

Exploit Kits: Exploit kits are tools used by cybercriminals to exploit vulnerabilities in software and deliver ransomware automatically. When users visit compromised or malicious websites, exploit kits scan their systems for vulnerabilities and deliver ransomware payloads tailored to exploit those weaknesses.

Drive-by Downloads: Drive-by downloads occur when ransomware is automatically downloaded and installed on a user's device without their consent while visiting a compromised website. These downloads often exploit vulnerabilities in web browsers or browser plugins.

Remote Desktop Protocol (RDP) Attacks: Attackers exploit insecure RDP connections to gain unauthorized access to a system, where they can then install ransomware manually. Weak or default passwords on RDP services make systems vulnerable to such attacks.

Peer-to-Peer (P2P) Networks: Ransomware can be distributed through peer-to-peer file-sharing networks, where users unknowingly download infected files. Cybercriminals often disguise ransomware as legitimate software or media files to entice users to download and execute them.

Software Vulnerabilities: Exploiting known vulnerabilities in software and operating systems is another common method for distributing ransomware. Attackers exploit unpatched vulnerabilities to gain access to systems and install ransomware without the user's knowledge.

April 10, 2024