What is Lucky Ransomware?


Lucky is a type of ransomware that was discovered by our researchers during a routine inspection of new submissions to the VirusTotal website. It belongs to the Phobos ransomware family.

Encryption and Ransom Notes

Lucky ransomware encrypts files on the victim's machine and renames them. Each original filename is appended with a unique victim ID, the cybercriminals' email address, and a ".Lucky" extension. For example, a file named "1.jpg" would appear as "1.jpg.id[9ECFA84E-3451].[dopingen@rambler.ru].Lucky".

After the encryption process is complete, Lucky creates ransom notes in the form of a pop-up window ("info.hta") and a text file ("info.txt").
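The renaming scheme and note filenames described above are the most practical host-side indicators of a Lucky infection. The following is an added example, not code from the original article or from any vendor tool: a small Python scanner that parses the Phobos-style filename pattern, collects the victim IDs and contact addresses it finds, and flags the "info.hta" / "info.txt" ransom notes. The directory listing it runs over is constructed for illustration, and the shape of the ID (two hex groups separated by a hyphen) is inferred from the single example on the page rather than from a specification.

```python
import re
from typing import Dict, Iterable, List, Optional

# Phobos-style renaming scheme as shown on the page:
#   <original name>.id[<hex>-<hex>].[<email>].Lucky
# The two-group hex ID is an assumption inferred from "9ECFA84E-3451".
LUCKY_NAME_RE = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]+-[0-9A-Fa-f]+)\]"
    r"\.\[(?P<email>[^\]\s]+)\]"
    r"\.Lucky$"
)

# Ransom note names dropped by Lucky (from the article).
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}


def parse_lucky_name(filename: str) -> Optional[Dict[str, str]]:
    """Return original name, victim ID and email if the name matches
    the Lucky scheme, otherwise None."""
    match = LUCKY_NAME_RE.match(filename)
    return match.groupdict() if match else None


def scan_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Walk a list of file paths and collect Lucky indicators.

    Returns a summary with the encrypted files, ransom note paths, and the
    distinct victim IDs and attacker emails seen in the renamed files."""
    encrypted: List[Dict[str, str]] = []
    notes: List[str] = []
    victim_ids = set()
    emails = set()

    for path in paths:
        # Accept both Windows and POSIX separators in the constructed sample.
        basename = re.split(r"[\\/]", path)[-1]
        parsed = parse_lucky_name(basename)
        if parsed is not None:
            encrypted.append({"path": path, **parsed})
            victim_ids.add(parsed["victim_id"])
            emails.add(parsed["email"])
        elif basename.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)

    return {
        "encrypted": encrypted,
        "notes": notes,
        "victim_ids": victim_ids,
        "emails": emails,
        # A single renamed file plus a note is a strong signal; a note alone
        # could be a benign file with the same name, so require both.
        "likely_infected": bool(encrypted) and bool(notes),
    }


# Constructed sample listing (not real telemetry); the renamed entries
# follow the example filename given in the article.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.jpg.id[9ECFA84E-3451].[dopingen@rambler.ru].Lucky",
    r"C:\Users\alice\Documents\report.docx.id[9ECFA84E-3451].[dopingen@rambler.ru].Lucky",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Documents\info.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
]


if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print("likely infected:", result["likely_infected"])
    print("victim IDs:", sorted(result["victim_ids"]))
    print("contact emails:", sorted(result["emails"]))
    for entry in result["encrypted"]:
        print("encrypted:", entry["original"], "->", entry["path"])
    for note in result["notes"]:
        print("ransom note:", note)
```

Because the original filename is preserved in front of the appended suffix, the parser also recovers which files were affected, which is useful when reconciling an infected share against backups.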

Risks and Consequences of Paying the Ransom

The ransom note in the text file simply informs the victim that their files have been encrypted and instructs them to contact the attackers. The note in the pop-up window provides more details about the infection, stating that the victim must pay a ransom in Bitcoin cryptocurrency to decrypt their data. The attackers allow the victim to test the decryption process by sending up to five encrypted files.

However, paying the ransom does not guarantee that the decryption keys or software will be provided; many victims who pay never receive the promised decryption tools. Paying is strongly discouraged, both because it funds illegal activity and because data recovery is not guaranteed.

Preventing and Removing Lucky Ransomware

To prevent Lucky ransomware from encrypting more files, it is crucial to eliminate it from the operating system. However, removing the ransomware will not restore the compromised files. The only solution is to recover the files from a backup, if one is available. Storing backups in multiple separate locations, such as remote servers and unplugged storage devices, is highly recommended for data safety.

In addition to Lucky ransomware, there are many other ransomware-type programs in existence. Some examples include Rajah, Snea575 (Chaos), Waqq, and Gaqq. While these programs operate similarly, they differ in the cryptographic algorithms they use and the size of the ransom demanded.

Ransomware, including Lucky, is primarily distributed through phishing and social engineering techniques. Malicious programs are often disguised as or bundled with ordinary software or media.

Infectious files can be in the form of archives (ZIP, RAR), executables (.exe, .run), documents (Microsoft Office, Microsoft OneNote), JavaScript, and more.

July 14, 2023