Lucky Ransomware

Lucky Ransomware Description

The Lucky Ransomware is an encryption ransomware Trojan detected in the middle of November 2018, when it infected the servers of some companies in the financial sector. Ransomware threats are designed to use encryption algorithms to make victims' files inaccessible so that they can demand a ransom payment in exchange for renewed access to the affected data. Analysis of this malware shows that it has almost identical structure and the same CNC server as a previously detected ransomware known as Satan. Satan Ransomware itself has evolved over time, changing its sources of profit from blackmailing to mining, while currently with the new variant Lucky the threat actors have combined the crypto currency mining function with money extortion capabilities.

Lucky Is a Variant of Satan Ransomware

The main functions that Lucky Ransomware is designed to perform are file encryption, propagation, and mining. For the file encryption Lucky uses the AES encryption algorithm.For its propagation purpose, Lucky uses certain well known server-side vulnerabilities, while for gaining extra profits from mining the malware uses a self-built mine pool address which is the same as the one used by Satan Ransomware. The overall architecture of Lucky matches the structure of Satan Ransomware. It includes several components, like a very small file named “fast.exe/ft32” which pre-loads the propagation and cryptographic modules. Then, the malware employs an encryption module named “cpt.exe/cry32” which encrypts the files, while a propagation module “conn.exe/conn32” spreads the malware by exploiting the corresponding system vulnerabilities. Finally, a mining module named “mn32.exe/mn32 makes the connection to the mine pool address and a service module called “srv.exe” ensures the stable execution by creating a Windows service.

Lucky Ransomware Doesn't Bring Any Luck to Its Victims

Lucky Ransomware infects Windows and Linux platforms and it has a worm-like design that allows it to spread on its own and without any human interaction by exploiting ten different and well-known vulnerabilities in Windows and Linux server platforms. Cyber security experts have managed to identify these vulnerabilities and they are the following:

  • JBoss deserialization vulnerability (CVE-2013-4810,CVE-2017-12149)
  • JBoss default configuration vulnerability (CVE-2010-0738)
  • Spring Data Commons remote code execution vulnerability (CVE-2018-1273)
  • Windows SMB remote code execution vulnerability (MS17-010)
  • Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
  • Tomcat web admin console backstage weak password brute-force attack
  • WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  • WebLogic WLS component vulnerability (CVE-2017-10271)
  • Apache Struts 2 remote code execution vulnerability (S2-045)
  • Apache Struts 2 remote code execution vulnerability (S2-057)

Lucky Ransomware imposes extensive risk of infection as all of these vulnerabilities are easy to exploit and actual exploit are available publicly on the Internet. That allows threat actors to attack vulnerable systems with almost no customization of the malware script. Organizations which have not yet patched their systems are at a higher risk as some of the exploited vulnerabilities have been announced months ago.

User-generated Files Are the Main Target for Encryption

In order to encrypt files, the malware traverses the folder and finds the targeted files through their specific extensions. The ransomware skips system files as they are needed for the normal functioning of the infected machine, while files targeted for encryption by Lucky include all kinds of user-generated files like numerous media file types, documents, databases and others:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

All files compromised by the attack are renamed with the addition of a contact email, a random string of characters, and the file extension '.lucky,' all added to the compromised data. Another analyzed sample in December 2018 has used “.nmare” instead of “.lucky” for the names of the corrupted files.

The Lucky Ransomware's Ransom Demand

The criminals have grounds to demand a ransom payment from the victim because threats like the Lucky Ransomware are designed to encrypt victims' files. The Lucky Ransomware ransom demand is contained in a text file named '_How_To_Decrypt_My_File_.txt' that is dropped on the infected computer's desktop. In some other samples, the ransom note file was called “How_To_Decrypt_My_File.” The following is the text contained in the Lucky Ransomware ransom note:

'I am sorry to tell you.

Some files has crypted

if you want your files back , send 1 bitcoin to my wallet

my wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd

If you have any questions, please contact us.


The Lucky Ransomware's ransom note should be ignored and paying any ransom associated with threats like the Lucky Ransomware should be avoided!

Protecting Your Data from Threats Like the Lucky Ransomware

The best protection against threats like the Lucky Ransomware is to have backup copies of your files. These backup copies can be safer if stored in a secure location, such as the cloud. Apart from file backups, computer users should install a security program which, while not capable of restoring the encrypted data, can prevent the Lucky Ransomware from being installed in the first place. Since ransomware attacks often take advantage of poorly protected networks and outdated software and operating systems, it is important that computer users make sure that their computers are always up-to-date and adequately protected from malware threats.

Do You Suspect Your PC May Be Infected with Lucky Ransomware & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like Lucky Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Related Posts

One Comment

  • Connie :

    Hello, Great information. However, I have thousands of files encryptied. How does someone remove it now from the files the virus has attached itself too? or should we just delete all the locks files and accept the loss

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.