LucKY_Gh0$t Ransomware Disrupts Cyber Systems

A Ransomware Based on Chaos

LucKY_Gh0$t Ransomware is a newly identified cyber threat derived from the Chaos ransomware family. Once it infiltrates a system, it executes a series of malicious actions, including encrypting files, altering filenames, and changing the desktop wallpaper. Additionally, it leaves behind a ransom note named "read_it.txt," which serves as an ultimatum to the victim.

One of LucKY_Gh0$t's distinguishing features is the way it renames encrypted files. It appends a dot and four random characters after the original file extension, so the added extension differs from one infection to the next. For instance, a file originally named "document.pdf" might be altered to "document.pdf.1pbx," and so on. Because the appended extension is not a fixed marker, matching files by a single known suffix does not work, which complicates manual recovery efforts and heightens the urgency for victims.
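The renaming pattern and the fixed note name described above lend themselves to a simple triage heuristic over a file listing. The following is an added example (not code from the write-up or from the malware): it flags directories that contain several files matching `<name>.<known extension>.<4 random characters>`, or such files next to a `read_it.txt` note. The extension list, the hit threshold and the sample paths are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Per the write-up: the Chaos-derived LucKY_Gh0$t appends four random characters
# after the original extension ("document.pdf" -> "document.pdf.1pbx") and drops
# a note named read_it.txt. The extension list and threshold are assumptions.
NOTE_NAME = "read_it.txt"
COMMON_EXTS = {"pdf", "docx", "xlsx", "pptx", "jpg", "png", "txt", "sql", "zip"}
SUFFIX_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{1,5})\.(?P<tail>[A-Za-z0-9]{4})$"
)
MIN_HITS = 3  # assumed: renamed files per directory needed without a note


def looks_renamed(name: str) -> bool:
    """True if the filename matches <stem>.<known ext>.<4 random chars>."""
    m = SUFFIX_RE.match(name)
    return bool(m) and m.group("ext").lower() in COMMON_EXTS


def triage(paths):
    """Group paths by directory and return those that look encrypted.

    A directory is flagged when it holds at least MIN_HITS renamed files,
    or any renamed file alongside a read_it.txt note.
    """
    per_dir = defaultdict(lambda: {"renamed": [], "note": False})
    for p in paths:
        pp = PurePosixPath(p)
        entry = per_dir[str(pp.parent)]
        if pp.name.lower() == NOTE_NAME:
            entry["note"] = True
        elif looks_renamed(pp.name):
            entry["renamed"].append(pp.name)
    return {
        d: e for d, e in per_dir.items()
        if len(e["renamed"]) >= MIN_HITS or (e["note"] and e["renamed"])
    }


# Constructed sample listing (not real indicators) mixing hits and benign files.
SAMPLE = [
    "/srv/share/finance/budget.xlsx.1pbx",
    "/srv/share/finance/report.pdf.q9ZK",
    "/srv/share/finance/read_it.txt",
    "/srv/share/hr/handbook.docx",
    "/srv/share/hr/archive.tar.gz",   # legitimate double extension, tail != 4 chars
    "/srv/share/hr/photo.jpg.abcd",   # single oddity, below threshold, no note
]

if __name__ == "__main__":
    for d, e in triage(SAMPLE).items():
        print(d, "note present" if e["note"] else "no note", e["renamed"])
```

Run against a real listing (e.g. `find /share -type f`) the same function gives a quick per-directory view of where encryption has reached, which helps scope containment and restore-from-backup decisions.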

The Ransom Demand and Threats

The ransom note left by LucKY_Gh0$t informs victims that their files have been encrypted and that they must pay a fee to obtain the necessary decryption tools. The attackers claim that upon receiving the payment, they will supply a decryption program to restore access to the locked data.

The note also warns victims against attempting to alter or delete any encrypted files, stating that such actions could interfere with the decryption process. Additionally, it includes a specific decryption ID, which victims must reference when communicating with the attackers via a messaging service called Session. To further pressure their targets, the cybercriminals threaten to carry out repeated attacks on affected organizations if payment is not made.

Here's the full text from the note:

~~~LucKY_Gh0$t~~~

>>>> All your important files are encrypted !!!

The data will not be decrypted if you do not pay the ransom

>>>> What guarantees that we will not deceive you?

We are not a politically motivated group and we do not need anything other than your money.

If you pay, we will provide you the programs for decryption and we will delete your data.
Life is too short to be sad. Be not sad, money, it is only paper.

If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.

>>>> Contact:

Download and install SESSION (hxxps://getsession.org)
Our SESSION id:
05e17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV40bde926cf1cc3aedf1115ade5655
Write to a chat and wait for the answer, we will always answer you.
Sometimes you will need to wait for our answer because we attack many companies.

>>>> Your personal DECRYPTION ID: U0001

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

The Dangers of Paying the Ransom

While many victims feel compelled to comply with the demands in hopes of retrieving their files, paying the ransom is not advisable. There is no guarantee that the attackers will keep their word and provide the promised decryption tool. In many cases, victims who pay are either ignored or subjected to further extortion attempts.

Moreover, ransomware infections may continue spreading within a network as long as the threat remains active. If left unchecked, it could encrypt additional files and systems, making data recovery even more difficult. Removing the ransomware as soon as possible is crucial to prevent further damage and protect other connected systems.

What Ransomware Does to Victims

Ransomware is malicious software created to block access to files or entire systems until a payment is made. Cybercriminals behind these attacks often demand cryptocurrency payments, such as Bitcoin, to make transactions harder to trace. In addition to encrypting data, some ransomware variants threaten to publish stolen information online if victims refuse to pay.

LucKY_Gh0$t follows this model by encrypting crucial files and pressuring victims into paying for their release. The financial and operational disruption caused by such threats can be devastating for individuals and organizations alike. Other examples of ransomware with similar tactics include Aptlock, YE1337, and Contacto.

How Ransomware Infects Systems

Attackers deploy ransomware using various infiltration techniques. One of the most common methods involves sending malicious email attachments or links disguised as legitimate communications. Victims who unknowingly open these attachments or click on the links may trigger the ransomware's execution, allowing it to spread across their devices.

Additionally, cybercriminals use deceptive tactics such as distributing ransomware through pirated software, fraudulent key generators, and misleading technical support scams. Other infection vectors include compromised websites, malicious advertisements, infected USB drives, and vulnerabilities in outdated software. Once executed, the ransomware can quickly encrypt files and demand a ransom.

Key Takeaways

Given the increasing sophistication of ransomware threats, users must adopt preventive measures to safeguard their systems. It is essential to exercise caution when dealing with unsolicited emails, especially those containing attachments or embedded links. Refrain from downloading software from unofficial sources, as these often harbor hidden threats.

Keeping operating systems and software up to date is also critical, as attackers frequently exploit known security flaws. Employing reliable cybersecurity tools and regularly backing up important data can further reduce the risks associated with ransomware attacks. By maintaining vigilance and implementing strong security practices, everyone can better protect themselves against threats like LucKY_Gh0$t.

January 10, 2025