Updated: YafunnLocker / CryptoLuck Ransomware Virus (Removal Steps and Protection Updates)

The YafunnLocker ransomware is a screenlocking type malware that is distributed via the RIG exploit kit and infects various targets. Learn more about the threat in our comprehensive removal guide. The virus is also known as CryptoLuck ransomware.


Name
YafunnLocker Ransomware

File Extensions
file_name.[A-F0-9]{8}_luck extension.

Ransom
Varies

Special Feature
Screen Lock Function

Solution #1
Use an advanced anti-malware tool to remove YafunnLocker ransomware.

Solution #2
YafunnLocker ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution
Spam Email Campaigns, Exploit kits, malicious ads & etc.

YafunnLocker Ransomware Description

Proofpoint Security researchers have discovered a new malware threat known as the CryptoLuck ransomware. Upon infection the virus encrypts target user data and activates a 72-hour time limit in which the victim has to pay the ransom sum of 2.1 bitcoins to recover their files.

When the malware is downloaded on the victim computer it will first perform a virtual machine check. If such an environment is detected CryptoLuck terminates itself. This is to dispose of any sandbox, honeypot or virtual machines that have been set up intentionally by system or network administrators.

If a working victim machine has been compromised the CryptoLuck ransomware will start to scan the local mounted drives and the network shares for all file types that are hardcoded into the virus. When a target file is detected the virus generates an unique AES key for that file and encrypts it with the AES-256 cipher. The encryption key is then encrypted once again with an embedded public RSA key, the resulting file is gain embedded into the encrypted file.

The researchers were able to uncover the public RSA key:

—–BEGIN PUBLIC KEY—–
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnoamWzd2h7DKzMKYAhdJ
qoQDpVAd0mirVhWElZsstWdTVfb4WxYMftVJx1CN2MG0FxSF7Rp825Iokm/6MWry
cXeaafM5vK/AD7j9X/4oxuxZI1zb+BJBvN/kzThDeH2oSmVsSuvT1JlIqn7iGfrG
D93Ej7ENL53r0SVFXFFB6WhOji54eJlLTkJGH2cYubsREvobBQ4SytKUxEkxbaHp
6kOM9l3UOaJm6tEepeQmiW4ZaGJmGLGgc1dL0cw+YPooz8egLuLSvLGnBw4W+RyN
VHKamYLN7JX11rzw5ZnhknS7BFKcSY0nV0tD+CgcQsaaM06qMmsMTT1vW9wtotDX
FwIDAQAB
—–END PUBLIC KEY—–

The compromised files are renamed with the .[victim_id]_luck extension.

The original name of every compromised file is added to a registry value located in the following Windows Registry location:

HKCU\Software\sosad_[victim_idfile]\files

The following file types are affected by the CryptoLuck ransomware:

.3ds .3fr .4db .4dd .7z .7zip .accdb .accdt .aep .aes .ai .apk .arch00 .arj .arw .asset .bar .bay .bc6 .bc7 .big .bik .bkf .bkp .blob .bpw .bsa .cas .cdr .cer .cfr .cr2 .crp .crt .crw .csv .d3dbsp .das .dazip .db0 .dba .dbf .dbx .dcr .der .desc .dmp .dng .doc .docm .docx .dot .dotm .dotx .dwfx .dwg .dwk .dxf .dxg .eml .epk .eps .erf .esm .fdb .ff .flv .forge .fos .fpk .fsh .gdb .gho .gpg .gxk .hkdb .hkx .hplg .hvpl .ibank .icxs .idx .ifx .indd .iso .itdb .itl .itm .iwd .iwi .jpe .jpeg .jpg .js .kdb .kdbx .kdc .key .kf .ksd .layout .lbf .litemod .lrf .ltx .lvl .m2 .map .max .mcmeta .mdb .mdbackup .mddata .mdf .mef .menu .mlx .mpd .mpp .mpqge .mrwref .msg .myo .nba .nbf .ncf .nrw .nsf .ntl .nv2 .odb .odc .odm .odp .ods .odt .ofx .orf .p12 .p7b .p7c .pak .pdb .pdd .pdf .pef .pem .pfx .pgp .pkpass .ppj .pps .ppsx .ppt .pptm .pptx .prproj .psd .psk .pst .psw .ptx .py .qba .qbb .qbo .qbw .qdf .qfx .qic .qif .r3d .raf .rar .raw .rb .re4 .rgss3a .rim .rofl .rtf .rw2 .rwl .saj .sav .sb .sdc .sdf .sid .sidd .sidn .sie .sis .sko .slm .snx .sql .sr2 .srf .srw .sum .svg .sxc .syncdb .t12 .t13 .tar .tax .tbl .tib .tor .txt .upk .vcf .vcxproj .vdf .vfs0 .vpk .vpp_pc .vtf .w3x .wallet .wb2 .wdb .wotreplay .wpd .wps .x3f .xf .xlk .xls .xlsb .xlsm .xlsx .xxx .zip .ztmp

The virus also checks if the following strings are part of a file or folder, they are skipped if the check confirms:

Windows
Program Files
Program Files (x86)
ProgramData
AppData
Application Data
Temporary Internet Files
Temp
Games
nvidia
intel
$Recycle.Bin
Cookies

When the encryption process is complete the ransom note is loaded and shown to the user. It is located in the following folder:

%AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt

Its contents reads the following:

A T T E N T I O N !
YOUR PERSONAL FILES ARE ENCRYPTED!
PERSONAL ID: 0054B131

Your important files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

If you see this text but don’t see Decryptor Wizard window – please, disable any Firewalls and antivirus products, and download Decryptor Wizard on this URL:
http://dropmefiles.com/304718

You have 72 hours for payment.
After this time the private key will be destroyed.

For more info and support, please, contact us at this email address:
[email protected]

YafunnLocker Ransomware Distribution

The Yafunn Locker/CryptoLuck ransomware compromises victim machines by using the RIG-E (Empire) exploit kit through malicious ads. Several samples were identified in Adult web sites and other related places on the Internet.

A rather interesting feature of the virus is that it uses a legitimate signed program from Google knwon as GoogleUpdate.exe. The ransomware is hijacked into the DLL of the dropper.

The Yafunn Locker/CryptoLuck ransomware is hidden in the RAR self extracting archive in the program which includes – crp,cfg, GoogleUpdate.exe and the goopdata.dll files. The SFX is programmed in such that upon extraction in the %AppData%\76ff location it will silently execute the main executable. The goopdate.dll is run as a dependency.

YafunnLocker Ransomware Removal

For a faster solution, you can run a scan with an advanced malware removal tool and delete YafunnLocker completely with a few mouse clicks.

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R

Windows-key-plus-R-button-launch-Run-Box-in-Windows-illustrated

    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option

    show-hidden-files-win8-10

    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely YafunnLocker Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of YafunnLocker requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete YafunnLocker ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover Encrypted Files

    1) Use present backups
    2) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar

    restore-your-personal-files-using-File-History-bestecuritysearch

      – Hit the “Restore” button

    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps

restore-files-using-system-restore-point

STEP VII: Preventive Security Measures

    1) Enable and properly configure your Firewall.
    2) Install and maintain reliable anti-malware software.
    3) Secure your web browser.
    4) Check regularly for available software updates and apply them.
    5) Disable macros in Office documents.
    6) Use strong passwords.
    7) Don’t open attachments or click on links unless you’re certain they’re safe.
    8) Backup regularly your data.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *