_luck

[Content by Gemini 2.5]

────────────────────────────────
RANSOMWARE FILE-EXTENSION BRIEFING:
_luck
────────────────────────────────

Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact Extension: Encrypted files receive the additional suffix “. _luck” (note the leading space and dot – “letter.doc” becomes “letter.doc . _luck”).
  • Renaming Convention:
    • The original base name and all existing extensions are preserved in their original order; the ransomware merely appends the extra block.
    • In some builds the appended string is preceded by a random 6-character hexadecimal tag (“.A3F8B2._luck”), but most samples keep it short and minimal.
    • No other reordering of the file name is observed, so a name looks unchanged at a glance and users sometimes miss the trailing suffix.
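The renaming convention above is simple enough to turn into a triage helper. The following Python is an added example written for this briefing, not code from the briefing or from any vendor: it recognises the appended block (with or without the 6-hex tag), recovers the original file name because the ransomware only appends, and counts encrypted files per original extension so restores can be prioritised. The regex tolerates a space on either side of the dot because the briefing's description and its example place the space differently; the directory listing is constructed for the demonstration.

```python
import re
from collections import Counter

# Suffix pattern assumed from the briefing: a dot (a space is tolerated on either side,
# since the text describes a leading space), an optional 6-character hex tag, then
# "_luck" at the very end of the name. The ransom note "_luck-HELP-.txt" must not match.
LUCK_SUFFIX_RE = re.compile(r"\s?\.\s?(?:(?P<tag>[0-9A-Fa-f]{6})\.)?\s?_luck$")


def parse_luck_name(name):
    """Return (original_name, hex_tag_or_None) if `name` carries the _luck suffix, else None.

    Because the ransomware only appends, everything before the match is the original
    file name with all of its extensions intact.
    """
    m = LUCK_SUFFIX_RE.search(name)
    if m is None:
        return None
    return name[: m.start()], m.group("tag")


def triage_listing(names):
    """Summarise a directory listing for incident scoping: which entries are encrypted,
    what they were originally called, and a count per original extension so that
    restores can be prioritised (databases and mailboxes before scratch files)."""
    encrypted = {}
    untouched = []
    by_extension = Counter()
    for name in names:
        parsed = parse_luck_name(name)
        if parsed is None:
            untouched.append(name)
            continue
        original, _tag = parsed
        encrypted[name] = original
        ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
        by_extension[ext] += 1
    return {"encrypted": encrypted, "untouched": untouched, "by_extension": dict(by_extension)}


# Constructed listing for demonstration (not taken from any real incident).
SAMPLE_LISTING = [
    "letter.doc . _luck",          # plain append, as described in the briefing
    "Q2-forecast.xlsx._luck",      # same suffix without the stray space
    "backup.tar.gz.A3F8B2._luck",  # build that inserts the 6-hex tag
    "_luck-HELP-.txt",             # ransom note: starts with _luck but is not encrypted data
    "readme.md",                   # untouched file
]

if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    for renamed, original in report["encrypted"].items():
        print(f"{renamed!r:32} -> {original!r}")
    print("by original extension:", report["by_extension"])
    print("untouched:", report["untouched"])
```

Anchoring the pattern to the end of the name is what keeps the ransom note and any file that merely contains "_luck" out of the encrypted set; a loose substring match would inflate the scope figures handed to management.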

2. Detection & Outbreak Timeline

  • First Public Sightings: Early-to-mid March 2023.
  • Peak Campaigns:
    • Wave-1: 6 – 18 Mar 2023 – active exploitation of the PaperCut NG/MF CVE-2023-27350 vulnerability.
    • Wave-2: late May 2023 – resurgence via mal-spam (ISO and IMG attachments masquerading as shipping documents).
  • Steady Low-Level Activity: Sporadic but persistent campaigns ever since, with low-to-medium telemetry volume rather than massive surges, which earned it the “quiet raider” label in some SOC circles.

3. Primary Attack Vectors

| Vector | Typical Method | Evidence/Examples |
|---|---|---|
| Public-Facing Server Exploits | PaperCut (CVE-2023-27350), MOVEit (CVE-2023-34362) and occasionally Log4Shell (CVE-2021-44228) | First infections coincided with publication of exploit PoCs; a polymorphic PowerShell stager dropped the .NET _luck sample |
| Malicious Email Attachments | ISO, IMG or ZIP containers holding LNKs or a Setup.exe | Mal-spam lure names: “Order-QT-2023.iso”, “CopyofRemittance.img” |
| Remote Desktop Protocol | Credential stuffing → RDP lateral movement → svchost.exe spawning the encryptor from %TEMP%\_d9.exe | Dictionary attacks against 3389/tcp followed by disabling Windows Defender via registry changes |
| Software Supply Chain | Infected trial versions of previously benign utilities (NuGet package Sharp7Utilities) | Checksum mismatch relative to the legitimate package; renamed payload was extracted as _d9.exe, then executed in the context of dotnet.exe |


Remediation & Recovery Strategies

1. Prevention

  1. Server Hardening: Install the PaperCut NG/MF hot-fix (build >= 22.0.6) and the MOVEit patch (v2023.0.1 or later), and upgrade Java/Log4j wherever Log4j < 2.17.2 is still in the estate.
  2. Network Boundaries:
    • Disable SMBv1 at host and domain level (Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol").
    • Segment critical file shares (allow only domain controllers to expose Admin$) and restrict RDP to VPN or jump-host access.
  3. Mail Filtering & User Awareness:
    • Strip executable content from inbound e-mail (*.iso, *.img, *.js, *.hta).
    • Run quarterly phishing simulations focusing on the shipping/invoice lures that match the ISO/IMG carrier wave.
  4. Endpoint / EDR:
    • Detect and block the following signature indicators (YARA ruleset included in the DFIR pack):

    rule _luck_Ransom_NETpayload {
        meta:
            s = "ZquixLabs/_luck 2023-04"
        strings:
            // marker in the .NET payload: 59 ?? 00 00 followed by the ASCII bytes of
            // "t Let _luck decrypt" (single-byte ASCII, not UTF-16)
            $ep = { 59 ?? 00 00 74 20 4C 65 74 20 5F 6C 75 63 6B 20 64 65 63 72 79 70 74 }
        condition:
            all of them
    }
    • Enable tamper protection / the EDR kernel shield so that Defender-disable commands fail, with a rollback sentinel that re-applies Set-MpPreference -DisableRealTimeMonitoring $false.
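To show what the rule's hex string actually matches, the following Python is an added example (not part of the briefing's DFIR pack): it translates a YARA-style hex string with "??" wildcards into a byte regex and scans a set of constructed buffers. The first buffer carries the marker behind an arbitrary wildcard byte and matches at offset 32; the second holds the same text UTF-16-encoded and does not match, which shows that the rule as written keys on single-byte ASCII; the third is unrelated content.

```python
import re

# Hex string copied from the briefing's YARA rule ("??" is a one-byte wildcard).
LUCK_HEX_PATTERN = "59 ?? 00 00 74 20 4C 65 74 20 5F 6C 75 63 6B 20 64 65 63 72 79 70 74"


def compile_hex_pattern(hex_string):
    """Turn a YARA-style hex string into a compiled bytes regex.

    Each "XX" token becomes the literal byte \\xXX; each "??" becomes "." (any byte).
    Jumps like [4-8] and nibble wildcards like 5? are not needed for this rule and
    are rejected so that an unsupported pattern never silently matches nothing.
    """
    parts = []
    for token in hex_string.split():
        if token == "??":
            parts.append(b".")
        elif len(token) == 2 and all(c in "0123456789abcdefABCDEF" for c in token):
            parts.append(b"\\x%02x" % int(token, 16))
        else:
            raise ValueError(f"unsupported hex-string token: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(data, hex_string=LUCK_HEX_PATTERN):
    """Return the offsets at which the pattern occurs in `data` (empty list if none)."""
    return [m.start() for m in compile_hex_pattern(hex_string).finditer(data)]


def scan_buffers(buffers, hex_string=LUCK_HEX_PATTERN):
    """Scan a {name: bytes} mapping and return {name: [offsets]} for the hits only."""
    hits = {}
    for name, data in buffers.items():
        offsets = find_pattern(data, hex_string)
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample buffers (not real malware): the marker embedded at offset 32 with
# an arbitrary wildcard byte, the same text in UTF-16-LE, and unrelated content.
MARKER_ASCII = b"t Let _luck decrypt"
SAMPLE_BUFFERS = {
    "positive.bin": b"MZ" + b"\x00" * 30 + bytes.fromhex("59AB0000") + MARKER_ASCII + b"\x00" * 8,
    "utf16.bin": bytes.fromhex("59AB0000") + "t Let _luck decrypt".encode("utf-16-le"),
    "benign.bin": b"Nothing to see here, just a text file.\n",
}

if __name__ == "__main__":
    for name, offsets in scan_buffers(SAMPLE_BUFFERS).items():
        print(f"{name}: pattern at offsets {offsets}")
```

If a rule is meant to catch a UTF-16 string inside a .NET assembly, the hex string needs the interleaved 00 bytes; keeping a matcher like this in the test suite makes that kind of encoding slip visible before the rule is pushed to the fleet.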

2. Removal

  1. Physical Isolation:
    • Disconnect impacted host(s) from the network (pull the cable / disable Wi-Fi).
  2. Pre-Cleanup Evidence Capture:
    • Create a bit-level image before wiping disks, for root-cause analysis and legal retention.
  3. Identify & Kill Live Payloads:
    • Windows: Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -like "*\_d9*" -or $_.CommandLine -like "*\_luck*" } | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    • Booting into Safe Mode or running a Windows Defender Offline scan ensures persistent binaries (Task Scheduler entries "\Microsoft\Wlansvc\_lucksvc" or "SystemCheckUpdTask") are neutralised.
  4. Registry & Startup Cleanup:
    • Remove the following registry keys:

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce → "_lucksvc"
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{guid}\Count → AES.exe entries

  5. Re-image or Fresh OS Deployment:
    • A full reinstall is recommended. Data volumes can be re-scanned offline before being re-attached.

3. File Decryption & Recovery

  • Recovery Feasibility: Unfortunate but straightforward – no free decryption solution currently exists; keys are generated per host and stored only on the C2 (a v2 .onion site behind Tor).
  • Public Key Material: Samples bundle a 2048-bit RSA public key (-----BEGIN PUBLIC KEY----- MIIBIjANBgkqh...) used during payload initialisation.
  • Restoration Path:
    • Offline backups (Veeam, Acronis, Windows VSS) are the only reliable rollback. Verify that shadow copies survived; _luck deletes them via vssadmin delete shadows /all.
    • If tape or immutable cloud (Object Lock) copies are available, use a bare-metal restore rather than a file-level merge to avoid re-detonation.
  • Community Tools Status (2024-05-26): No key leak, master decryptor or CSPRNG flaw has been found; do not trust any “.luck Recovery Tool” promoted via YouTube, as these are confirmed loaders for additional malware.

4. Other Critical Information

  • Unique Behavior, Registry Marker Spray: Under HKCR\. _luck the ransom-note URL (the Tor onion address) is stored directly as the (Default) value, an aggressive hijack that confuses the right-click “Open with” behaviour for the renamed files.
  • Ransom Note Filename: _luck-HELP-.txt is dropped in every folder and on the desktop, alongside a .hta pop-up.
  • Ransom Demand Figure: Variable (0.11-0.23 BTC) depending on the victim's detected time zone / geolocation.
  • Double-Extortion Tactic: Exfiltrates *.sql, *.xlsx and *.pst files, archives them into “luckTrade.zip” with WinRAR (rar a -hp123…) and FTPs the archive to ftp[.]ticktocktech[.]biz before encryption. Victims face both a leak and encryption if the ransom is unpaid.
  • Wider Impact: While not as noisy as LockBit or Cl0p, _luck's target spectrum skews heavily toward printing, healthcare clinics and small-to-mid MSPs that run PaperCut servers, groups with limited security layers and vital continuity requirements. Small enterprises in APAC have borne the largest share of losses, indicating possible threat-actor regional preferences.
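The behaviours this briefing names on the host side (Defender real-time protection being switched off in the Endpoint/EDR item, vssadmin shadow deletion in the recovery section, the password-protected WinRAR staging and the _d9.exe / _lucksvc artefacts above) are all visible in process-creation telemetry before encryption completes. The following Python is an added example, not a detection shipped by the briefing's authors or by any vendor: it runs a small rule set over constructed key=value process-creation events (the layout, host names and the placeholder archive password are all invented for the demonstration) and escalates a host only when several distinct rules fire there, since a lone vssadmin or rar invocation can be an administrator at work.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simple key=value layout (not from any real
# host). Values with spaces are double-quoted, as cmdline always is.
SAMPLE_EVENTS = [
    'ts=2023-05-28T02:14:07Z host=FS01 user=svc_print cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2023-05-28T02:14:09Z host=FS01 user=svc_print cmdline="powershell -nop -c Set-MpPreference -DisableRealTimeMonitoring $true"',
    'ts=2023-05-28T02:15:31Z host=FS01 user=svc_print cmdline="rar a -hpEXAMPLEPW luckTrade.zip C:\\Data\\*.sql C:\\Data\\*.pst"',
    'ts=2023-05-28T02:16:02Z host=FS01 user=svc_print cmdline="C:\\Users\\svc_print\\AppData\\Local\\Temp\\_d9.exe"',
    'ts=2023-05-28T08:02:44Z host=WS22 user=alice cmdline="rar a photos.rar C:\\Users\\alice\\Pictures"',
    'ts=2023-05-28T08:10:12Z host=WS22 user=alice cmdline="vssadmin list shadows"',
]

# Each rule is (name, regex over the command line), derived from the behaviours the
# briefing names: shadow-copy deletion, Defender real-time protection switched off,
# password-protected WinRAR staging of loot, and the _d9.exe / _lucksvc artefacts.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("defender_realtime_disabled", re.compile(r"Set-MpPreference\b.*-DisableRealTimeMonitoring\s+\$?true\b", re.I)),
    ("password_protected_rar_staging", re.compile(r"\brar(?:\.exe)?\s+a\b.*\s-hp\S*", re.I)),
    ("luck_artefact_name", re.compile(r"\\_d9\.exe\b|_lucksvc\b", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines):
    """Run every rule over every event; return one hit per (event, rule) match."""
    hits = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        for rule_name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append({"rule": rule_name, "ts": event.get("ts"),
                             "host": event.get("host"), "user": event.get("user"),
                             "cmdline": cmdline})
    return hits


def hosts_to_escalate(hits, min_distinct_rules=2):
    """A single rule firing can be an admin at work; several distinct rules on the same
    host is the chain the briefing describes and should page the responder."""
    rules_by_host = defaultdict(set)
    for hit in hits:
        rules_by_host[hit["host"]].add(hit["rule"])
    return {host: sorted(rules) for host, rules in rules_by_host.items()
            if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]:<5} {hit["rule"]:<32} {hit["cmdline"]}')
    print("escalate:", hosts_to_escalate(found))
```

In the sample, FS01 trips all four rules within two minutes and is escalated, while WS22's routine archive and shadow-copy listing produce no hits at all; in production the same rules would be expressed in the EDR or SIEM query language, with the per-host correlation window tuned to the dwell time seen in the estate.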

────────────────────────────────
Stay vigilant, patch early, test backups often—_luck may be silent, but it strikes hard when defenses drop.