LokiLocker also uses an unusual obfuscation technique to avoid detection.

A new ransomware operation dubbed LokiLocker has slowly been gaining traction among cybercriminals since August, researchers warn. The malicious program uses a relatively rare code obfuscation technique and includes a file wiper component that attackers could turn against non-compliant victims.

“LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021,” researchers from BlackBerry’s Research & Intelligence Team said in a new report. “It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. It shares some similarities with the LockBit ransomware (registry values, ransom note filename), but it doesn’t seem to be its direct descendant.”

So far the LokiLocker ransomware-as-a-service (RaaS) offering appears to have been shared with a small number of carefully vetted affiliates, the individuals or groups that carry out the actual ransomware deployment in exchange for a cut of the ransom. The BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.

LokiLocker’s technical capabilities

LokiLocker is written in .NET, but its code is obfuscated with a modified version of ConfuserEX in combination with KoiVM, two open-source code protectors for .NET applications. Tools like ConfuserEX and KoiVM are meant to make reverse engineering harder in order to protect the proprietary source code of commercial applications, but malware authors sometimes use them to evade detection by security products and to slow down researchers. “LokiLocker’s use of KoiVM as a virtualizing protector for .NET applications is an unusual method of complicating analysis,” the researchers said.
“We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend.”

When first executed on a computer, LokiLocker copies itself to %ProgramData%/winlogon.exe and then sets up persistence with a scheduled task and start-up registry entries. The malware has a config file that affiliates can customize and which can instruct the malware to:

- Display a fake Windows Update screen
- Kill specific processes and stop specific system services
- Disable the Windows Task Manager
- Delete system backups and Shadow Volume copies
- Disable Windows Error Recovery and the Windows Firewall
- Remove system restore points
- Empty the Recycle Bin
- Disable Windows Defender
- Change the message displayed on the user’s login screen

The malicious program then collects information about the infected system and sends it to a hard-coded command-and-control server URL. The server sends back a public RSA key, which is used to encrypt the public-private RSA key pair the ransomware generates for each individual victim. The victim’s public RSA key in turn encrypts the randomly generated AES key that encrypts the files. If the server cannot be reached, the binary falls back to one of five hard-coded public RSA keys. Only the attackers hold the RSA private key that decrypts the victim’s RSA private key, which is in turn needed to decrypt the AES key and so the files.

“At the time of writing this, there is no free tool to decrypt files encrypted by LokiLocker,” the BlackBerry researchers said. “If you are already infected with LokiLocker ransomware, the recommendation by most official security authorities such as the FBI is to not pay the ransom.”

LokiLocker starts by encrypting files in the following directories: Favorites, Recent, Desktop, Personal, MyPictures, MyVideos and MyMusic. It then proceeds to encrypt files on all local drives, although this depends on the affiliate’s configuration.
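The three-tier key hierarchy described above, as an added example in Go. This is not LokiLocker’s code or BlackBerry’s analysis: the article states only the hierarchy (attacker RSA key wraps the per-victim RSA pair, victim RSA key wraps the AES file key) and the fallback to five embedded public keys. The 2048-bit keys, RSA-OAEP/SHA-256 and AES-256-GCM, the chunking of the victim’s private key across RSA blocks, the Bundle layout and the caller-chosen fallback index are all this example’s assumptions, and the “operator” keys are generated fresh because the real ones are not on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Bundle is what the operator needs to recover one file. Layout, RSA-OAEP/SHA-256, AES-256-GCM
// and 2048-bit keys are this example's choices; the article states only the three-tier hierarchy.
type Bundle struct {
	KeyIndex      int      // -1 = key served by the C2, 0..4 = one of the embedded fallback keys
	WrappedVictim [][]byte // victim RSA private key (PKCS#1 DER) in RSA-OAEP chunks under the attacker key
	WrappedAES    []byte   // AES file key under the victim's RSA public key
	Ciphertext    []byte   // AES-GCM: nonce || ciphertext || tag
}

// must panics on error; the only failure this demo expects is a wrong operator key in Recover.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// GenerateOperatorKeys stands in for the C2-served key or the five embedded keys (not on the page).
func GenerateOperatorKeys(n int) (privs []*rsa.PrivateKey, pubs []*rsa.PublicKey) {
	for i := 0; i < n; i++ {
		k := must(rsa.GenerateKey(rand.Reader, 2048))
		privs, pubs = append(privs, k), append(pubs, &k.PublicKey)
	}
	return privs, pubs
}

// SelectAttackerKey models key delivery: the C2-served key if the C2 answered, otherwise an embedded
// fallback. The index is recorded so the operator knows which private key to use (pick is an assumption).
func SelectAttackerKey(c2Key *rsa.PublicKey, embedded []*rsa.PublicKey, pick int) (*rsa.PublicKey, int) {
	if c2Key != nil {
		return c2Key, -1
	}
	return embedded[pick%len(embedded)], pick % len(embedded)
}

// wrapChunked splits data at the OAEP limit (k - 2*hLen - 2 bytes) because a serialized private key
// does not fit one RSA block. How LokiLocker solves this is not on the page; chunking is an assumption.
func wrapChunked(pub *rsa.PublicKey, data []byte) (out [][]byte) {
	for len(data) > 0 {
		n := pub.Size() - 2*sha256.Size - 2
		if n > len(data) {
			n = len(data)
		}
		out = append(out, must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data[:n], nil)))
		data = data[n:]
	}
	return out
}

// Encrypt is the victim-side walk down the hierarchy: fresh per-victim RSA pair wrapped under the attacker
// key, fresh AES key wrapped under the victim key, file under AES. Only the wrapped forms survive the return.
func Encrypt(attackerPub *rsa.PublicKey, keyIndex int, plaintext []byte) *Bundle {
	victim := must(rsa.GenerateKey(rand.Reader, 2048))
	buf := make([]byte, 32+12) // AES-256 key followed by the standard 12-byte GCM nonce
	rand.Read(buf)
	aesKey, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(aesKey))))
	return &Bundle{
		KeyIndex:      keyIndex,
		WrappedVictim: wrapChunked(attackerPub, x509.MarshalPKCS1PrivateKey(victim)),
		WrappedAES:    must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &victim.PublicKey, aesKey, nil)),
		Ciphertext:    gcm.Seal(nonce, nonce, plaintext, nil),
	}
}

// Recover is the operator-side walk back up. Only the private half of the key named by b.KeyIndex
// unwraps the victim key; with any other key OAEP's integrity check fails and an error is returned.
func Recover(attackerPriv *rsa.PrivateKey, b *Bundle) ([]byte, error) {
	var der []byte
	for _, c := range b.WrappedVictim {
		p, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, c, nil)
		if err != nil {
			return nil, fmt.Errorf("unwrap victim key: %w", err)
		}
		der = append(der, p...)
	}
	victim := must(x509.ParsePKCS1PrivateKey(der))
	aesKey := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, victim, b.WrappedAES, nil))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(aesKey))))
	return gcm.Open(nil, b.Ciphertext[:gcm.NonceSize()], b.Ciphertext[gcm.NonceSize():], nil)
}

func main() {
	privs, pubs := GenerateOperatorKeys(5)
	pub, idx := SelectAttackerKey(nil, pubs, 3) // nil: C2 unreachable, fall back to embedded key 3
	b := Encrypt(pub, idx, []byte("constructed sample file contents"))
	out, err := Recover(privs[b.KeyIndex], b)
	fmt.Printf("embedded key %d used; recovered %q (err=%v)\n", b.KeyIndex, out, err)
}
```

Running it makes the page’s point concrete: the victim’s private key and the AES key exist in the clear only inside Encrypt, the bundle left on disk records which operator key was used, and Recover fails with any other key. Anything captured from the victim machine alone is therefore useless for decryption; only the matching operator private key walks the hierarchy back down.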
Affiliates can also configure the malware to encrypt only the C drive, or to skip it. The malware has network scanning functionality as well, which can be used to find and encrypt network shares, but its use is likewise configurable.

Finally, LokiLocker contains a wiper module that attempts to delete files from all local drives and then overwrites the hard drive’s Master Boot Record (MBR), leaving the system unable to boot into the operating system. Instead, the user sees a message reading: “You did not pay us, so we deleted all your files.” The wiper triggers automatically on a timer that is set to 30 days by default but is configurable.

There have been incidents over the years involving file-wiping malware, including recently in Ukraine. While some of these programs have masqueraded as ransomware as a distraction, it is not common for actual ransomware to bundle such functionality. The usefulness of a timer-based revenge mechanism is debatable, since the victim will already know they were hit by ransomware, and the first step in ransomware incident response is to neutralize the threat before deciding whether to negotiate for decryption. The practical caveat is that a sample left running on an unremediated host will eventually trigger the wiper, so containment cannot wait on the outcome of any negotiation.

LokiLocker origins

It is not clear who the authors of LokiLocker are, but the BlackBerry researchers noted that the debugging strings found in the malware are written in English, without the spelling mistakes that are sometimes common among Russian or Chinese malware developers. There are, however, some potential links to Iran, although these could have been planted to throw off malware researchers. The malware contains the string “Iran” in a routine that appears intended to define countries excluded from file encryption, a common approach among some ransomware creators, but this functionality doesn’t seem to be implemented yet.
Some of the earliest samples of LokiLocker were distributed as Trojanized versions of brute-force credential-checking tools such as PayPal BruteChecker, Spotify BruteChecker, PiaVPN Brute Checker and FPSN Checker. Some of these tools — not their Trojanized versions — are created by an Iranian cracking team called AccountCrack. Furthermore, at least three LokiLocker affiliates have usernames that can also be found on Iranian hacking forums.

“It’s not entirely clear whether this means they truly originate from Iran or that the real threat actors are trying to cast the blame on Iranian attackers,” the BlackBerry researchers said. “With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag — and one can never be sure on how far down the rabbit hole the deception goes.”