A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.
Dubbed LokiLocker and active since at least August 2021, the malware is written in .NET, employs an implementation of the KoiVM virtualization plugin, and uses AES to encrypt all files located on local drives and network shares.
To hide its malicious activity and prevent interference, the threat displays a fake Windows Update screen, kills a series of processes and stops specific services, and disables Task Manager and Windows Error Reporting, along with the machine’s firewall and Windows Defender.
Furthermore, to prevent data recovery, it deletes backup files and shadow copies and removes system restore points. It also changes the user login note and modifies original equipment manufacturer (OEM) info in the registry.
LokiLocker changes the names of encrypted folders, and drops ransom notes instructing the victim to contact the attackers via email. The ransom note also warns victims of potential data deletion if no payment is made within a specified timeframe.
The malware was designed with optional data wiping functionality that erases all non-system files and also overwrites the MBR, thus rendering the computer unusable.
LokiLocker is being offered to carefully vetted affiliates only, with around 30 different operators identified to date, security researchers with BlackBerry note in a technical report.
During an initial testing phase, the malware was distributed through trojanized brute-checker hacking tools, which are used to validate stolen login information and access other accounts through credential stuffing.
To date, the malware has made victims worldwide, with a focus on Eastern Europe and Asia. However, BlackBerry’s researchers could not identify the ransomware’s origin, especially since its embedded debugging strings are in English and the code does not contain spelling errors.
However, BlackBerry has found evidence pointing to possible Iranian developers. The company discovered that some LokiLocker affiliates are from Iran, and noticed that Iran is the only country in the malware’s exclusion list, but notes that all these may be false flags.