Connect with us

Hi, what are you looking for?



‘LokiLocker’ Ransomware Packs Data Wiping Capabilities

A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.

A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.

Dubbed LokiLocker and active since at least August 2021, the malware is written in .NET, employs an implementation of the KoiVM virtualization plugin, and uses AES to encrypt all files located on local drives and network shares.

To hide its malicious activity and prevent interference, the threat displays a fake Windows Update screen, kills a series of processes and stops specific services, and disables Task Manager and Windows Error Reporting, along with the machine’s firewall and Windows Defender.

Furthermore, to prevent data recovery, it deletes backup files and shadow copies and removes system restore points. It also changes the user login note and modifies original equipment manufacturer (OEM) info in the registry.

LokiLocker changes the names of encrypted folders, and drops ransom notes instructing the victim to contact the attackers via email. The ransom note also warns victims of potential data deletion if no payment is made within a specified timeframe.

[ READ: SecurityWeek Cyber Insights 2022: Ransomware ]

The malware was designed with optional data wiping functionality that erases all non-system files and also overwrites the MBR, thus rendering the computer unusable.

Advertisement. Scroll to continue reading.

LokiLocker is being offered to carefully vetted affiliates only, with around 30 different operators identified to date, security researchers with BlackBerry note in a technical report.

During an initial testing phase, the malware was distributed through trojanized brute-checker hacking tools, which are used to validate stolen login information and access other accounts through credential stuffing.

To date, the malware has made victims worldwide, with a focus on Eastern Europe and Asia. However, BlackBerry’s researchers could not identify the ransomware’s origin, especially since its embedded debugging strings are in English and the code does not contain spelling errors.

However, BlackBerry has found evidence pointing to possible Iranian developers. The company discovered that some LokiLocker affiliates are from Iran, and noticed that Iran is the only country in the malware’s exclusion list, but notes that all these may be false flags.

Related: Ransomware Gang Threatens to Leak Files Stolen From Tire Giant Bridgestone

Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen

Related: Backup Plays Key Role in Ransomware Response, But Not a Complete Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...