CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

‘LokiLocker’ Ransomware Packs Data Wiping Capabilities

A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.

A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.

Dubbed LokiLocker and active since at least August 2021, the malware is written in .NET, employs an implementation of the KoiVM virtualization plugin, and uses AES to encrypt all files located on local drives and network shares.

To hide its malicious activity and prevent interference, the threat displays a fake Windows Update screen, kills a series of processes and stops specific services, and disables Task Manager and Windows Error Reporting, along with the machine’s firewall and Windows Defender.

Furthermore, to prevent data recovery, it deletes backup files and shadow copies and removes system restore points. It also changes the user login note and modifies original equipment manufacturer (OEM) info in the registry.

LokiLocker changes the names of encrypted folders, and drops ransom notes instructing the victim to contact the attackers via email. The ransom note also warns victims of potential data deletion if no payment is made within a specified timeframe.

[ READ: SecurityWeek Cyber Insights 2022: Ransomware ]

The malware was designed with optional data wiping functionality that erases all non-system files and also overwrites the MBR, thus rendering the computer unusable.

LokiLocker is being offered to carefully vetted affiliates only, with around 30 different operators identified to date, security researchers with BlackBerry note in a technical report.

Advertisement. Scroll to continue reading.

During an initial testing phase, the malware was distributed through trojanized brute-checker hacking tools, which are used to validate stolen login information and access other accounts through credential stuffing.

To date, the malware has made victims worldwide, with a focus on Eastern Europe and Asia. However, BlackBerry’s researchers could not identify the ransomware’s origin, especially since its embedded debugging strings are in English and the code does not contain spelling errors.

However, BlackBerry has found evidence pointing to possible Iranian developers. The company discovered that some LokiLocker affiliates are from Iran, and noticed that Iran is the only country in the malware’s exclusion list, but notes that all these may be false flags.

Related: Ransomware Gang Threatens to Leak Files Stolen From Tire Giant Bridgestone

Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen

Related: Backup Plays Key Role in Ransomware Response, But Not a Complete Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.