Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

‘LokiLocker’ Ransomware Packs Data Wiping Capabilities

A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.

A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.

Dubbed LokiLocker and active since at least August 2021, the malware is written in .NET, employs an implementation of the KoiVM virtualization plugin, and uses AES to encrypt all files located on local drives and network shares.

To hide its malicious activity and prevent interference, the threat displays a fake Windows Update screen, kills a series of processes and stops specific services, and disables Task Manager and Windows Error Reporting, along with the machine’s firewall and Windows Defender.

Furthermore, to prevent data recovery, it deletes backup files and shadow copies and removes system restore points. It also changes the user login note and modifies original equipment manufacturer (OEM) info in the registry.

LokiLocker changes the names of encrypted folders, and drops ransom notes instructing the victim to contact the attackers via email. The ransom note also warns victims of potential data deletion if no payment is made within a specified timeframe.

[ READ: SecurityWeek Cyber Insights 2022: Ransomware ]

The malware was designed with optional data wiping functionality that erases all non-system files and also overwrites the MBR, thus rendering the computer unusable.

LokiLocker is being offered to carefully vetted affiliates only, with around 30 different operators identified to date, security researchers with BlackBerry note in a technical report.

During an initial testing phase, the malware was distributed through trojanized brute-checker hacking tools, which are used to validate stolen login information and access other accounts through credential stuffing.

To date, the malware has made victims worldwide, with a focus on Eastern Europe and Asia. However, BlackBerry’s researchers could not identify the ransomware’s origin, especially since its embedded debugging strings are in English and the code does not contain spelling errors.

However, BlackBerry has found evidence pointing to possible Iranian developers. The company discovered that some LokiLocker affiliates are from Iran, and noticed that Iran is the only country in the malware’s exclusion list, but notes that all these may be false flags.

Related: Ransomware Gang Threatens to Leak Files Stolen From Tire Giant Bridgestone

Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen

Related: Backup Plays Key Role in Ransomware Response, But Not a Complete Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.