A recently identified Ransomware-as-a-Service (Raas) family includes both file encryption and data wiping functionality, rendering infected computers unusable if the victim does not pay the ransom in time.
Dubbed LokiLocker and active since at least August 2021, the malware is written in .NET, employs an implementation of the KoiVM virtualization plugin, and uses AES to encrypt all files located on local drives and network shares.
To hide its malicious activity and prevent interference, the threat displays a fake Windows Update screen, kills a series of processes and stops specific services, and disables Task Manager and Windows Error Reporting, along with the machine’s firewall and Windows Defender.
Furthermore, to prevent data recovery, it deletes backup files and shadow copies and removes system restore points. It also changes the user login note and modifies original equipment manufacturer (OEM) info in the registry.
LokiLocker changes the names of encrypted folders, and drops ransom notes instructing the victim to contact the attackers via email. The ransom note also warns victims of potential data deletion if no payment is made within a specified timeframe.
[ READ: SecurityWeek Cyber Insights 2022: Ransomware ]
The malware was designed with optional data wiping functionality that erases all non-system files and also overwrites the MBR, thus rendering the computer unusable.
LokiLocker is being offered to carefully vetted affiliates only, with around 30 different operators identified to date, security researchers with BlackBerry note in a technical report.
During an initial testing phase, the malware was distributed through trojanized brute-checker hacking tools, which are used to validate stolen login information and access other accounts through credential stuffing.
To date, the malware has made victims worldwide, with a focus on Eastern Europe and Asia. However, BlackBerry’s researchers could not identify the ransomware’s origin, especially since its embedded debugging strings are in English and the code does not contain spelling errors.
However, BlackBerry has found evidence pointing to possible Iranian developers. The company discovered that some LokiLocker affiliates are from Iran, and noticed that Iran is the only country in the malware’s exclusion list, but notes that all these may be false flags.
Related: Ransomware Gang Threatens to Leak Files Stolen From Tire Giant Bridgestone
Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen
Related: Backup Plays Key Role in Ransomware Response, But Not a Complete Solution

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
