Security researchers at BlackBerry have identified a new Ransomware-as-a-Service (RaaS) family and traced it back to what appears to be its beta-stage release.
The strain, dubbed LokiLocker, encrypts victims’ files, can render compromised systems unusable, and demands a ransom to restore access. The malicious service also tries to shake off unwanted attention by pointing the finger at Iranian threat actors.
LokiLocker was first spotted in the wild in August 2021, targeting the Windows PCs of English-speaking users. This strain shouldn’t be confused with the LokiBot infostealer or with the Locky or LockBit ransomware families. Although it shares similarities with the latter, including the ransom note filename and registry values, researchers believe it is not “its direct descendant.”
The malware is written in .NET and obfuscated with NETGuard, a modified version of the popular open-source .NET protector ConfuserEx. Its developers also used KoiVM, a virtualization plugin that was once a licensed commercial product, was later open-sourced, and is now popular in hacking tools.
“LokiLocker encrypts victim’s files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection,” according to BlackBerry’s security advisory. “It then asks the victim to email the attackers to obtain instructions on how to pay the ransom.”
So far, LokiLocker appears to have the same encryption capabilities as many other known ransomware strains. However, threat actors can also configure it to wipe all non-system files and overwrite the Master Boot Record (MBR), making the system unusable.
“LokiLocker also boasts an optional wiper functionality – if the victim doesn’t pay up in the timeframe specified by the attacker, all non-system files will be deleted and the MBR overwritten, wiping all the victim’s files and rendering the system unusable. With a single stroke, everyone loses,” according to the advisory.
Reportedly, LokiLocker could be programmed to exclude certain countries from encryption and wiping, but further research found only Iran on the list of exceptions. Furthermore, the exception rule hasn’t even been implemented, leading experts to believe that the references to Iranian threat actors may be a false flag meant to deflect unwanted attention.
No free decryption tool for files encrypted by LokiLocker is currently available. To reduce the risk of ransomware attacks, users should:
- Keep offline, unplugged backup copies of data
- Make backup copies regularly
- Avoid downloading content from shady, untrusted websites
- Proceed with caution when opening email attachments, especially if they come from unknown, untrusted contacts
- Report incidents to law enforcement and request assistance