New ransomware LokiLocker bundles destructive wiping component

LokiLocker also uses an unusual obfuscation technique to avoid detection.

A new ransomware operation dubbed LokiLocker has slowly been gaining traction since August among cyber criminals, researchers warn. The malicious program uses a relatively rare code obfuscation technique and includes a file wiper component that attackers could use against non-compliant victims.

"LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021," researchers from BlackBerry's Research & Intelligence Team said in a new report

"It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. It shares some similarities with the LockBit ransomware (registry values, ransom note filename), but it doesn't seem to be its direct descendant."

So far it appears that the LokiLocker ransomware-as-a-service (RaaS) offering has been shared with a small number of carefully vetted affiliates -- individuals or groups of cyber criminals that do the actual ransomware deployment for a cut of the ransom. The BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.

LokiLocker’s technical capabilities

LokiLocker is written in the .NET programming language, but its code is obfuscated with a modified version of ConfuserEX in combination with KoiVM. These are two open-source code protectors for .NET applications. 

The goal of programs like ConfuserEX and KoiVM are to make reverse engineering harder with the goal of protecting the proprietary source code of commercial applications, but malware authors sometimes use such programs to evade being detected by security programs and researchers.

"LokiLocker’s use of KoiVM as a virtualising protector for .NET applications is an unusual method of complicating analysis," the researchers said. "We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend."

When first executed on a computer, LokiLocker copies itself as %ProgramData%/winlogon.exe and then sets up persistence by using a scheduled task and a start-up registry entries. The malware has a config file that affiliates can customise and which can be used to instruct the malware to:

  • Display a fake Windows Update screen
  • Kill specific processes and stop specific system services
  • Disable the Windows Task Manager
  • Delete system back-ups and Shadow Volume copies
  • Disable the Windows Error Recovery and Windows Firewall
  • Remove system restore points
  • Empty the Recycle Bin
    Disable Windows Defender
  • Change the message displayed on the user's login screen

The malicious program then collects information about the infected system and sends it to a hard-coded command-and-control server URL. The server will send back a public RSA key that will be used to encrypt the public-private key pair generated by the ransomware for each individual victim. 

The victim's public RSA key is then used to encrypt the randomly generated AES file-encryption key. If communication with the server is not possible, the ransomware binary contains five hard-coded public RSA keys that can be used. Only the attackers have the RSA private key that will decrypt the victim's RSA private key that will decrypt the AES key needed for file decryption.

"At the time of writing this, there is no free tool to decrypt files encrypted by LokiLocker," the BlackBerry researchers said. "If you are already infected with LokiLocker ransomware, the recommendation by most official security authorities such as the FBI is to not pay the ransom."

LokiLocker will start encrypting files in the following directories: Favorites, Recent, Desktop, Personal, MyPictures, MyVideos and MyMusic. It will then proceed to encrypt files on all local drives, but this depends on the affiliate's configuration. 

There are options to only encrypt the C drive, or to skip the C drive. The malware also has network scanning functionality, which can be used to detect and encrypt network shares, but using this functionality is also configurable.

Finally, LokiLocker contains a wiper module that will attempt to delete files from all local drives and then overwrite the hard drive's Master Boot Record (MBR), which will leave the system unable to boot into the operating system. 

Instead, the user will see a message reading: "You did not pay us, so we deleted all your files." The wiper functionality will automatically trigger based on a timer that's set to 30 days but is configurable.

There have been incidents over the years involving file wiping malware, including recently in Ukraine. While some of these malicious programs have masqueraded as ransomware as a distraction, it's not common to have actual ransomware bundled with such functionality. 

The usefulness of using this revenge mechanism based on a timer is debatable since the victim will be aware they were hit by ransomware and the first step in a ransomware incident response is to neutralise the threat and then decide whether to negotiate for file decryption.

LokiLocker origins

It's not clear who are the authors of LokiLocker, but the BlackBerry researchers noted that the debugging strings found in the malware are written in English without any major spelling mistakes that are sometimes common with Russian or Chinese malware developers. Instead, there are some potential links to Iran, but these could be planted to throw off malware researchers.

The malware contains the string "Iran" in a routine that is potentially intended to define countries that should be excluded from file encryption, which is a common approach for some ransomware creators. However, this functionality doesn't seem to be implemented yet.

Some of the earliest samples of LokiLocker were distributed as Trojanized version of brute-force credential checking tools such as PayPal BruteChecker, Spotify BruteChecker, PiaVPN Brute Checker and FPSN Checker. 

Some of these tools -- not their Trojanized versions -- are created by an Iranian cracking team called AccountCrack. Furthermore, at least three LokiLocker affiliates have usernames that can also be found on Iranian hacking forums.

"It’s not entirely clear whether this means they truly originate from Iran or that the real threat actors are trying to cast the blame on Iranian attackers," the BlackBerry researchers said. "With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag -- and one can never be sure on how far down the rabbit hole the deception goes."