LokiLocker Ransomware Can Wipe Device Data If a Ransom Demand Isn’t Met

essidsolutions

Researchers at BlackBerry Threat Intelligence have analysed a relatively new ransomware strain that probably originated in Iran. Named LokiLocker after the Norse god of mischief, the ransomware carries an optional wiper that erases all non-system files and overwrites the master boot record on the target computer if the ransom is not paid.

The growing use of disk-wiping malware amid the Russia-Ukraine conflict forms the backdrop to LokiLocker, whose operators have folded a similar destructive capability into a ransomware operation. BlackBerry Threat Intelligence says the strain goes a step beyond the double-extortion model that became popular over the past two years.

LokiLocker threatens to erase all files on the target system, besides obviously encrypting them, if the victim doesn’t pay the ransom demand. “With a single stroke, everyone loses,” noted BlackBerry Threat Intelligence researchers.

This is made possible by an optional wiper in the LokiLocker strain that deletes all non-system files, eliminating any possibility of negotiation once it runs. The operators and affiliates do, however, give victims a deadline to pay before the wiper is triggered.

LokiLocker locks files with a standard combination of AES for the file contents and RSA to protect the AES key. The bulk encryption is fast and symmetric, while the key that unlocks it is wrapped with the operator's RSA public key, so the victim cannot recover it without the matching private key that only the operator holds.

Written in .NET and protected with NETGuard using a virtualization plugin called KoiVM, LokiLocker also overwrites the master boot record (MBR). The MBR is the first sector of a disk: it holds the boot code and the partition table that let a system locate and start the operating system on the drive. Without a valid MBR the computer will not boot.
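A check an incident responder might run on a disk image after such an attack, added here as an example and not part of the BlackBerry report: parse sector 0, confirm the 0x55AA boot signature and the four partition-table entries, and flag a sector that can no longer boot. The two sample sectors are constructed inside the code; the "overwritten" one merely stands in for a boot sector that has been replaced with text and does not reproduce whatever LokiLocker actually writes there, which the report does not show.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	sectorSize    = 512
	partTableOff  = 446 // four 16-byte entries follow the boot code
	partEntrySize = 16
	sigOff        = 510 // 0x55 0xAA boot signature
)

// Partition is one decoded MBR partition-table entry.
type Partition struct {
	Bootable bool   // status byte 0x80
	Type     byte   // e.g. 0x07 NTFS, 0xEE protective MBR on a GPT disk
	StartLBA uint32 // first sector, little-endian
	Sectors  uint32 // length in sectors, little-endian
}

// Report summarises what the inspector finds in sector 0.
type Report struct {
	SignatureOK bool
	Partitions  []Partition // only slots with a non-zero type byte
}

// InspectMBR parses a raw 512-byte sector-0 image (for example the output of
// dd if=<image> bs=512 count=1 taken from a forensic copy, not the live host).
func InspectMBR(sector []byte) (Report, error) {
	if len(sector) != sectorSize {
		return Report{}, errors.New("expected exactly one 512-byte sector")
	}
	r := Report{SignatureOK: sector[sigOff] == 0x55 && sector[sigOff+1] == 0xAA}
	for i := 0; i < 4; i++ {
		e := sector[partTableOff+i*partEntrySize : partTableOff+(i+1)*partEntrySize]
		if e[4] == 0 { // empty slot
			continue
		}
		r.Partitions = append(r.Partitions, Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			StartLBA: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		})
	}
	return r, nil
}

// LooksWiped is true when the sector cannot be used to boot: the signature
// the firmware looks for is gone, or no partition entry is populated.
func LooksWiped(r Report) bool {
	return !r.SignatureOK || len(r.Partitions) == 0
}

// HealthySample builds a constructed, minimal valid MBR: one bootable NTFS
// partition starting at LBA 2048, 204800 sectors long, plus the signature.
func HealthySample() []byte {
	s := make([]byte, sectorSize)
	e := s[partTableOff : partTableOff+partEntrySize]
	e[0], e[4] = 0x80, 0x07
	binary.LittleEndian.PutUint32(e[8:12], 2048)
	binary.LittleEndian.PutUint32(e[12:16], 204800)
	s[sigOff], s[sigOff+1] = 0x55, 0xAA
	return s
}

// OverwrittenSample is a constructed stand-in for a boot sector replaced with
// text: no partition table, no signature. It is not LokiLocker's payload.
func OverwrittenSample() []byte {
	s := make([]byte, sectorSize)
	copy(s, "constructed placeholder text written over sector 0")
	return s
}

func main() {
	samples := map[string][]byte{"healthy": HealthySample(), "overwritten": OverwrittenSample()}
	for name, img := range samples {
		r, err := InspectMBR(img)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-12s signature=%v partitions=%d wiped=%v\n", name, r.SignatureOK, len(r.Partitions), LooksWiped(r))
	}
}
```

On a UEFI machine with a GPT disk, sector 0 still carries a protective MBR with a single type 0xEE entry, so the same check applies. It only catches gross damage: boot code that has been replaced while the table and signature were left intact passes this check, so on a real image also compare the first 446 bytes against a known-good copy from the same build.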

The fact that LokiLocker deletes all non-system files and overwrites the MBR indicates the ransomware gang means business. However, because it does not exfiltrate data, the gang gives up the ability to publicly leak sensitive company information, and with it an extra lever it might otherwise pull. The LokiLocker gang probably does not care.

The images below show what a successful attack looks like:

Changed User Login Screen of a LokiLocker Victim | Source: BlackBerry Threat Intelligence

LokiLocker Desktop Wallpaper | Source: BlackBerry Threat Intelligence


The perpetrators also drop an HTA file which, bizarrely, advises victims against paying the ransom until some test files have been decrypted. The group offers to decrypt three test files for free as proof that its decryptor works.

LokiLocker HTA File | Source: BlackBerry Threat Intelligence

If the ransom isn’t paid in time, the following message comes up:

LokiLocker Message | Source: BlackBerry Threat Intelligence

LokiLocker has been active since mid-August 2021, which makes it a relatively recent arrival. It operates under a ransomware-as-a-service model: BlackBerry Threat Intelligence says the strain is sold to a limited number of vetted affiliates. “Each affiliate is identified by a chosen username and is assigned a unique chat-ID number. There are currently about 30 different ‘VIP’ affiliates across the LokiLocker samples that BlackBerry researchers have found in the wild.”

Attacks using the LokiLocker strain target predominantly English-speaking Windows PC users. The strain's origin remains unconfirmed, but BlackBerry found that the embedded debugging strings are written in correctly spelled, grammatical English, which makes a Russian or Chinese origin unlikely.

BlackBerry said that “some of the cracking tools used to distribute the very first samples of LokiLocker seem to be developed by an Iranian cracking team called AccountCrack. Moreover, at least three of the known LokiLocker affiliates use unique usernames that can be found on Iranian hacking channels.”

In addition, malware analysis shows that LokiLocker excludes Iranian systems from encryption. Taken together, these clues suggest the strain originated in Iran; either that, or someone is trying to pin the blame on Iranian hackers.

“These details further muddy the waters. With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag – and one can never be sure just how far down the rabbit hole the deception goes,” BlackBerry Threat Intelligence added.

Can the impact of LokiLocker be mitigated?

Mitigating a LokiLocker attack is no different from mitigating any other ransomware strain: maintain a solid security posture and take regular backups. Since LokiLocker threatens to wipe rather than leak data, an offline backup that the compromised network cannot reach limits the damage to what the wiper can touch. Because the wiper also overwrites the MBR, recovery means rebuilding affected machines rather than just restoring files, so the backup plan should include tested restores of whole systems.

Bill Conner, the president and CEO of SonicWall, says that to defend against ransomware operators who continue to mix-and-match malware ingredients deployed during the attack, organizations “need to protect their outward-facing attack surface, but equally importantly, establish internal barriers (segmentation) to prevent lateral exploitation on which attackers rely to establish persistence and larger network access once they establish foothold on a single system.”
