Combined with a data erasure component, the LokiLocker ransomware also uses an unusual obfuscation technique to avoid detection.
Researchers warn of an evolving ransomware family dubbed LokiLocker, which cybercriminals have used increasingly since August. The malware uses a relatively rare code obfuscation technique and includes a file-wiping component that attackers could use against certain types of victims. “This relatively new ransomware family targets English-speaking victims and Windows PCs. The threat was first observed in the wild in mid-August 2021,” researchers from the BlackBerry Research and Intelligence Team said in a recent report. “LokiLocker should not be confused with an older ransomware family called Locky, which gained notoriety in 2016, or with the infostealer LokiBot which steals sensitive data. It shares some similarities with LockBit ransomware (registry values, ransom note file), but it does not appear to be its direct descendant.”
So far, it appears that LokiLocker’s ransomware-as-a-service (RaaS) offering has been shared with a small number of carefully vetted affiliates – individuals or groups of cybercriminals who are responsible for deploying the ransomware for a percentage taken from the ransom. BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.
Advanced technical capabilities
LokiLocker is written in the .NET programming language, but its code is obfuscated by a modified version of ConfuserEX combined with KoiVM, two open-source code-protection tools for .NET applications. The goal of both tools is to make reverse engineering more difficult in order to protect the proprietary source code of commercial applications, but malware writers sometimes use them to evade detection by security products and researchers. “LokiLocker’s use of KoiVM as a virtualization protector for .NET applications is highly unusual in complicating analysis,” the researchers said. “We have yet to see many other threat actors using this method which perhaps ushers in a new modality of attack.”
When first run on a computer, LokiLocker copies itself to %ProgramData%/winlogon.exe. It then sets up persistence using a scheduled task and startup registry entries. The malware has a configuration file that affiliates can customize to instruct the malware to:
– Display a fake Windows update screen;
– Kill specific processes and stop specific system services;
– Disable Windows Task Manager;
– Delete System Backups and Shadow Volume Copies, a Windows feature that is used to create snapshots of disk volumes;
– Disable Windows Error Recovery and Windows Firewall;
– Delete system restore points;
– Empty the Recycle Bin;
– Disable Windows Defender;
– Change the message displayed on the user login screen.
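The persistence behaviour and the configurable recovery-inhibiting actions listed above are the kind of telemetry a defender can alert on. The following is an added example, not code from the BlackBerry report or from the malware: it runs a small set of behavioural rules over a handful of constructed, Sysmon-style endpoint events and groups the hits by the process that caused them. The page names the behaviours, not the exact commands or registry values LokiLocker uses; the command lines and registry paths in the rules (vssadmin, bcdedit, netsh, the DisableTaskMgr and legalnotice policy values) are the commonly observed ways of achieving each behaviour on Windows and are assumptions here, as is the "UpdateTask" task name in the sample data.

```python
"""Behavioural triage of constructed endpoint events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """A simplified endpoint telemetry record (constructed, Sysmon-like)."""
    kind: str    # "file", "process" or "registry"
    image: str   # process image that performed the action
    detail: str  # target path, command line, or "key\\value = data"


# One rule per behaviour from the configuration list. Each rule applies to a
# single event kind. The exact command lines and registry values are an
# assumption (common Windows techniques), not something the page states.
RULES: Dict[str, Tuple[str, re.Pattern]] = {
    # self-copy outside System32; the legitimate winlogon.exe never lives here
    "persistence_copy":      ("file",     re.compile(r"(?i)\\ProgramData\\winlogon\.exe$")),
    "persistence_schtask":   ("process",  re.compile(r"(?i)schtasks(\.exe)?\s+/create\b.*winlogon\.exe")),
    "persistence_runkey":    ("registry", re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\\.*=.*ProgramData\\winlogon\.exe")),
    "shadow_copy_delete":    ("process",  re.compile(r"(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    "backup_catalog_delete": ("process",  re.compile(r"(?i)wbadmin(\.exe)?\s+delete\s+catalog")),
    "recovery_disable":      ("process",  re.compile(r"(?i)bcdedit(\.exe)?\b.*recoveryenabled\s+no")),
    "firewall_disable":      ("process",  re.compile(r"(?i)netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off")),
    "taskmgr_disable":       ("registry", re.compile(r"(?i)\\Policies\\System\\DisableTaskMgr\s*=\s*1")),
    "defender_disable":      ("registry", re.compile(r"(?i)\\Windows Defender\\DisableAntiSpyware\s*=\s*1")),
    "logon_message_change":  ("registry", re.compile(r"(?i)\\Policies\\System\\legalnotice(text|caption)\s*=")),
}


def match_event(event: Event) -> List[str]:
    """Return the names of all rules the event triggers (kind must match)."""
    return [name for name, (kind, pattern) in RULES.items()
            if event.kind == kind and pattern.search(event.detail)]


def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Group triggered rule names by the image responsible for them."""
    hits: Dict[str, List[str]] = {}
    for event in events:
        for name in match_event(event):
            hits.setdefault(event.image, []).append(name)
    return hits


def verdict(hits: Dict[str, List[str]], threshold: int = 3) -> Dict[str, str]:
    """Flag an image once it shows several distinct behaviours; a single hit
    (for instance one shadow-copy deletion by an admin) only earns a review."""
    return {image: ("ransomware-like" if len(set(names)) >= threshold else "review")
            for image, names in hits.items()}


# Constructed sample telemetry: a dropper writes the ProgramData copy, the
# copy sets up persistence and inhibits recovery; two benign events are mixed in.
SAMPLE_EVENTS: List[Event] = [
    Event("file", r"C:\Users\alice\Downloads\invoice.exe", r"C:\ProgramData\winlogon.exe"),
    Event("process", r"C:\ProgramData\winlogon.exe",
          r'schtasks.exe /create /sc onlogon /tn "UpdateTask" /tr "C:\ProgramData\winlogon.exe"'),
    Event("registry", r"C:\ProgramData\winlogon.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = C:\ProgramData\winlogon.exe"),
    Event("process", r"C:\ProgramData\winlogon.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("process", r"C:\ProgramData\winlogon.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    Event("registry", r"C:\ProgramData\winlogon.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1"),
    # benign noise: the real winlogon.exe, and an administrator querying the firewall
    Event("process", r"C:\Windows\System32\winlogon.exe", "winlogon.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe", "netsh advfirewall show allprofiles"),
]


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for image, label in verdict(hits).items():
        print(f"{label:16} {image}: {sorted(set(hits[image]))}")
```

The rules are keyed by event kind so that a registry-looking string in a command line does not trigger a registry rule, and the verdict counts distinct behaviours per image rather than raw hits, which keeps one-off administrative actions at "review" while a process that both persists and destroys recovery data is flagged. The run-key and scheduled-task rules look specifically for the ProgramData copy of winlogon.exe, the location the page gives.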
A function to encrypt network shares
The malware then collects information about the infected system and sends it to a hard-coded command-and-control server URL, which returns a public RSA key. That key is used to encrypt the per-victim RSA key pair that the ransomware generates; the victim’s public RSA key in turn encrypts the randomly generated AES key used for file encryption. If communication with the server is impossible, the ransomware binary contains five hard-coded public RSA keys that can be used instead. Only the attackers hold the matching RSA private key, which decrypts the victim’s RSA private key, which in turn decrypts the AES key needed to decrypt the files. “At the time of writing this report, there was no free tool to decrypt files encrypted by LokiLocker,” say BlackBerry researchers. “If you have already been infected with LokiLocker ransomware, the recommendation of most official security authorities, such as the FBI, is not to pay the ransom,” the researchers add.
LokiLocker starts by encrypting files in the following directories: Favorites, Recent, Desktop, Personal, MyPhotos, MyVideos, and MyMusic. It then encrypts files on all local drives, subject to the affiliate’s configuration: options allow it to encrypt only the C: drive or to skip that drive. The malware also has a network scanning feature that can be used to discover and encrypt network shares, but the use of this feature is likewise configurable. Finally, LokiLocker contains a wiper module that attempts to delete files from all local drives and then overwrites the Master Boot Record (MBR) of the hard drive, leaving the system unable to boot the operating system. Instead, the user sees a message saying, “You didn’t pay us, so we deleted all your files.” The wipe functionality triggers automatically on a timer, set to 30 days by default but configurable.
In recent years, there have been several incidents involving file-wiping malware, including recently in Ukraine. While some of these malicious programs have masqueraded as ransomware as a diversion, it is uncommon for genuine ransomware to integrate such a feature. The usefulness of this timer-based revenge mechanism is questionable, since the victim will know they have been hit by ransomware, and the first step in responding to a ransomware incident is to neutralize the threat, after which the victim decides whether or not to negotiate for file decryption.
The identity of LokiLocker’s authors is unclear, but BlackBerry researchers noted that the debug strings found in the malware are written in English without the major spelling mistakes that are fairly common among Russian- or Chinese-speaking malware developers. On the other hand, there are some potential links with Iran, though it is possible they were added to mislead researchers. The malware contains the string “Iran” in a routine apparently intended to define countries that should be excluded from file encryption, a common approach among some ransomware authors. However, this functionality does not appear to be implemented yet.
Some early samples of LokiLocker were distributed as trojanized versions of credential brute-forcing tools such as PayPal BruteChecker, Spotify BruteChecker, PiaVPN Brute Checker, and FPSN Checker. Some of these tools – not their trojanized versions – were created by a team of Iranian hackers called AccountCrack. Additionally, at least three LokiLocker affiliates have usernames that can also be found on Iranian hacking forums. “It’s unclear whether this means they’re really from Iran or whether the real threat actors are trying to blame the Iranian attackers,” the BlackBerry researchers said. “With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag, and one can never be sure of the level of deception these actors have.”