A relatively new type of ransomware that tries to delete files and render the system unusable, is called LokiLocker. It uses the standard extortion-through-encryption racket but also incorporates disk-wiper functionality.
Last year double extortion by ransomware gangs boomed. In other words, they threatened victims twice by stealing files before encrypting them. That way they can threaten to leak sensitive data if they don’t pay.
But LokiLock that was first seen in August 2021, now features an “optional wiper functionality” to put pressure on victims in a slightly different way, BlackBerry Threat Intelligence warns.
In other words, to apply extra pressure to the victim to pay, the ransomware gang threaten to overwrite a victim’s Windows Master Boot Record (MBR) rather than threaten to leak the victims’ files. And that means that the machine is unusable it wipes all the files. But of course, then the ransomware gang pull the pin on all payment negotiations.
As a result, fears regarding this disk wiper functionality have heightened since attacks against the Ukraine organisations by way of destructive malware attacks. As a result, the US government feel the same thing could potentially happen to them and the Western nations “payback” for their sanctions against Russia.
In addition, fears are increased due to state-sponsors hackers preferring disk wiper malware historically. For instance, all these groups NotPetya, WhisperGate and HermeticWiper, were directly or loosely connected to Russian state-sponsored actors. In other words, ransomware becomes a decoy for the group’s true intentions.
BlackBerry notes, “with a single stroke, everyone loses”
Iranian hacking groups that are employing both encryption and destructive malware and presumed state-backed or affiliated are currently being tracked by Microsoft.
Blackberry says that LokiLocker was developed & designed by Iranian hacker for English-speaking victims. In other words, more likely Iranian rather than Russia. And they have evidence that point to this:
- there are very few English spelling errors in the malware’s debugging strings
- LokiLocker affiliates are chatting on Iranian hacking forums
- Iran is the only location currently blacklisted for activating encryption
- Some credential-cracking tools distributed in early samples of LokiLocker “seem to be developed by an Iranian cracking team called AccountCrack”
However, they are still not able to determine where the RaaS LokiLocker started. Certainly, the majority of malware originating in Russia and China is full of English language mistakes and misspellings but this one has proper English. So again, unlikely to come from Russia. But it could mean that the real threat actors want to make it look like Iranian attackers. Still not clear who’s to blame.
However it is common for Russia-based ransomware gangs to configure a machine’s language settings by blacklisting specific language codes within and not activate malware on machines within Commonwealth of Independent States nations.
LokiLocker appears to be in beta notes Blackberry. The Iran blacklist functionality hasn’t been implemented.
Above all, if a ransom isn’t paid within the specified timeframe the disk-wiper functionality will attempt to destroy a system, warns BlackBerry.
Firstly, it deletes all the victim’s files, except for system files,
Secondly, it tries to overwrite the MBR
Lastly, after forcing a Blue Screen of Death error message, it reboots the wiped machine and displays the message:
Prior to the payment deadline, the malware changes the victim’s login screen and desktop wallpaper to the ransom message, and drops a web file that displays the ransom note on the victim’s desktop detailing the time left “to lose all of your files”
According to BlackBerry LokiLocker is written in .NET and protected with NETGuard (modified ConfuserEX), using an additional virtualization plugin called KoiVM.
It’s an unusual method of complicating analysis is “LokiLocker’s use of KoiVM as a virtualizing protector for .NET applications. The company notes, we haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend.”
Let’s hope not.
