Since August, a new ransomware family named LokiLocker has been gaining traction in the cybercriminal community. It uses a rarely seen code obfuscation technique to evade detection, and once running it encrypts the victim's files and, in some configurations, wipes them outright, giving the attackers the leverage to threaten and extort their victims.
Ransomware, itself one category of malware, has been on the rise since the COVID-19 pandemic. The NHS, the police, and many other large organisations have been hit by ransomware over the last several years, and LokiLocker is the latest in a line of variants threatening to do the same to many more businesses.
It is important to consider ransomware carefully when building and honing your cyber security strategy and technologies. To help, we have put together a concise report on LokiLocker's technical capabilities and behaviours, as well as some history on its origin. Whilst LokiLocker is still a relatively small operation compared to some of the historically effective ransomware families, it is vital that you prepare your defences appropriately.
Technical Capabilities
Written in .NET, LokiLocker has an effective way of hindering detection by security products and analysis by researchers. It is packed with open-source .NET code protectors that obfuscate and virtualise the compiled assembly (the intermediate language, not the source code), so the logic never sits in the binary in a readable form. As a result, many off-the-shelf products that rely on static signatures have difficulty detecting it; behavioural indicators, such as the file, task and registry artefacts described below, are a more reliable way to spot it within a network.
Usually sent via a phishing email, which remains the most popular form of ransomware dissemination, LokiLocker disguises itself as a harmless file attachment. Once executed, it copies itself to %ProgramData%\winlogon.exe. The legitimate winlogon.exe lives in %SystemRoot%\System32, so a file of that name under ProgramData is a strong indicator on its own. It then sets up persistence by creating a scheduled task and associated start-up registry entries, so that it survives a reboot.
LokiLocker can take many different configurations when executed, depending on the attacker's intent. It can display a fake Windows Update screen to keep the user from intervening while it runs hidden instructions in the background, such as deleting system backups (Volume Shadow Copies), removing system restore points, and more. Deleting the shadow copies before encryption is what removes the victim's easiest recovery route, so those commands are worth alerting on in their own right.
Following this initial set-up, it collects information about the infected system and sends it to the attacker, then begins encrypting files. Each victim's encryption is locked to an RSA key pair whose private half only the attacker holds; that private key is required for decryption and is what the attacker offers, in principle, once the ransom is paid. Without it, recovery depends on backups that were stored beyond the reach of the shadow-copy deletion step.
LokiLocker follows a specific encryption path, beginning with key user directories such as Favorites, Recent, Desktop, Personal and My Documents. It then encrypts files on every local drive in the system and finally any reachable network shares. Not all of this will happen in every LokiLocker infection: the ransomware is configured per target, so the sample you encounter may skip or reorder stages.
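The persistence and backup-deletion behaviours described in the two paragraphs above all leave traces in process-creation telemetry, which is the practical place to start hunting for them. The following is an added example written for this article, not code from the original page or from any vendor's research. It flags four things: a winlogon.exe running from anywhere other than System32, shadow-copy deletion via vssadmin or wmic, Windows recovery being disabled via bcdedit, and a scheduled task or Run-key entry pointing at ProgramData\winlogon.exe. The "image|command line" event format, the sample lines, and the task and registry value names in them are constructed for illustration; adapt the parser to your own EDR or Sysmon export.

```python
"""Hunt for LokiLocker-style host indicators in process-creation events.

Added example, not the article's or any vendor's code. The event format
and SAMPLE_EVENTS below are constructed; adapt parse_event() to real data.
"""
import re
from typing import List, Tuple

# Constructed sample events shaped like Sysmon Event ID 1 (process create),
# flattened to "image path|command line". The first four are benign; the rest
# mimic the behaviours described in the article. Task and value names are
# made up for illustration.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\winlogon.exe|winlogon.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|OUTLOOK.EXE",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"C:\Windows\System32\schtasks.exe|schtasks /create /tn Backup /tr C:\Tools\backup.exe",
    r"C:\ProgramData\winlogon.exe|C:\ProgramData\winlogon.exe",
    r"C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\ProgramData\winlogon.exe /sc onlogon",
    r"C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v winlogon /d C:\ProgramData\winlogon.exe",
]

# The only legitimate location of winlogon.exe on a standard Windows install.
LEGIT_WINLOGON = r"c:\windows\system32\winlogon.exe"

# Command-line rules: (rule name, compiled pattern). All case-insensitive.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    # A scheduled task or Run-key entry whose target is ProgramData\winlogon.exe.
    ("persistence_to_programdata_winlogon",
     re.compile(r"(schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+\S*\\run\b).*\\programdata\\winlogon\.exe", re.I)),
]


def parse_event(line: str) -> Tuple[str, str]:
    """Split a constructed 'image|command line' record into its two fields."""
    image, _, cmdline = line.partition("|")
    return image.strip(), cmdline.strip()


def evaluate(image: str, cmdline: str) -> List[str]:
    """Return the names of every rule this single event triggers."""
    hits = []
    # Masquerading: a winlogon.exe that is not the System32 binary.
    low = image.lower()
    if low.endswith("\\winlogon.exe") and low != LEGIT_WINLOGON:
        hits.append("winlogon_outside_system32")
    for name, pattern in RULES:
        if pattern.search(cmdline):
            hits.append(name)
    return hits


def hunt(lines) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, raw event) pairs."""
    findings = []
    for line in lines:
        image, cmdline = parse_event(line)
        for rule in evaluate(image, cmdline):
            findings.append((rule, line))
    return findings


if __name__ == "__main__":
    for rule, event in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} {event}")
```

The masquerading check keys on the image path rather than the command line because the process name alone is designed to look normal; the other rules key on the command line because the binaries involved (vssadmin, wmic, bcdedit, schtasks, reg) are legitimate and only their arguments are suspicious. A benign "vssadmin list shadows" is deliberately included so the example shows the rule does not fire on routine administration.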

LokiLocker Origins
The origins of LokiLocker remain unclear. Its creators have obscured them by design, to reduce the likelihood of being prosecuted for creating and distributing the malware.
BlackBerry researchers believe it was written by native English speakers, based on the syntax and grammar present, and also reported that further functionality appears to be present in the code but has not yet been implemented, hinting that a more capable variant of LokiLocker may appear in the future.
Are you concerned about your organisation's ability to combat ransomware threats? Get in touch with us today. At Wizard Cyber, we specialise in protecting businesses against all forms of cyber threats, including training staff to recognise phishing emails and other common ransomware delivery methods.