[Heads Up] New Evil Ransomware Feature: Disk Wiper if You Don't Pay



LokiLocker Disk Wiper RansomwareThere is a new ransomware-as-a-service (RaaS) strain called LokiLocker, researchers at Blackberry warn. The malware uses rare code obfuscation and includes a file wiper component that attackers can deploy if their victims don't pay. "It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. 

"LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021," researchers from BlackBerry's Research & Intelligence Team said in a new reportThe BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.

LokiLocker’s technical capabilities

When first executed on a computer, LokiLocker copies itself as %ProgramData%/winlogon.exe and then sets up persistence by using a scheduled task and a start-up registry entries. The malware has a config file that affiliates can customise and which can be used to instruct the malware to:

  • Display a fake Windows Update screen
  • Kill specific processes and stop specific system services
  • Disable the Windows Task Manager
  • Delete system back-ups and Shadow Volume copies
  • Disable the Windows Error Recovery and Windows Firewall
  • Remove system restore points
  • Empty the Recycle Bin
    Disable Windows Defender
  • Change the message displayed on the user's login screen

"At the time of writing this, there is no free tool to decrypt files encrypted by LokiLocker," the BlackBerry researchers said. "If you are already infected with LokiLocker ransomware, the recommendation by most official security authorities such as the FBI is to not pay the ransom."

There are options to only encrypt the C drive, or to skip the C drive. The malware also has network scanning functionality, which can be used to detect and encrypt network shares, but using this functionality is also configurable.

Finally, LokiLocker contains a wiper module that will attempt to delete files from all local drives and then overwrite the hard drive's Master Boot Record (MBR), which will leave the system unable to boot into the operating system. 

Instead, the user will see a message reading: "You did not pay us, so we deleted all your files." The wiper functionality will automatically trigger based on a timer that's set to 30 days but is configurable.

It's not clear who are the authors of LokiLocker, but the BlackBerry researchers noted that the debugging strings found in the malware are written in English without any major spelling mistakes that are sometimes common with Russian or Chinese malware developers. Instead, there are some potential links to Iran, but these could be planted to throw off malware researchers.


RanSim

Free downloadable software tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

RanSim gives you a quick look at the effectiveness of your existing network protection. RanSim will test 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/ransim

Topics: Ransomware



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews