BlackBerry researchers have identified ransomware that targets English-speaking users and is capable of erasing non-system files from infected Windows PCs.
Allegedly developed by Iranian hackers, the LokiLocker ransomware was first discovered in mid-August 2021. According to the researchers, it should not be confused with the older Locky ransomware or the LokiBot infostealer. The malware shares some features with the LockBit ransomware (registry values, the name of the ransom-note file), but it does not appear to be a direct successor of it.
LokiLocker is distributed under the ransomware-as-a-service (RaaS) model to a very small circle of carefully selected affiliates. The malware attacks users all over the world, but most of the victims are in Eastern Europe and Asia.
Researchers are still trying to determine the origin of LokiLocker. Its built-in debug strings are written in English with almost none of the errors typical of programs written by Russian or Chinese hackers. Some of the earliest LokiLocker affiliates have usernames registered exclusively on Iranian hacker channels. In addition, the malware contains a list of countries whose users must not be attacked, and one of them is Iran.
The malware is written in .NET and is protected with the commercial NetGuard obfuscator.
Early versions of LokiLocker were distributed through trojanized brute-force credential-checking tools, including PayPal BruteCheck, Spotify BruteChecker, PiaVPN Brute Checker from ACTEAM and FPSN Checker from Angeal. The malware was probably spread through these tools while it was still at the beta-testing stage.
Like other ransomware, LokiLocker encrypts files on the compromised systems and gives the victim a deadline to pay the ransom. If the ransom is not paid before that deadline expires, the malware can erase all data from the hard drives except for system files. In addition, it attempts to overwrite the master boot record so that the system can no longer boot.