LokiLocker RaaS Targets Home windows Methods


Replace 05.27.22: An unknown APT group is concentrating on Russian authorities entities with no less than 4 separate spear-phishing campaigns because the starting of the battle in Ukraine. Supply: Safety Affairs.

 

Overview

BlackBerry Menace Intelligence has recognized a brand new Ransomware-as-a-Service (Raas) household, and tracked its lineage to its possible beta stage launch. Like so many different strains of ransomware, LokiLocker encrypts your recordsdata and can render your machine unusable in case you do not pay up in time. Nonetheless, like its namesake god Loki, this menace appears to have a number of delicate methods up its sleeve – not least being a possible “false flag” tactic that factors the finger at Iranian menace actors.

In Norse mythology, Loki was the consummate trickster who had the flexibility to shapeshift at will. One of many many hot-headed hearth gods, Loki was an enemy to the opposite gods themselves, usually getting into their banquets uninvited and demanding their foods and drinks. LokiLocker is equally insistent on buying that to which it has no authentic declare.

LokiLocker is a comparatively new ransomware household concentrating on English-speaking victims and Home windows® PCs; the menace was first seen within the wild in mid-August 2021. It shouldn’t be confused with an older ransomware household known as Locky, which was infamous in 2016, or LokiBot, which is an infostealer. It shares some similarities with the LockBit ransomware (registry values, ransom be aware filename), but it surely would not appear to be its direct descendant.

Just like the god it’s named after, LokiLocker enters the sufferer’s life uninvited and begins searching for property to purloin. The menace then encrypts their recordsdata, and calls for they pay a financial ransom to revive entry. The malware is written in .NET and guarded with NETGuard (modified ConfuserEX) utilizing a further virtualization plugin known as KoiVM. KoiVM was once a licensed business protector for .NET purposes, however round 2018, its code was open-sourced (or probably leaked), and it’s now publicly out there on GitHub. Though Koi appears to be in style with hacking instruments and cracks, we haven’t seen a number of different malware utilizing it up to now.

Loki the Destroyer

LokiLocker encrypts sufferer’s recordsdata on native drives and community shares with a regular mixture of AES for file encryption and RSA for key safety. It then asks the sufferer to e-mail the attackers to acquire directions on easy methods to pay the ransom.

LokiLocker additionally boasts an non-obligatory wiper performance – if the sufferer doesn’t pay up within the timeframe specified by the attacker, all non-system recordsdata shall be deleted and the MBR overwritten, wiping all of the sufferer’s recordsdata and rendering the system unusable. With a single stroke, everybody loses.

LokiLocker works as a limited-access Ransomware-as-a-Service scheme that seems to be bought to a comparatively small variety of rigorously vetted associates behind closed doorways. Every affiliate is recognized by a selected username and is assigned a singular chat-ID quantity. There are at present about 30 completely different “VIP” associates throughout the LokiLocker samples that BlackBerry researchers have discovered within the wild.

One of many earliest samples of this ransomware was initially distributed inside Trojanized brute-checker hacking instruments comparable to:

  • PayPal BruteChecker
  • Spotify BruteChecker
  • PiaVPN Brute Checker By ACTEAM
  • FPSN Checker by Angeal (Cracked by MR_Liosion)

Brute-checkers are instruments used to automate validation of stolen accounts, and achieve entry to different accounts, through a way known as credential stuffing. It’s potential that the LokiLocker model distributed with these hacking instruments constituted some form of beta testing section earlier than the malware was provided to a wider vary of associates.

The victims we’ve noticed appear to be scattered all over the world (which isn’t surprising, on condition that completely different associates might need completely different concentrating on patterns), with the principle focus in Jap Europe and Asia.

Though we’ve been unable to reliably assess precisely the place the LokiLocker RaaS originates, it’s value mentioning that each one the embedded debugging strings are in English, and – in contrast to nearly all of malware originating from Russia and China – the language is essentially freed from errors and misspellings.

Additionally, maybe extra curiously, a few of the cracking instruments used to distribute the very first samples of LokiLocker appear to be developed by an Iranian cracking workforce known as AccountCrack. Furthermore, no less than three of the recognized LokiLocker associates use distinctive usernames that may be discovered on Iranian hacking channels. It’s not completely clear whether or not this implies they honestly originate from Iran or that the true menace actors try to forged the blame on Iranian attackers.

Diving into LokiLocker

To examine the C# code, we should first open the binary in DNSpy to decompile it. We are able to see the unique filename of “svchost.exe,” and a reference to NETGuard/KoiVM v0.2.0-custom, as seen in Determine 1.

Determine 1 – KoiVM obfuscator model

Once we examine the namespace, we’re instantly confronted with two labelled courses, “Koi” and “NETGuard,” in addition to quite a few courses with obfuscated operate names. These operate names are all prefixed with multiples of the letter “Z,” as seen in Determine 2. This holds true for the opposite namespaces as effectively.

Determine 2 – Koi, NETGuard and obfuscated class names

KoiVM, because the identify suggests, is a digital machine (VM) designed to work on ConfuserEx, a C# obfuscator. The virtualization works as a more difficult type of obfuscation. As described within the documentation for KoiVM, that is carried out by “turning the .NET opcodes into new ones that solely are understood by our machine.”

Usually, vanilla implementations of KoiVM could be devirtualized utilizing a device named OldRod, which was developed particularly to defeat KoiVM virtualization and make the decompiled code extra comprehensible to the human eye. Nonetheless, it’s trivial to switch KoiVM in order that OldRod can not discover particular signatures or required knowledge. And until you modify the device itself to deal with these modifications, it may end up in an unsuccessful try at devirtualization.

With the pattern analyzed by BlackBerry researchers, OldRod fails, as there isn’t any #Koi stream listed inside the COR20 MetaData Tables Header, which brings us again to sq. one.

It’s necessary to notice the presence of a number of namespaces of curiosity, significantly these starting with “Loki,” comparable to these pictured in Determine 3. If we examine the code contained inside the courses, we will see that there’s an issue (for now!): They’re both empty, or DNSpy threw an error when decompiling them.

Determine 3 – Loki features – Empty or unable to be decompiled

Loki.Pinvoke comprises the category ZZZZX (as seen in Determine 4), which itself comprises wrappers to numerous Home windows APIs. Calling one among these wrappers will import the DLL and the required operate. This has the additional advantage of eradicating any direct calls to the Home windows API. For instance, any name to the Kernel32.dll’s FindNextFile want solely name the C# operate ZZZZZf.

Determine 4 – WinAPI wrappers

Additionally of be aware is the “affiliate config,” which comprises a number of configuration choices that we’ll discover in larger element additional on.

Determine 5 – Loki config

Now that we’ve checked out some key options of the binary, it’s time to get our fingers soiled and dig deeper into this ransomware.

Unpacking

Whereas OldRod couldn’t devirtualize the binary for us, all will not be but misplaced. With a little bit of old school elbow grease and debugging magic, we will nonetheless work our manner via the binary the old school manner. We discovered that DNSpy fails to place a breakpoint on the entry level or course of creation, and that by navigating to the primary namespaces constructor (.cctor) we may breakpoint the preliminary name to the Koi() operate and step in, main us to Determine 6 under.

Determine 6 – KoiVM virtualized features

There are 324 calls to features inside the Koi() class. Nonetheless, many are repeated and are presumably organising the VM setting. Of the calls we’re fascinated with, solely three are necessary – the primary, penultimate, and final.

First Unpacking Perform

The primary operate fetches the module base deal with and proceeds to decode a piece of itself in-memory, via a sequence of convoluted XORs and variable assignments. As soon as that is carried out, VirtualProtect known as with PAGE_EXECUTE_READWRITE permissions.

A remaining loop then decodes extra knowledge into the identical location that had its permissions modified. The general function of this primary operate seems to be to decode some further decoding features for later use.

Second (Final) Unpacking Perform

Initially, a big byte array is outlined inside a world variable, as seen in Determine 7, the place every byte is XOR’d towards its place within the byte array. As soon as this operation has accomplished, the ensuing knowledge is decompressed utilizing GZIP.

Determine 7 – ByteArray definition, XOR decoding, GZip decompression

This knowledge is then used to populate the features that have been beforehand empty or unable to be decompiled, which we noticed initially inside the “Loki.*” courses proven in Determine 3.

This Isn’t Even My Closing Kind Perform!

Whereas the necessary features have now been decoded and resolved, there’s one remaining step to be taken earlier than execution is handed into Loki’s core. This operate destroys the executable, to evade scanning options via a number of distinct means.

Much like the primary operate, the deal with to the module in-memory is retrieved. From there, a number of operations happen, such because the overwriting of two strings into the Import Descriptor Desk for CoreExeMain and Mscoree.dll, with NtContinue and Ntdll.dll respectively. As soon as this has been accomplished, the file modifications the permissions of the PE Part Desk Header and the COR20 MetaData Desk Headers. It does this so it could possibly overwrite these headers with null bytes. Determine 8 under exhibits a snippet of this operate for reference.

Determine 8 – IDT manipulation & overwriting of headers

As soon as this operate completes, the binary then jumps to the start of the principle operate of the LokiLocker core, as proven in Determine 9, under.

Now that we’ve completed unpacking the pattern, let’s take a look at the core performance of LokiLocker.

Performance

Debug Logging

LokiLocker could be executed with a –log parameter, which is able to save an in depth, verbose log of the an infection in “<malware_execution_path>logs.txt.”

Determine 9 – Relabelled “predominant” operate with “–log” execution parameter

Whereas the core pattern continues to be obfuscated to a sure extent, the presence of those extremely descriptive debugging strings makes this laborious evaluation somewhat bit simpler.

Persistence

Upon execution, the malware copies itself to “%ProgramData%/winlogon.exe,” units its attributes to hidden and system, and creates a mutex known as “LokiLocker.”

It achieves persistence in a number of methods:

  • By making a scheduled process to execute the malware binary on every logon:


schtasks /CREATE /SC ONLOGON /TN Loki /TR %ProgramDatapercentwinlogon.exe /RU SYSTEM /RL HIGHEST /F

  • By including the next worth to the SoftwareMicrosoftCurrentVersionRun underneath each HKCU and HKLM keys:


“Michael Gillespie” = %ProgramDatapercentwinlogon.exe

  • By copying the malware executable to the Widespread Startup folder

Michael Gillespie, cited within the instance above, is the identify of a well known anti-ransomware researcher, who may be very energetic on Twitter and the Bleeping Computer systems discussion board. It’s not the primary time malware writers have given a “shout-out” to safety researchers like this, but it surely’s a uncommon occasion. One other related instance was Maze ransomware, which used the identify of one other well-known anti-ransomware researcher as its “killswitch” file identify.

Preparation

Earlier than the encryption course of begins, the malware performs the next actions:

  • Reads its configuration; default config choices are hard-coded within the binary’s Config class, however they are often supressed by values learn from the config file
  • If config file known as loki.txt file exists, it copies it to %ProgramDatapercentconfig.Loki and reads the config values from there
  • Shows a faux Home windows Replace display, if configured to take action
  • Kills specified processes
  • Stops specified providers
  • Disables Home windows Activity Supervisor, if configured to take action, and drops wvtymcow.bat file with the next contents to the Startup folder:


REG add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /fac

  • Deletes system backup and shadow copies
  • Disables Home windows Error Restoration
  • Disables built-in firewall
  • Removes system restore factors
  • Empties Recycle.bin
  • Disables Home windows Defender
  • Adjustments Consumer Login Word (as seen in Figures 10 and 11)

Determine 10 – Code to vary consumer login

 

Determine 11 – LokiLocker’s consumer login be aware

  • Adjustments authentic gear producer (OEM) information within the registry SOFTWAREMicrosoftWindowsCurrentVersionOEMInformation (as seen in Determine 12)

Determine 12 – Code that modifications OEM info

Community Communication

The malware sends a beacon containing the next info in a POST request to the index.php script hosted on the command-and-control (C2) server, as seen in Determine 13. The C2’s URL is hard-coded within the binary’s config and is about to loki-locker[.]one. The “consumer” and “chat-id” fields are hard-coded, whereas the opposite info is generated primarily based on the sufferer’s system properties:

  • unique-id=<volume_serial_number>
  • disk-size=<size_of_main_drive>
  • consumer=<hardcoded_affiliate_username>
  • cpu-name=<cpu>
  • ram-size=<physical_memory>
  • os-name=<name_of_operating_system>
  • chat-id=<hardcoded_number>

Determine 13 – A part of community communication code (POST to index.php)

The URL resolves to 91[.]223[.]82[.]6. The user-agent utilized in all communication is Loki/1.0.

As a response from C2, the malware expects an obfuscated public key within the type of a JSON object. The response buffer can have most measurement of 0x100000 (1048576 bytes).



{

    “public” : ”[ base64(xor(attackers_public_key, 0x0652)) ]”,

    “message_id” : [int]

}

The malware additionally communicates with the “tg.php” script on the identical server, as seen in Determine 15, which seems to be the API endpoint for standing updates from the bot. It’s primarily used to tell the C2 in regards to the development of the encryption course of. The next parameters could be handed to the script:

  • unique_id
  • motion
  • msg-id
  • chat-id
  • standing
  • elapsed-time

The ensuing request seems to be like this:

Determine 14 – LokiLocker’s POST request

 

Determine 15 – A part of community communication code (POST to tg.php)

Encryption

The malware creates an RSA-2048 key pair for the sufferer, encrypts it with the attacker’s public RSA key, after which saves it to the registry.

The malware creates the important thing HKCUSoftwareLoki and the next values:

  • Public – comprises the sufferer’s public RSA key within the XML format, which is then obfuscated with XOR 0x11.


<RSAKeyValue><Modulus>modulus</Modulus><Exponent>exponent</Exponent></RSAKeyValue>

  • Full – comprises the sufferer’s full key pair, encrypted with attacker’s public key. A base64-encoded copy can be saved to the file “cpriv.Loki” in every drive’s root listing and within the consumer’s particular directories.


<RSAKeyValue><Modulus>modulus</Modulus><Exponent>public_exponent</Exponent><P>prime_1</P><Q>prime_2</Q><DP>exponent_1</DP><DQ>exponent_2</DQ><InverseQ>coefficient</InverseQ><D>private_exponent</D></RSAKeyValue>

  • Timer – a date-time worth, which is the ransom expiration date within the format of yyyyy,MM,dd,HH,mm,ss, encoded with XOR 0x54. That is the precise time after which the malware will wipe the drives by deleting all non-system recordsdata and overwriting the MBR. The default date is 30 days after the preliminary malware execution date, however this may be modified through config file.

Comparable registry entries are utilized by variations of LockBit ransomware.

There are 5 completely different RSA public keys saved within the malware binary, although the attackers may provide one other public key through the C2. Because the C2 server is identical for all associates, this implies that the RaaS homeowners left themselves the choice to ship in their very own public key to safe the sufferer’s non-public key, that means they might have the ability to decrypt recordsdata from all their associates’ victims.

If configured to take action, the malware will scan the community for any out there community shares. It should then start the encryption course of, beginning with the next particular folders within the native consumer’s listing:

  • Favorites
  • Latest
  • Desktop
  • Private
  • MyPictures
  • MyVideos
  • MyMusic

LokiLocker then proceeds to create a separate thread for encrypting every of the native drives and/or community shares, relying on its configuration.

Every file is encrypted with AES-256 in GCM mode, utilizing a randomly generated key; the hot button is then encrypted utilizing the sufferer’s public RSA key.

The encryption thread additionally performs the next actions:

  • Adjustments labels of all encrypted volumes to “Locked by Loki”
  • Drops ransom notes to every encrypted folder
  • Drops an HTA file known as “information.Loki”
  • Drops and executes a launcher for the HTA file utilizing a random identify within the %ProgramData% listing
  • Adjustments the desktop wallpaper as proven in Determine 16
  • Creates a thread that can immediately kill cmd.exe, taskmgr.exe and regedit.exe processes, if launched
  • If configured to take action, shuts down the system after encryption

Determine 16 – LokiLocker desktop wallpaper

Wiper Performance

If configured to take action, the malware will try and wipe the system if the ransom isn’t paid inside the specified time-frame. As proven in Determine 18, it can delete recordsdata on all the sufferer’s drives, apart from the system recordsdata, and it’ll additionally attempt to overwrite the Grasp Boot Document (MBR) of the system drive to render the system unusable. It should then show the next message from the attackers after a reboot:

Determine 17 – LokiLocker’s message proven after rebooting the wiped system

After overwriting the MBR, LokiLocker will attempt to crash the system by forcing a Blue Display of Dying (BSOD).

Determine 18 – LokiLocker’s wiper code

Config

LokiLocker options a number of configurable sections. Many of the configurable info is hard-coded into the shopper binary through the constructing course of, whereas some settings could be modified on runtime utilizing a easy textual content file.

In addition to the affiliate-related info and execution choices, different fields that is perhaps configurable through the constructing course of are a listing of instructions to be executed via cmd.exe, and a listing of processes and providers the malware will try and kill. Throughout the samples we’ve seen, these fields have been constant up to now.

Affiliate Config

The primary “affiliate” config part comprises info such because the identify of affiliate, e-mail addresses, C2 URL, readme file identify and content material, and the extension to be added to the encrypted recordsdata. It additionally has a chat ID quantity – presumably used to establish the sufferer after they attain out to the attackers – and a timeout worth (in days) after which the malware will try and wipe the system.

The affiliate config is saved within the Loki.Config class and presumably embedded by the ransomware builder through the technology of a shopper binary.











Config Key

Config Worth

Electronic mail 1

“d4rkw4ve[at]tutanota[.]com”

Electronic mail 2

“dark4wave[at]yandex[.]com”

Marketing campaign or Affiliate identify

“darkwave”

Chat ID

<redacted>

Extension

“. Loki”

Readme file identify

“Restore-My-Recordsdata.txt”

Ransom be aware

See Determine 21

Wiper timeout

30

C2 URL

“loki-locker.one”


Execution Choices

The Config class additionally shops the default values for extra execution choices. These choices could be modified via a easy textual content file that must be positioned in the identical folder because the ransomware binary.















Config Choice

Description

Default setting

replace

Show faux Home windows replace display

false

nostartup

Don’t copy ransomware executable to startup

true

nons

Don’t scan for / encrypt community shares

false

nocdrive

Don’t encrypt the C Drive

true

justns

Scan for / encrypt solely community shares 

false

nofuck

Don’t wipe the system and the MBR

true

disabletask

Disable the Activity Supervisor

false

clast

Encrypt the C Drive Final

false

full

Full encryption

false

norun

Exit the method

false

shutdown

Shutdown the system after displaying ransom be aware

false

 

Customized config file identify

“loki.txt”

 

Vacation spot of config file

“config.Loki”


Executed Instructions


netsh firewall set opmode mode=disable

netsh advfirewall set currentprofile state off

bcdedit /set {default} bootstatuspolicy ignoreallfailures

bcdedit /set {default} recoveryenabled no

wbadmin DELETE SYSTEMSTATEBACKUP

wbadmin delete catalog -quiet

vssadmin delete shadows /all /quiet

wmic shadowcopy delete

schtasks /CREATE /SC ONLOGON /TN Loki /TR %APPDATApercentwinlogon.exe /RU SYSTEM /RL HIGHEST /F


Processes and Providers to Kill



Processes and Providers to Kill

wxserver

wxserverview

sqlservr

ragui

supervise

tradition

rtvscan

defwatch

winword

qbw32

qbdbmgr

qbupdate

qbcfmonitorservice

axlbridge

qbidpservice

httpd

fdlauncher

msdtsrvr

tomcat6

zhudongfangyu

vmware-usbarbitator64

vmware-converter

dbsrv12

msftesql

sqlagent

sqlbrowser

sqlwriter

oracle

ocssd

dbsnmp

synctime

agntsvc

mydesktopqos

isqlplussvc

xfssvccon

mydesktopservice

ocautoupds

agntsvc

agntsvc

agntsvc

encsvc

firefoxconfig

tbirdconfig

ocomm

mysqld

mysqld-nt

mysqld-opt

dbeng50

sqbcoreservice

excel

infopath

msaccess

mspub

onenote

outlook

powerpnt

steam

thebat

thebat64

thunderbird

visio

winword

wordpad

defwatch

ccevtmgr

ccsetmgr

savroam

sqlserv

sqlagent

sqladhlp

culserver

rtvscan

sqlbrowser

sqladhlp

qbidpservice

quickboooks.fcs

qbcfmonitorservice

sqlwriter

msmdsrv

tomcat6

zhundongfangyu

vmware-usbarbitator64

vmware-converter

dbsrv12

dbeng8

wrapper

mssqlserver

mssql

contoso1

msdtc

sqlserveragent

vds

 


Record of International locations (to Skip?)

The malware defines an array of strings, which presumably comprises a listing of nations to exclude from encryption. In all of the samples we’ve seen up to now, this record comprises just one entry – “Iran” – as seen in Determine 19. Plainly this performance will not be but applied, as there are not any references to this array within the code. Nonetheless, just like the references to Iranian attackers and hacking instruments, it may simply as effectively be a false flag meant to misdirect our consideration.

Determine 19 – “Iran” string

Dropped Recordsdata

HTA file

In addition to the plain textual content readme file, the malware additionally drops an HTA file just like the one pictured in Determine 20, which shows an HTML formatted ransom be aware on sufferer’s desktop.

Determine 20 – Message displayed by the HTA file


All of your recordsdata have been encrypted by Loki locker!

All of your recordsdata have been encrypted on account of a safety drawback along with your PC.

If you wish to restore them, please ship an e-mail {EMAIL_1}

You need to pay for decryption in Bitcoin. The value relies on how briskly you contact us.

After fee we’ll ship you the decryption device.

You need to 48 hours(2 Days) To contact or paying us After that, you must Pay Double.

In case of no reply in 24 hours (1 Day) write to this e-mail {EMAIL_2}

Your distinctive ID is : {UNIQUE_ID}

You solely have LIMITED time to get again your recordsdata!

If timer runs out and also you dont pay us , all of recordsdata shall be DELETED and also you laborious disk shall be severely DAMAGED.

You’ll lose a few of your knowledge on day 2 within the timer.

You should buy extra time for pay. Simply e-mail us.

THIS IS NOT A JOKE! you may look ahead to the timer to expire ,and watch deletion of your recordsdata 🙂

 

What’s our decryption assure?

Earlier than paying you may ship us as much as 3 take a look at recordsdata totally free decryption. The entire measurement of recordsdata have to be lower than 2Mb (non archived), and recordsdata shouldn’t comprise useful info. (databases,backups, giant excel sheets, and many others.)

 

Consideration!

DO NOT pay any cash earlier than decrypting the take a look at recordsdata.

DO NOT belief any middleman. they wont enable you and chances are you’ll be sufferer of rip-off. simply e-mail us , we enable you in any steps.

DO NOT reply to different emails. ONLY this two emails will help you.

Don’t rename encrypted recordsdata.

Don’t attempt to decrypt your knowledge utilizing third occasion software program, it could trigger everlasting knowledge loss.

Decryption of your recordsdata with the assistance of third events could trigger elevated value (they add their price to our) or you may grow to be a sufferer of a rip-off.

Determine 21: Ransom textual content



The HTA code additionally shows a faux Home windows Replace field as proven in Determine 22, then executes a brand new ransomware course of from “C:ProgramDatawinlogon.exe,” and tries to entry https[:]//picc[.]io/X8GRzsw.gif. The URL resolves to three[.]64[.]163[.]50, however the content material was now not out there on the time of writing.

Determine 22 – A part of HTA code

The HTA code creates a Google Tag Supervisor (gtag) knowledge layer, as proven in Determine 23, to retailer some metadata:

Determine 23 – Use of gtag by the HTA code

HTA Launcher

LokiLocker drops a small binary that’s used to show the message included in Determine 24, and to launch the “information.Loki” HTA file with the usage of mshta.exe. The binary is compiled on the fly from an embedded C# code utilizing a C# compiler.

Determine 24 – HTA launcher code


This file and all different recordsdata in your laptop are encrypted by Loki locker.

If you wish to restore this file and remainder of your recordsdata, Please ship us message to this e-mail : <attackers_email>

Write this ID within the title of your message : <victim_id>

We are going to enable you, in any steps.

In case of no reply in 24 hours, write us to this e-mail : <attackers_email_2>

Determine 25: MessageBox textual content

Community Scanner

We famous two types of community scanning used together with LokiLocker. The primary was an inbuilt community scanner, which may establish community shares to be able to mount and encrypt them.

The menace actors distributing LokiLocker have additionally been noticed utilizing a community scanner utility known as “NS” that they dropped into the sufferer’s setting. The device is an easy command line scanner that lists mounted and unmounted native drives and community shares, as proven in Determine 26.

Determine 26: NS.exe device

NS.exe has been on VirusTotal since 2018, and it has been seen throughout a number of completely different ransomware campaigns: Dharma, Phobos, LockBit, Revil – to call just some. There’s not a lot intel round this device, but it surely appears to be distributed on the darkish web as a part of or alongside many RaaS-based threats.

Conclusions

LokiLocker ransomware is adept at inflicting mayhem on the consumer’s endpoints, and, like its namesake Norse god, can show to be vengeful and harmful if not appeased with a (monetary) providing. LokiLocker’s use of KoiVM as a virtualizing protector for .NET purposes is an uncommon technique of complicating evaluation. We haven’t seen a number of different menace actors utilizing it but, so this can be the beginning of a brand new development.

The inclusion of the “Iran” code can be intriguing, because it’s not completely clear if or how that snippet was supposed for use. Usually, nation lists are supposed to exclude “pleasant territories” from potential hurt. However as this code doesn’t appear to be used, it may very well be a ruse, included in hopes that researchers will pin the blame for LokiLocker’s creation on Iran. There’s additionally the truth that a few of the earliest recognized LokiLocker associates go underneath usernames that may be discovered completely on Iranian hacking channels. Furthermore, Iranian cracking instruments have been used to distribute the preliminary samples of this ransomware. These particulars additional muddy the waters. With tricksters and menace actors, it may be tough to inform the distinction between a significant clue and a false flag – and one can by no means ensure simply how far down the rabbit gap the deception goes.

To guard towards infections by LokiLocker and related RaaS choices, the perfect rule is to all the time have a backup copy of your knowledge (or your organization’s knowledge). This ought to be saved offline and unplugged, ideally, in case your backup drives get hit by LokiLocker and encrypted, too.

When downloading recordsdata, together with new applications and software program, take care to solely obtain from trusted, official websites, quite than third-party or peer-to-peer (pirate) websites, which frequently harbor malicious recordsdata inside seemingly innocuous or “cracked” software program. The identical goes for e-mail attachments – even attachments from trusted contacts ought to be handled with a wholesome dose of warning (and ideally, scanned with an up-to-date antivirus program earlier than opening).

On the time of penning this, there isn’t any free device to decrypt recordsdata encrypted by LokiLocker. If you’re already contaminated with LokiLocker ransomware, the advice by most official safety authorities – such because the FBI – is to not pay the ransom. Fairly aside from the truth that each sufferer who pays the ransom perpetuates the worldwide development of ransomware, do not forget that you’re coping with criminals right here, and there’s no assure that you just’ll regain entry to your knowledge, even in case you pay up. Lastly, even in case you’re knowledge is restored, there isn’t any strategy to know whether or not the menace actor planted a backdoor someplace in your machine, for straightforward future entry. In spite of everything, individuals who pay one ransom can usually be persuaded to pay one other.

In the case of ransomware of all sorts, usually the perfect factor we will do as defenders is to make each effort to remain one step forward of the menace actors, even when the journey proves complicated and arduous.

If you’re a sufferer of ransomware:

Appendix

IOCs







































































0684437b17ae4c28129fbb2cfe75b83cc8424ba119b9ca716ad001a284d62ead

SHA256

15d7342be36d20ce615647fac9c2277f46b6d19aa54f3cf3d99e49d6ce0486d0

SHA256

1a4a3bfb72f3a80e4b499ecebe99f53a2b7785eace7f612b3e219409d1e1ffc7

SHA256

2a7f01d924a4fc38c9fad586634eccbc28de07d97531c4a02eb6085359093a45

SHA256

37702b94f9fc14a406312a2a392ad9553cf05c4b6870d94b5cf4781c02c29414

SHA256

4215b5ce91deb97011cba2dd94d5bac1a745d6d55f6938b86e209eaaf8e655df

SHA256

52c045b57e24585467be13454c5db551987fd23bfa931a7f6ab41e6f11b8a7ec

SHA256

55da12a82c8e0b9fda5dbba6612627c0ee5d13d55e3bcc1df2ca9785c97caf64

SHA256

5ccee068daf8a672d0e63e334e00985aa7fe56aa26b6c036d562728fdf968237

SHA256

6205056cd92c75579f56bd0ce7159fae9f360d4c183beb10743330952bf22056

SHA256

630e24cc1c4c95321965ad967e77e1888c48c4b1f653d800c7df08e879814787

SHA256

75a5d27c77cf8515cff84d789f0e8f849b37e15b9b5f1c0801bab414061048a6

SHA256

78a530f35d1cc89fc757b7661cbd57b2e9e46aeed53e2e66247db66c214a2ba0

SHA256

7f23ea1e5ab087ba2c4e0ea251d680ef5190d49181efcc222702075b276d5990

SHA256

8630df622ee773c3d9c934fe9d925c019b43232e8f2810ee651dcf5f3ec79893

SHA256

88acae18f2cf7de7bb76784d45d9612561c8890872ea3629f0608577928745a5

SHA256

8de5b9332556da8f401c5cbf3cea1dbc1e1ba277c0efa85dce8cd36310c2936c

SHA256

8f78555f0f62b4f280a77109dbaa4aeb5c347d1ea38b521f98c57a7acea8087e

SHA256

8f8cf6b8cd0c789d3f67f6291bb7c0c5416e27320631c852152a63513185941e

SHA256

a1e30ea263ba21d656717f7f7824ecb2dc90896f55eae134afaf7691209979fd

SHA256

ac1b326f23e17726a2b90ce8a9d29c6e44a2cb37b431e2b94734bdd17618ae26

SHA256

adacbc5402326f87c76cc7737ad924ce5bd7394400ef86a48fa754af9d22da66

SHA256

b01a96892f3efdaa6682078339b23d8954d571c27ee15a4ce9ef8ad6c415f06d

SHA256

b8996e435ba229837d13f9837f6c0451f50a5767b0d1f1bb715670c802a1d564

SHA256

c3fe7ee5451108c16d7730d0bf589f70b841f3846908c1761d827a70f3462ef0

SHA256

c80513aaff11a2a2914d3a674737f63fbc04c6d5de7fda6f8b6e07df580664cf

SHA256

c8e8599e8d86ff7daf02ea9c01d31f4cdcf829314c76b84d1b1b8a982d1299c5

SHA256

cb17673f3cde6e542db3ff5facee2a01fdec462be275e9274c512038470009d1

SHA256

da0a82d322502cd6d156649dee1e0a45348df0dce272b6ae2dd81af25f774c62

SHA256

df24b04f6ff0ac50fbf1c01ee02f809c1c3f9fbe9d14eefc3306b1b586bf943e

SHA256

e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3

SHA256

f2da3d1410c5058720a4307acf5fec7fc2b54285be9dd89eae108cce368dcde7

SHA256

fe930861d5eec95a3ea1239e7a8f4182a2cf5b094ac3a48c4cb2f0ef39facd05

SHA256

fffcf4be17e732aa3a5387e747290236d0f75ff3a24cb43eca793668d7772ddd

SHA256

4e6471c4574152d0eb2d2c608e540e505f3db41b50997d1f06c47e587a355d80

SHA256

7c890018d49fe085cd8b78efd1f921cc01936c190284a50e3c2a0b36917c9e10

SHA256

9ab1694c978f11521c6bca73d40256e4b433f3279792db8ae1fecc5e0ad174c9

SHA256

ebc955f12b0a2b588efca6de0af144dd00e33ead80185a887bf7c97329b28ec6

SHA256

1e6ecdb54224eea50476be03d5a48083deae15301f26ba3519e0c0a5eb77b1f4

SHA256

268c2924d45c0c7be9b67b85f03ddf5df97f2bc8963faefe1bec244e0cb95225

SHA256

36b5fe49cd81393f8c60c70c941a1e6aaf181775b0614f1c4a142f38c7af1a81

SHA256

42088f0e3e9c70b7d1d238f7e3b03a3ca177748ba2568adba9104bbed2827734

SHA256

6d1ecc48069eae14a831af05d29d2d25c0fa9f7c62f1f51c44d0d70fb014a590

SHA256

84d9ef8cb92d57b178cce655f3f7808c6f5cf42f15c468f741b253f37ffc39fc

SHA256

bb382bbc0756832748b33f0d7f7ec218d570afa031937259e69237df4945d074

SHA256

ca478cb334360bef31d394438cba1449dfe0b8d751cc8eb679f09e12e5068d1a

SHA256

e9e80fd3fe71d133609f5bc75081b13123e4f9a5ed1920050727955185f3ce52

SHA256

fe40e5c6244c7e0a256689b6ea0881998fef897cece79a2add3ba8f7a23f4f2b

SHA256

8cb1e9c99ad716a2541697a6d4ada32433b56e11dfe6aa1cb7c4fbc72b4bad2e 

SHA256

c1e8c720da2297aa4432364441b341ec85e6f7f571cf6348ffdc51f4ae96418a

SHA256

loki-locker[.]one

C2 area

194.226.139[.]3

C2 IP

91.223.82[.]6

C2 IP

SoftwareLokipublic

Reg worth

SoftwareLokifull

Reg worth

SoftwareLokitimer

Reg worth

SoftwareMicrosoftCurrentVersionRunMichael Gillespie

Reg worth

%ProgramDatapercentwinlogon.exe

Executable

%ProgramDatapercentconfig.Loki

Config file

<malware_path>loki.txt

Config file

<malware_path>logs.txt

Log file

Restore-My-Recordsdata.txt

Readme file

Information.Loki

HTA file

Cpriv.Loki

Knowledge file

Loki/1.0

Consumer Agent

.Loki

File extension

.Adair

File extension

.Boresh

File extension

.Rainman

File extension

.Spyro

File extension


Identified Affiliate Names

AbolSpyro

AdairFile

Ahmad_C4

Darwin

Fardinyps

Fuck3r_life

Helpmezeus

John

Kingbo

LokiBlack

Mindnear

Miracle

Miveh_sabzikosher

Roxlock

Shadow

ShreAzm0

Sirer

darkages

darkkiller

arkwave

ghost

h33shmat

hijack

jhnvjfygbjdhf

mjid4MB

mr_noobx

numbervpss

optimus982

pf9922

qazw

sidewinder



Identified Electronic mail Addresses

BlackSpyro[at]mailfence[.]com

BlackSpyro[at]tutanota[.]com

DecNow[at]MsgSafe[.]io

DecNow[at]TutaMail[.]Com

Decoder[at]firemail[.]cc

Decryptfiles[at]goat[.]si

Filemanager[at]mailfence[.]com

Helpingdecode[at]tutanota[.]com

Miiracle11[at]yandex[.]com

Miracle11[at]keemail[.]me

PayForDecrypting[at]gmail[.]com

PayForDecrypting[at]outlook[.]com

Rdpmanager[at]airmail[.]cc

RoxLock[at]keemail[.]me

RoxLock[at]mailfence[.]com

Shadow0[at]mailfence[.]com

Shadow11[at]mailfence[.]com

Skydancerf5[at]cock[.]li

Sapphire01[at]keemail[.]me

Sapphire02[at]mailfence[.]com

Unlockpls.dr01[at]protonmail[.]com

Unlockpls.dr01[at]yahoo[.]com

adairfile[at]mailfence[.]com

adairfile[at]tutanota[.]com

admindec[at]rape[.]lol

anoniran[at]protonmail[.]com

badlamadec[at]msgsafe[.]io

d4rkw4ve[at]tutanota[.]com

dark4wave[at]yandex[.]com

darkish.killer[at]mailfence[.]com

darkkiller[at]cock[.]li

decryptyourfiles[at]firemail[.]cc

decsup[at]tuta[.]io

falcon9[at]cyberfear[.]com

filemanager[at]cock[.]li

jesushelp01[at]techmail[.]information

jesushelp02[at]mailfence[.]com

kingbo[at]tutanota[.]com

kingboo[at]mailfence[.]com

kingvps1[at]mailfence[.]com

kingvps[at]mailfence[.]com

lockirswsuppurt[at]mailfence[.]com

lockteam[at]cock[.]li

lockteam[at]keemail[.]me

loki.black[at]mailfence[.]com

loki.black[at]msgsafe[.]io

loki.assist[at]bingzone[.]web

loki.assist[at]mailfence[.]com

loki.support01[at]techmail[.]information

loki.support02[at]mailfence[.]com

loki01[at]keemail[.]me

loki02[at]mailfence[.]com

lordpdx[at]tutanota[.]com

mrcrypt2[at]mailfence[.]com

mrcrypt[at]msgsafe[.]io

mrrobot13[at]cock[.]li

pf2536[at]protonmail[.]com

pf2536[at]tutanota[.]com

puffcrypt[at]gmail[.]com

rain.man13[at]mailfence[.]com

rain_man13[at]keemail[.]me

skydancerf5[at]tutanota[.]com

tran9ino00[at]protonmail[.]com

wannayourdata[at]gmail[.]com

xmagic22[at]tutanota[.]com

xmaster22[at]tutanota[.]com

 

The BlackBerry Research & Intelligence Team

About The BlackBerry Analysis & Intelligence Crew

The BlackBerry Analysis & Intelligence workforce examines rising and chronic threats, offering intelligence evaluation for the good thing about defenders and the organizations they serve.




Supply hyperlink