LokiLocker, a relatively new form of ransomware, uses the standard extortion-through-encryption racket but also incorporates disk-wiper functionality.
Double extortion became a hit last year, when ransomware gangs started stealing files before encrypting them to threaten victims with a sensitive data leak if they didn’t pay up.
BlackBerry Threat Intelligence is now warning that LokiLock, first seen in August 2021, now features an “optional wiper functionality” to put pressure on victims in a slightly different way.
Instead of attackers using the threat of leaking a victim’s files to pressure them into paying, LokiLock’s customers threaten to overwrite a victim’s Windows Master Boot Record (MBR), which wipes all files and renders the machine unusable. But that tactic effectively ends all negotiations about payment, of course.
Disk-wiper functionality has come into focus recently because of destructive malware attacks on Ukrainian organizations. The US government fears destructive malware could target organizations in the West in retribution for sanctions against Russia.
Historically, disk-wiper malware has often been favoured by state-sponsored hackers, as was the case in NotPetya, WhisperGate and HermeticWiper – all directly or loosely connected to Russian state-sponsored actors – where ransomware is a decoy for the true destructive intent.
But commercially motivated ransomware that destroys the victim’s computer? It certainly appears to be a different style of ransom negotiation than ransomware linked to Russian actors.
“With a single stroke, everyone loses,” BlackBerry notes.
However, Microsoft has been tracking emerging – presumed state-backed or affiliated – Iranian hacking groups that are employing both encryption and destructive malware.
BlackBerry points to some evidence that suggests LokiLocker was developed by Iranian hackers and designed to target English-speaking victims.
The evidence: there are very few English spelling errors in the malware’s debugging strings; LokiLocker affiliates are chatting on Iranian hacking forums; and Iran is the only location currently blacklisted for activating encryption. Additionally, some credential-cracking tools distributed in early samples of LokiLocker “seem to be developed by an Iranian cracking team called AccountCrack”.
“Although we’ve been unable to reliably assess exactly where the LokiLocker RaaS originates, it is worth mentioning that all the embedded debugging strings are in English, and – unlike the majority of malware originating from Russia and China – the language is largely free of mistakes and misspellings,” BlackBerry notes. “It’s not entirely clear whether this means they truly originate from Iran or that the real threat actors are trying to cast the blame on Iranian attackers,” it said.
It’s common for Russia-based ransomware gangs to not activate malware on machines within Commonwealth of Independent States nations – often configured by blacklisting specific language codes within a machine’s language settings.
But BlackBerry says LokiLocker appears to be in beta. The Iran blacklist functionality hasn’t been implemented.
As for the disk-wiper functionality, BlackBerry says the malware will attempt to destroy a system if a ransom isn’t paid within the specified timeframe. It deletes all of a victim’s files, except for system files, and also tries to overwrite the MBR and then, after forcing a Blue Screen of Death error message, reboots the wiped machine and displays the message: “You did not pay us. So we deleted all of your files : ) Loki locker ransomware_”.
Prior to the payment deadline, the malware changes the victim’s login screen and desktop wallpaper to the ransom message, and drops a web file that displays the ransom note on the victim’s desktop detailing the time left “to lose all of your files”.
LokiLocker is written in .NET and protected with NETGuard (modified ConfuserEX), using an additional virtualization plugin called KoiVM, according to BlackBerry.
“LokiLocker’s use of KoiVM as a virtualizing protector for .NET applications is an unusual method of complicating analysis. We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend,” the company notes.