BlackBerry Threat Intelligence has identified a new Ransomware-as-a-Service (RaaS) family and tracked its lineage back to its probable beta-stage release. LokiLocker encrypts a victim’s files on local drives and network shares using a standard combination of AES for file encryption and RSA to protect the AES key. It then instructs the victim to email the attackers to obtain instructions on how to pay the ransom.
LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows® PCs; the threat was first seen in the wild in mid-August 2021.
The malware is written in .NET and protected with NETGuard (modified ConfuserEX) using an additional virtualization plugin called KoiVM. KoiVM used to be a licensed commercial protector for .NET applications, but around 2018, its code was open-sourced (or possibly leaked), and it’s now publicly available on GitHub. Although Koi seems to be popular with hacking tools and cracks, we haven’t seen a lot of other malware using it to date.
LokiLocker also boasts an optional wiper functionality – if the victim doesn’t pay up in the timeframe specified by the attacker, all non-system files will be deleted and the MBR overwritten, wiping all the victim’s files and rendering the system unusable.
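The wiper stage described above leaves two distinct host-level signals a defender can correlate: a single process deleting large numbers of user files (local profiles and network shares), and the same process opening the raw physical disk for writing, which is what an MBR overwrite requires. The following is an added example, not BlackBerry's code and not part of the original post, of a small correlation rule that scores those signals per process. The event records, their field names (`pid`, `image`, `op`, `path`, `access`) and the file paths are constructed for this example and do not correspond to any real product's log schema.

```python
"""
Added example (not BlackBerry's code): correlate two behaviours that the
LokiLocker wiper stage would produce on a host, mass deletion of user files
and a write-mode open of the raw physical disk, and flag the process that
shows both. Event schema and sample paths are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# --- Constructed sample telemetry (not real logs) --------------------------
# Field names (pid, image, op, path, access) are assumptions for this example.
SUSPECT = r"C:\Users\victim\AppData\Local\Temp\updater.exe"   # constructed
BENIGN = r"C:\Windows\System32\svchost.exe"                   # constructed


def _deletes(pid: int, image: str, paths: Iterable[str]) -> List[Dict]:
    """Build one constructed 'file_delete' event per path."""
    return [{"pid": pid, "image": image, "op": "file_delete",
             "path": p, "access": ""} for p in paths]


SAMPLE_EVENTS: List[Dict] = (
    # suspect process deletes documents in the user profile and on a share...
    _deletes(4242, SUSPECT,
             [rf"C:\Users\victim\Documents\file{i}.docx" for i in range(8)])
    + _deletes(4242, SUSPECT,
               [r"\\fileserver\share\budget.xlsx", r"\\fileserver\share\plan.pptx"])
    # ...and then opens the raw disk for writing (the MBR overwrite path)
    + [{"pid": 4242, "image": SUSPECT, "op": "raw_device_open",
        "path": r"\\.\PhysicalDrive0", "access": "write"}]
    # benign noise: a system service cleaning temp files and reading the disk
    + _deletes(1234, BENIGN, [r"C:\Windows\Temp\cab_1.tmp", r"C:\Windows\Temp\cab_2.tmp"])
    + [{"pid": 1234, "image": BENIGN, "op": "raw_device_open",
        "path": r"\\.\PhysicalDrive0", "access": "read"}]
)

# Paths we treat as user data: local profiles and UNC network shares.
USER_DATA_PREFIXES = ("c:\\users\\", "\\\\")
SYSTEM_PREFIXES = ("c:\\windows\\",)


def is_user_data(path: str) -> bool:
    """True for files under user profiles or on network shares, never system dirs."""
    p = path.lower()
    return p.startswith(USER_DATA_PREFIXES) and not p.startswith(SYSTEM_PREFIXES)


def is_raw_disk_write(ev: Dict) -> bool:
    """A write-mode open of \\\\.\\PhysicalDriveN is what an MBR overwrite needs."""
    return (ev["op"] == "raw_device_open"
            and ev["path"].lower().startswith(r"\\.\physicaldrive")
            and ev["access"] == "write")


def analyse(events: Iterable[Dict], delete_threshold: int = 5) -> List[Dict]:
    """Return one finding per process that shows either wiper indicator.

    A process showing both (mass user-file deletion AND raw disk write) is
    rated 'critical'; one indicator alone is 'high'.
    """
    deletes = defaultdict(int)   # pid -> count of user-data deletions
    raw_writes = set()           # pids that opened the physical disk for write
    images = {}                  # pid -> executable path, for the report
    for ev in events:
        images[ev["pid"]] = ev["image"]
        if ev["op"] == "file_delete" and is_user_data(ev["path"]):
            deletes[ev["pid"]] += 1
        elif is_raw_disk_write(ev):
            raw_writes.add(ev["pid"])

    findings = []
    for pid in sorted(set(deletes) | raw_writes):
        indicators = []
        if deletes[pid] >= delete_threshold:
            indicators.append(f"mass_user_file_delete({deletes[pid]})")
        if pid in raw_writes:
            indicators.append("raw_physical_disk_write")
        if indicators:
            findings.append({"pid": pid, "image": images[pid],
                             "indicators": indicators,
                             "severity": "critical" if len(indicators) == 2 else "high"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["image"], ", ".join(f["indicators"]))
```

The deletion threshold is deliberately low here so the constructed sample trips it; on real telemetry it should be tuned against the normal deletion rate of backup agents and cleanup jobs, and the raw-disk-write indicator alone is worth an alert regardless of the count, since few legitimate processes outside disk-management tools ever open `\\.\PhysicalDrive0` for writing.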
Learn more about LokiLocker in our latest blog post, here:
Credit: YouTube/BlackBerry