There is a new ransomware-as-a-service (RaaS) strain called LokiLocker, researchers at Blackberry warn. The malware uses rare code obfuscation and includes a file wiper component that attackers can deploy if their victims don’t pay. “It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer.

“LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021,” researchers from BlackBerry’s Research & Intelligence Team said in a new report.  The BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.

LokiLocker’s technical capabilities

When first executed on a computer, LokiLocker copies itself as %ProgramData%/winlogon.exe and then sets up persistence by using a scheduled task and a start-up registry entries. The malware has a config file that affiliates can customise and which can be used to instruct the malware to:

  • Display a fake Windows Update screen
  • Kill specific processes and stop specific system services
  • Disable the Windows Task Manager
  • Delete system back-ups and Shadow Volume copies
  • Disable the Windows Error Recovery and Windows Firewall
  • Remove system restore points
  • Empty the Recycle Bin
    Disable Windows Defender
  • Change the message displayed on the user’s login screen

“At the time of writing this, there is no free tool to decrypt files encrypted by LokiLocker,” the BlackBerry researchers said. “If you are already infected with LokiLocker ransomware, the recommendation by most official security authorities such as the FBI is to not pay the ransom.”

There are options to only encrypt the C drive, or to skip the C drive. The malware also has network scanning functionality, which can be used to detect and encrypt network shares, but using this functionality is also configurable.

Finally, LokiLocker contains a wiper module that will attempt to delete files from all local drives and then overwrite the hard drive’s Master Boot Record (MBR), which will leave the system unable to boot into the operating system.

Instead, the user will see a message reading: “You did not pay us, so we deleted all your files.” The wiper functionality will automatically trigger based on a timer that’s set to 30 days but is configurable.

It’s not clear who are the authors of LokiLocker, but the BlackBerry researchers noted that the debugging strings found in the malware are written in English without any major spelling mistakes that are sometimes common with Russian or Chinese malware developers. Instead, there are some potential links to Iran, but these could be planted to throw off malware researchers.