Tuesday, April 16, 2024

This new ransomware threatens to wipe the victim's entire Windows installation if the ransom is not paid


3 min read

Double extortion became a “popular thing” last year when ransomware gangs began stealing files before encrypting them, so that they could threaten to publish the sensitive data if victims did not pay.

BlackBerry Threat Intelligence now warns that LokiLocker, first seen in August 2021, has an “optional wiper function” that puts pressure on victims in a slightly different way.

Instead of threatening to publish the victim's files, LokiLocker threatens to delete them and overwrite the Windows Master Boot Record (MBR), leaving the machine unable to boot. That tactic, of course, also ends all payment negotiations.

Disk-wiping functionality has recently come into focus because of the destructive malware attacks on Ukrainian organizations. The US government fears that destructive malware could be turned against organizations in the West in retaliation for sanctions on Russia.


Historically, disk-wiping malware has mostly been the tool of state-sponsored hackers, as with NotPetya, WhisperGate and HermeticWiper, all more or less linked to Russian state-backed actors, where the ransomware disguise is a cover for purely destructive intent.

But financially motivated ransomware that destroys the victim's computer? That is certainly a different style of ransom negotiation from the one associated with the Russian-speaking ransomware scene.

“Everyone loses with one move,” notes BlackBerry.

Microsoft, however, has tracked new Iranian hacking groups that use both encryption and destructive malware.

BlackBerry points to some evidence suggesting that LokiLocker was developed by Iranian hackers and is designed to target English-speaking victims, ZDNet reports.


The evidence: there are very few English spelling errors in the malware's debug strings; LokiLocker is discussed on Iranian hacking forums; and Iran is the only country on the malware's built-in exclusion list, meaning the ransomware will not encrypt machines located there. In addition, some of the credential-cracking tools that early LokiLocker samples were bundled with were probably developed by an Iranian cracking team called AccountCrack.

“Although we have not been able to reliably estimate exactly where the LokiLocker RaaS comes from, it is worth noting that all the built-in debug strings are in English and, unlike most malware from Russia and China, the language is largely free of spelling and grammatical errors,” notes BlackBerry. “It is not entirely clear whether this means that they really come from Iran or that the hidden actors are trying to shift the blame to Iranian attackers.”



As for the disk-wiping function, BlackBerry says the malware will try to destroy the system if the ransom is not paid within the specified time limit. It deletes all of the victim's files except system files, tries to overwrite the MBR, then forces a blue screen of death (BSOD) error, reboots the wiped machine and displays the message: “You did not pay us, so we deleted all your files 🙂 Loki locker ransomware”.
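What that MBR overwrite looks like from the defender's side, as an added illustration written for this article (it is not BlackBerry's tooling and not the malware's code): a small Python check that parses a 512-byte MBR image, flags the signs of a zeroed or overwritten sector 0, and compares the sector against a previously recorded baseline hash. The device path `\\.\PhysicalDrive0` is an assumption (the usual Windows name for the first physical disk; opening it needs administrator rights), and the three sample sectors are constructed inputs.

```python
"""Sanity-check a 512-byte Master Boot Record (MBR) for signs of an
overwrite of the kind attributed to LokiLocker's wiper.

Added example for this article; it is not code from BlackBerry or from
the malware.  The sample MBRs below are constructed, and the device path
used by read_mbr() is an assumption (the usual Windows name for the first
physical disk; it needs administrator rights to open)."""

import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"            # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446            # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
PHYSICAL_DRIVE0 = r"\\.\PhysicalDrive0"  # assumed device path (Windows, admin)


def read_mbr(device: str = PHYSICAL_DRIVE0) -> bytes:
    """Read the first sector of a raw disk device (not called at import time)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four classic partition-table entries."""
    entries = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        raw = mbr[start:start + PARTITION_ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def assess_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Return a verdict plus the individual findings for one MBR image.

    A healthy MBR ends in 0x55AA, has a non-empty partition table and has
    non-zero boot code.  A wiper that zeroes or overwrites sector 0 breaks
    at least one of these; a baseline hash catches subtler changes."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")

    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")

    used = [p for p in parse_partitions(mbr) if p["type"] != 0 and p["sectors"] != 0]
    if not used:
        findings.append("partition table empty")

    if not any(mbr[:PARTITION_TABLE_OFFSET]):
        findings.append("boot code region is all zeros")

    digest = hashlib.sha256(mbr).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("sha256 differs from recorded baseline")

    return {
        "sha256": digest,
        "partitions": used,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


def build_sample_mbr() -> bytes:
    """Constructed, healthy-looking MBR: stub boot code, one active NTFS partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)
    ntfs = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # bootable, type 0x07
    empty = bytes(3 * PARTITION_ENTRY_SIZE)
    return boot_code + ntfs + empty + BOOT_SIGNATURE


# Constructed samples: the original sector, a zero-filled sector, and a sector
# overwritten with an unrelated byte pattern (no 0x55AA at the end).
HEALTHY_MBR = build_sample_mbr()
ZEROED_MBR = bytes(MBR_SIZE)
GARBAGE_MBR = bytes(range(256)) * 2
BASELINE = hashlib.sha256(HEALTHY_MBR).hexdigest()


if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("zeroed", ZEROED_MBR), ("garbage", GARBAGE_MBR)):
        result = assess_mbr(image, BASELINE)
        print(f"{name:8} {result['verdict']:10} {result['findings']}")
```

The practical caveat: once the MBR has been overwritten the machine no longer boots, so this check has to run before the deadline, from an endpoint agent that records the baseline hash while the disk is healthy, or afterwards against a forensic image of the disk. On a live Windows host, `read_mbr()` with the assumed device path needs an elevated prompt; on a GPT disk the protective MBR still carries the 0x55AA signature and a single type 0xEE entry, so the same checks apply.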

Before the payment deadline, the malware replaces the victim's login screen and desktop background with a ransom message and drops a browser-rendered ransom note on the victim's desktop that shows how much time is left before they “lose all your files.”

LokiLocker is written in .NET and protected with NETGuard (a modified ConfuserEx), together with an additional virtualization plugin called KoiVM, according to BlackBerry.

“LokiLocker’s use of KoiVM as a virtualizing protector for .NET applications is an unusual method of complicating analysis. We haven’t seen many other threat actors using it yet, so this could be the beginning of a new trend,” the company says.
