Alarm raised over ‘trickster’ LokiLocker ransomware

An emergent ransomware-as-a-service (RaaS) family dubbed LokiLocker is beginning to attract the attention of threat researchers, who are warning security pros to be on the lookout for the ransomware which, like its namesake Norse trickster god, has some “subtle tricks” up its sleeve designed to misdirect and distract defenders.

First spotted in the wild in August 2021, LokiLocker – not to be confused with the LokiBot infostealer – targets mostly English-speaking victims and Windows PCs located in Eastern Europe and Asia, according to the BlackBerry threat researchers who have been tailing its operators. It currently has about 30 carefully selected affiliates.

BlackBerry’s team traced LokiLocker back to its beta-testing phase, noting that it was first distributed within trojanised brute-checker hacking tools – tools used by malicious actors to automate credential stuffing attacks – in this case against the likes of PayPal and Spotify.

Concerningly, it also includes wiper functionality – if the victim does not pay up in a specified time, their non-system files are deleted and the master boot record (MBR) overwritten, leaving the system totally unusable.

“LokiLocker ransomware is adept at causing mayhem on the user’s endpoints, and, like its namesake Norse god, can prove to be vengeful and destructive if not appeased with a financial offering,” said BlackBerry’s team in a disclosure notice.

LokiLocker is somewhat unusual for a couple of reasons. Firstly, the ransomware itself is written in .NET and protected with NETGuard using a virtualisation plugin called KoiVM – a legitimate commercial protector for .NET apps, but one that has proved popular with hacking tools and cracks since its code became publicly available in 2018.

This, the team said, is something new. “LokiLocker’s use of KoiVM as a virtualising protector for .NET applications is an unusual method of complicating analysis,” they said. “We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend.”

Secondly, BlackBerry found that some of the early LokiLocker affiliates go by handles that are found exclusively on Iranian hacking channels, and Iranian cracking tools have been used to distribute the initial samples, which would seem to be a clear clue as to its provenance.

Coupled with this, the researchers found the malware itself defines an array of strings that might be presumed would usually contain a list of “friendly” countries to exclude from encryption – most ransomwares do this and most exclude Russia and other former-Soviet states – but LokiLocker excludes only one country, Iran.

BlackBerry’s team then found that whoever wrote LokiLocker had not actually implemented this functionality, which potentially casts doubt on the Iranian connection. They suggested it could be a ruse to misdirect attention away from its true origins, wherever they may be.

“These details further muddy the waters,” said the team. “With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag – and you can never be sure just how far down the rabbit hole the deception goes.”