LokiLocker Ransomware with Built-in Wiper Functionality

Description

FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.

Why is this Significant?

This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.

What is LokiLocker Ransomware?

LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a ".Loki" file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.

LokiLocker has a built-in configuration file, which contains information such as the attacker's email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.

How is LokiLocker Ransomware Distributed?

While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet's telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.

What is the Status of Coverage?

FortiGuard Labs provide the following AV coverage:

W32/DelShad.GRG!tr.ransom

W32/DelShad.GSE!tr.ransom

W32/DelShad.GUJ!tr.ransom

W32/Filecoder.AKJ!tr

W32/Generic.AC.171!tr

W32/PossibleThreat

W32/Ramnit.A

MSIL/Filecoder.AKJ!tr

MSIL/Filecoder.AKJ!tr.ransom

MSIL/Filecoder_LokiLocker.D!tr

MSIL/Filecoder.4AF0!tr.ransom

MSIL/Filecoder.64CF!tr.ransom

PossibleThreat

All known network IOC's are blocked by the FortiGuard WebFiltering client.

Appendix

New Ransomware Family Identified: LokiLocker RaaS Targets Windows Systems (Blackberry)