LokiLocker Ransomware Poised to Proliferate

LokiLocker, a new ransomware family documented by BlackBerry, distinguishes itself with a wiper routine: if the ransom is not paid, it threatens to delete the victim’s files and overwrite the Master Boot Record (MBR), the first sector of the disk, which holds the boot code and the partition table.

That, of course, leaves the infected machine unusable, BlackBerry said of the ransomware-as-a-service (RaaS). But there’s a twist—or two or three. “Like its namesake god Loki, this threat seems to have a few subtle tricks up its sleeve—not least of which is being a potential ‘false flag’ tactic that points the finger at Iranian threat actors,” according to a BlackBerry Threat Intelligence blog post.
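To make concrete what an MBR overwrite destroys, here is an added example (not BlackBerry’s code, nor anything from the LokiLocker sample) that parses a 512-byte MBR, checks its structure and compares it against a baseline hash recorded while the host was known-good. The boot sector bytes, the partition layout and the two “after the wiper ran” sectors are all constructed for the example; the device paths in `read_mbr` are assumptions about where sector 0 is read on Windows and Linux.

```python
"""Added example (not BlackBerry's code): parse and sanity-check a 512-byte MBR.

A wiper that overwrites sector 0 destroys the 0x55AA boot signature and the
four 16-byte partition entries that live there, which is why the machine no
longer boots. Comparing the sector with a baseline hash recorded while the
host was known-good, and checking its structure, is a cheap way to notice.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # entries occupy bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of every valid MBR


def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-signature check and the four primary partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def mbr_findings(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """List reasons the sector does not look like the intact MBR we expect (empty = fine)."""
    findings = []
    if baseline_sha256 and hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    usable = 0
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):     # only 'inactive' and 'bootable' are legal
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] != 0:
            usable += 1
    if usable == 0:
        findings.append("no usable partition entries")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: placeholder boot code and one bootable NTFS partition."""
    boot_code = b"\xEB\xFE" + b"\x90" * 438                          # 440 bytes: jmp $ then NOPs
    disk_id = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"             # 4-byte disk signature + 2 reserved
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)     # bootable, type 0x07 (NTFS)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)              # three empty entries
    return boot_code + disk_id + table + BOOT_SIGNATURE


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 of a raw device (assumed paths: \\.\PhysicalDrive0 on Windows, /dev/sda on Linux); needs admin/root."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()     # record this while the host is known-good
    print("intact sector:", mbr_findings(good, baseline) or "no findings")
    # Two constructed 'after the wiper ran' sectors: zero-filled, and overwritten with text.
    zeroed = b"\x00" * SECTOR_SIZE
    note = b"Your files have been encrypted. "      # placeholder text, not a real ransom note
    texted = (note * (SECTOR_SIZE // len(note) + 1))[:SECTOR_SIZE]
    for label, sector in (("zeroed", zeroed), ("text-overwritten", texted)):
        for finding in mbr_findings(sector, baseline):
            print(f"{label}: {finding}")
```

The baseline hash is the useful part operationally: a scheduled job that reads sector 0 and compares it with the value recorded at provisioning will catch an overwrite before the next reboot reveals it, and the structural checks still fire on hosts where no baseline was ever recorded.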

LokiLocker in the Wild

“In Norse mythology, Loki was the consummate trickster who had the ability to shapeshift at will. One of the many hot-headed fire gods, Loki was an enemy to the other gods themselves, often entering their banquets uninvited and demanding their food and drink,” researchers explained. “LokiLocker is similarly insistent on acquiring that to which it has no legitimate claim.”

Although the name Loki “has many namesakes in previous ransomware variants and gangs, this one, however, does not appear to be directly related,” said Joseph Carson, chief security scientist and advisory CISO at Delinea, who noted that the more organizations pay ransom, the more advanced subsequent variants will be. “It does include a wiper function which could be a cyber weapon disguised as ransomware.”

Wipers, he pointed out, “can sometimes be an extension to the ability to hide tracks. Since LokiLocker is a RaaS, it could very well offer its services to some nation-states who want to distance themselves from attribution as well as offering the service to criminal gangs.”

BlackBerry researchers said that although they found an “Iran” string in the code and identified three LokiLocker affiliates using usernames also seen on Iranian hacking channels, they believe those clues may be a false flag.

“The inclusion of the ‘Iran’ code is also intriguing, as it’s not entirely clear if or how that snippet was intended to be used. Normally, country lists are meant to exclude ‘friendly territories’ from potential harm,” the researchers said. “But as this code does not seem to be used, it could be a ruse included in the hopes that researchers will pin the blame for LokiLocker’s creation on Iran.”

The Iran-focused details “further muddy the waters,” BlackBerry said. “With tricksters and threat actors, it can be difficult to tell the difference between a meaningful clue and a false flag—and one can never be sure just how far down the rabbit hole the deception goes.”

In tracing the RaaS’s origins, the researchers found that early samples were distributed inside trojanized brute-checker hacking tools for services such as Spotify and PayPal. The first victims were therefore the users of those tools, themselves miscreants and unlikely to report the infection.

“Brute-checkers are tools used to automate validation of stolen accounts, and gain access to other accounts, via a technique called credential stuffing,” researchers said. “It’s possible that the LokiLocker version distributed with these hacking tools constituted some kind of beta testing phase before the malware was offered to a wider range of affiliates.”

They noted that “LokiLocker works as a limited-access ransomware-as-a-service scheme that appears to be sold to a relatively small number of carefully vetted affiliates behind closed doors. Each affiliate is identified by a chosen username and is assigned a unique chat-ID number.”

Attacks Expected to Ramp Up

BlackBerry expects attacks to ramp up: it has already seen samples in the wild from more than 30 different LokiLocker affiliates.

“The research shows that ransomware is happening at scale. It is provided as a service to many affiliates. It is also becoming more destructive. Besides encrypting files, it also wipes the system. The chance of being hit has greatly increased and the consequence is bigger,” said Aimei Wei, CTO and founder at Stellar Cyber.

The researchers found, not surprisingly, that victims were “scattered around the world,” but concentrated in Eastern Europe and Asia.

“Although we’ve been unable to reliably assess exactly where the LokiLocker RaaS originates, it is worth mentioning that all the embedded debugging strings are in English, and—unlike the majority of malware originating from Russia and China—the language is largely free of mistakes and misspellings,” the researchers said.

They warned that LokiLocker “is adept at causing mayhem on the user’s endpoints, and, like its namesake Norse god, can prove to be vengeful and destructive if not appeased with a (financial) offering.”

Its “use of KoiVM as a virtualizing protector for .NET applications is an unusual method of complicating analysis,” they said. “We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new trend.”

The detailed report on LokiLocker and its potential impact drew praise from security pros. “BlackBerry’s research does a good job showcasing how ransomware attacks are part of a larger criminal enterprise. This particular variant includes features allowing the authors to offer this as a SaaS tool to any interested criminal groups,” said Jason Hicks, field CISO and executive advisor at Coalfire.

“It also seems to include functionality that would allow the author to decrypt files in the event their ‘client’ did not, making the barrier to entry into ransomware attacks much lower for any aspiring group,” said Hicks. “At the same time, it’s important to take the existence of this malware in the context of the larger threat landscape. The reality is there will be additional variants of this malware as well as the larger ransomware software space.”

 


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
