Security researchers at BlackBerry identified a new Ransomware-as-a-Service (RaaS) family on March 16 and traced it back to what appears to be its beta-stage release.
The strain, called LokiLocker, encrypts victims’ files, renders compromised systems unusable, and demands a ransom to restore access. The malicious service also tries to shake off unwanted attention by framing Iranian threat actors.
LokiLocker was first spotted in the wild last August, targeting the Windows PCs of English-speaking users.
“LokiLocker encrypts victim’s files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection,” according to BlackBerry’s security advisory. “It then asks the victim to email the attackers to obtain instructions on how to pay the ransom.”
So far, LokiLocker seems to have the same encryption capabilities as many other known ransomware strains. However, threat actors can also configure it to wipe all non-system files and overwrite the MBR, thus making the system unusable.
“LokiLocker also boasts an optional wiper functionality — if the victim doesn’t pay up in the timeframe specified by the attacker, all non-system files will be deleted and the MBR overwritten, wiping all the victim’s files and rendering the system unusable. With a single stroke, everyone loses,” according to the advisory.
Reportedly, LokiLocker can be configured to exclude certain countries from encryption and wiping, but further research found only Iran on the list of exceptions. Moreover, that exclusion check is never actually executed, leading researchers to believe that the references to Iranian threat actors are a false flag intended to divert attention.
At the moment, no free tool to decrypt content ciphered by LokiLocker exists.