BlackBerry Threat Intelligence identifies LokiLocker as a new RaaS ransomware family that encrypts Windows files using AES-256 and RSA-2048, with virtualization protection via KoiVM/NETGuard to hinder analysis. The campaign also features a possible false-flag element pointing to Iranian actors and a limited affiliate network of around 30 members.
Key points
- LokiLocker is a .NET-based RaaS ransomware that uses KoiVM virtualization and NETGuard to protect its code and complicate analysis.
- The RaaS model appears to be limited to around 30 affiliates, each identified by a username and a unique chat-ID within the botnet ecosystem.
- Early samples were distributed inside brute-checker tools (e.g., PayPal/Spotify/PIA VPN brute checkers) likely as beta testing before full affiliate rollout.
- Persistence is achieved through scheduled tasks, Run keys, and Common Startup folder, plus other startup/discovery techniques.
- Encryption combines RSA-2048 for key protection and AES-256 in GCM mode for file encryption; keys are stored in the registry and can be sent back to the attackers via C2.
- The malware includes wiper capabilities (deleting non-system files and potentially overwriting the MBR) and a ransom workflow with HTA-based notes and a launcher.
- Network behavior includes beaconing to loki-locker.one via POST requests and the use of HTA-based components, plus an in-house NS.exe network scanner for discovering shares.
MITRE Techniques
- [T1566.001] Phishing – Spear-phishing campaigns referenced in updates: “An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the conflict in Ukraine.” – (quoted content)
- [T1053.005] Scheduled Task – Persistence: “By creating a scheduled task to execute the malware binary on each logon.” – (quoted content)
- [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys/Startup Folder and Startup Copy: “By adding the following value to the Software\Microsoft\CurrentVersion\Run under both HKCU and HKLM keys” and “By copying the malware executable to the Common Startup folder.” – (quoted content)
- [T1110] Brute Force – Credential Stuffing via Brute-Checkers: “Brute-checkers are tools used to automate validation of stolen accounts, and gain access to other accounts, via a technique called credential stuffing.” – (quoted content)
- [T1027] Obfuscated/Compressed Files and Information – Code obfuscation using KoiVM/NETGuard: “KoiVM… turning the .NET opcodes into new ones that only are understood by our machine.” – (quoted content)
- [T1135] Network Share Discovery – Network scanning to identify shares: “The threat actors distributing LokiLocker have also been observed using a network scanner utility called NS that they dropped into the victim’s environment. The tool is a simple command line scanner that lists mounted and unmounted local drives and network shares.” – (quoted content)
- [T1218.005] Signed Binary Proxy Execution: HTA – HTA launcher and mshta.exe usage: “launch the ‘info.Loki’ HTA file with the use of mshta.exe.” – (quoted content)
- [T1486] Data Encrypted for Impact – Encryption details: “Each file is encrypted with AES-256 in GCM mode, using a randomly generated key; the key is then encrypted using the victim’s public RSA key.” – (quoted content)
- [T1490] Inhibit System Recovery – Deleting backups/shadow copies: “Deletes system backup and shadow copies.” – (quoted content)
- [T1485] Data Destruction – Wiping/non-system file destruction and MBR overwrite: “overwriting the MBR” and related wiping actions – (quoted content)
- [T1562.001] Impair Defenses – Disabling Defender/Task Manager: “Disables Windows Defender” and “Disables Windows Task Manager” – (quoted content)
- [T1071.001] Web Protocols – C2 communications via HTTP POST: “The malware sends a beacon containing the following information in a POST request to the index.php script hosted on the command-and-control (C2) server.” – (quoted content)
Indicators of Compromise
- [SHA256] Hashes – 0684437b17ae4c28129fbb2cfe75b83cc8424ba119b9ca716ad001a284d62ead, 15d7342be36d20ce615647fac9c2277f46b6d19aa54f3cf3d99e49d6ce0486d0, and 2 more hashes
- [Domain] C2 domain – loki-locker[.]one
- [IP] C2 IPs – 194.226.139[.]3, 91.223.82[.]6
- [Registry Value] Loki affiliate config keys – Software\Loki\public, Software\Loki\full, Software\Loki\timer
- [File/Path] Persistence and config – %ProgramData%\winlogon.exe, %ProgramData%\config.Loki
- [File] Ransom-related files – Restore-My-Files.txt, Info.Loki
- [File Extension] Encrypted-file extensions – .Loki
- [User Agent] Web beacon – Loki/1.0
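As an added example (not code from the BlackBerry report), the following Python classifies constructed host and proxy telemetry against the persistence, registry, ransom-note and C2 behaviours listed above; the event schema, the sample events and the `Software\Loki` value layout are assumptions.

```python
import re
# Behaviours and indicators summarised in this report, expressed as matchers.
C2_DOMAIN = "loki-locker.one"
USER_AGENT = "Loki/1.0"
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
LOKI_CONFIG = re.compile(r"\\Software\\Loki\\(public|full|timer)$", re.I)
# The genuine winlogon.exe lives in System32; a copy under ProgramData is the dropped binary.
DROPPED = re.compile(r"(?:%programdata%|\\programdata)\\(winlogon\.exe|config\.loki)", re.I)
RANSOM_FILES = {"restore-my-files.txt", "info.loki"}

def classify(ev):
    """Return the MITRE technique IDs a single telemetry event matches (empty if benign)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        if RUN_KEY.search(ev["key"]) and DROPPED.search(ev["data"]):
            hits.append("T1547.001")   # Run key pointing at the ProgramData copy
        if LOKI_CONFIG.search(ev["key"]):
            hits.append("T1486")       # per-victim key material written under Software\Loki
    elif kind == "schtask_create" and DROPPED.search(ev["command"]):
        hits.append("T1053.005")       # scheduled task running the dropped copy at logon
    elif kind == "file_create":
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if name in RANSOM_FILES or name.endswith(".loki"):
            hits.append("T1486")       # ransom note or encrypted file
    elif kind == "http":
        if ev.get("host", "").lower() == C2_DOMAIN or ev.get("user_agent") == USER_AGENT:
            hits.append("T1071.001")   # beacon to the C2 domain or the hard-coded User-Agent
    return hits

def scan(events):
    """Count matched technique IDs across an event stream."""
    counts = {}
    for ev in events:
        for tid in classify(ev):
            counts[tid] = counts.get(tid, 0) + 1
    return counts

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\ProgramData\winlogon.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign
    {"type": "registry_set", "key": r"HKCU\Software\Loki\public", "data": "<constructed key blob>"},
    {"type": "schtask_create", "command": r'"C:\ProgramData\winlogon.exe"'},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\Restore-My-Files.txt"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx.Loki"},
    {"type": "http", "host": "loki-locker.one", "path": "/index.php", "user_agent": "Loki/1.0"},
    {"type": "http", "host": "example.com", "path": "/", "user_agent": "Mozilla/5.0"},  # benign
]
```

Running `scan(SAMPLE_EVENTS)` yields one Run-key, one scheduled-task and one C2 hit plus three T1486 hits, while the two benign events match nothing.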
Read more: https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware