September 27, 2023

Researchers from blackberry have identified a ransomware family targeting windows machines and capable of wiping out data. This was dubbed as Lokilocker, a RaaS with a origin of Iran possibly named after Loki- Norse lore lord.

Only few small numbers of affiliates are known. They are identified by a chosen username and assigned a unique chat-ID number.


Researchers say there are victims around the world, which isn’t surprising given that different affiliates may have different targeting patterns. Most so far are in Eastern Europe and Asia.

The origins of the RaaS family is still unknown but wrote that all the embedded debugging strings are in English and mostly free of the kinds of mistakes and misspellings typically seen in malware coming from Russia or China. Some of the earliest known LokiLocker affiliates are found in Iran forums

The malware appears to contain a list of countries to exclude from encryption and in the samples the BlackBerry researchers have seen, the only country on the list is Iran.


The malware is written in .NET and protected with NETGuard – a commercial product that the researchers call a “modified ConfuserEX,” an open-source tool for protecting .NET applications – while also using KoiVM, a virtualization plugin. It used to be a licensed commercial protection for .NET applications, but after its code was open-sourced in 2018, it became publicly available on GitHub.

The use of KoiVM as a protector is an unusual method for complicating analysis of the malware that hasn’t been seen with many other threat actors and may mark the start of a new trend. It uses a combination of AES for file encryption and RSA for key protection to encrypt the victim content.

The ransomware was distributed inside trojanized brute-checker hacking tools, including PayPal BruteCheck, Spotify BruteChecker, PiaVNP Brute Checker by ACTEAM, and FPSN Checker by Angeal that are used in credential stuffing activities


LokiLocker puts a time limit for paying the ransom and will make the system unusable if the payment isn’t made. Similar to other ransomwares

The wiper function is part of an escalation by ransomware gangs in recent years to encourage victims to pay the ransom by including additional threats beyond just refusing to decrypt the files, such as erasing data or leaking stolen files on the dark web.

Leave a Reply

%d bloggers like this: