BlackBerry ThreatVector Blog

BlackBerry Prevents LokiLocker

CYBERSECURITY / 06.13.22 / Hector Diaz

Named after Loki, the “trickster” god in Norse mythology, LokiLocker is a type of ransomware that encrypts files on a compromised device, rendering it unusable if the ransom isn’t paid in time. In March 2022, the BlackBerry Threat Intelligence Team intercepted this Ransomware-as-a-Service (RaaS) family and tracked its lineage, estimating it to be a probable beta-stage release.

This ransomware family is relatively new, first spotted in the wild August 2021. LokiLocker targets English-speaking victims and Windows® PCs. Like its namesake god Loki, this ransomware enters its target destination uninvited and looks for property to steal. The malware then encrypts this data, and demands the victim pay a monetary ransom to restore access.

Even though it’s likely still in beta, LokiLocker has many malicious tricks up its sleeve. These include a “false flag” tactic that may mislead defenders by placing blame on Iranian threat actors. Despite the similar name, LokiLocker shouldn’t be confused with the older Locky ransomware family, or with the notorious infostealer LokiBot. It shares some similarities with LockBit ransomware, such as registry values and the ransom note filename, but it’s not a direct descendant. LokiLocker is written in .NET and protected with NETGuard (a modified ConfuserEx) together with an additional virtualization protector called KoiVM. Although this technique hasn’t often been seen in use by other threat actors, this may be the start of a new malware trend.

See how BlackBerry prevents LokiLocker attacks in our demo video below, which shows BlackBerry® products going head-to-head with a live sample of LokiLocker.

DEMO VIDEO: BlackBerry vs. LokiLocker

Learn more about LokiLocker in our deep dive blog: New Ransomware Family Identified: LokiLocker RaaS Targets Windows Systems

Figure 1 – CylanceOPTICS instantly detects each move LokiLocker makes within the system, providing real-time detection and prevention information

Figure 2 – In our demo video above, you’ll see CylancePROTECT prevents multiple LokiLocker samples from accessing the target system, stopping the attack before it happens

BlackBerry Protects Against LokiLocker 

CylancePROTECT® provides automated malware prevention, application and script control, memory protection, and device policy enforcement. CylanceOPTICS® extends the threat protection by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.  

Prevention First Philosophy

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity to neutralize malware before the exploitation stage of the kill-chain. 

By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. This also helps to reduce infrastructure complexity and streamline your security management, ensuring that your business, people, and endpoints are secure. 

BlackBerry Assistance  

Regardless of your current BlackBerry relationship, the BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.   

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Video Transcription  

In this video, we are going to analyze LokiLocker, a new Ransomware-as-a-Service (RaaS) family that encrypts victims’ files on local drives and network shares.

This system is configured in Audit-Only mode to allow malware execution. Here, we have a recent LokiLocker sample. Upon execution, it deploys a .dll file, then drops a cmdline that contains additional instructions and establishes persistence and other actions in the background before encryption.

Files on local drives and network shares are encrypted by a component running as “winlogon.exe” from several different paths on the system, with its attributes set to “hidden” and “system” and a mutex called LokiLocker. It also drops a preliminary ransom note as a .txt file right before changing the user’s wallpaper and presenting the typical HTA note with a deadline, threatening to wipe all the user’s data.

CylanceOPTICS® is able to detect all the steps taken by LokiLocker. In near real time, we can identify how the threat establishes persistence, how it deletes the system’s Shadow Copies to prevent system recovery, and how it uses Netsh to disable the system’s firewall. We can also conduct a Root Cause Analysis to drill down into the specifics of this ransomware and visualize every step it takes: how it sends a beacon in a POST request to its Command-and-Control (C2) server, and how it establishes persistence through scheduled tasks as well as in the system’s registry. CylanceOPTICS’ main priority, however, is to prevent this attack from happening in the first place.
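As an added illustration, and not code from the BlackBerry post or from its products, the following Python script shows how a defender could turn the behaviours narrated above into detection logic over process-creation telemetry. The events are constructed here, the user and task names are hypothetical, and the concrete command lines (vssadmin for shadow-copy deletion, netsh advfirewall for the firewall, schtasks and a Run key for persistence) are assumptions about how those steps usually surface in logs; the post itself only names the behaviours.

```python
"""Flag LokiLocker-style behaviours in process-creation events (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A minimal process-creation record (a subset of what Sysmon event 1 or an EDR logs)."""
    image: str     # full path of the executable that started
    cmdline: str   # its command line
    parent: str    # full path of the parent process


# The only legitimate home of winlogon.exe; any other location is a masquerade.
LEGIT_WINLOGON = r"c:\windows\system32\winlogon.exe"

# Command-line shapes assumed for the behaviours the post describes (matched on lowercased text).
PATTERNS = {
    "shadow_copy_deletion": re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete)"),
    "firewall_disabled": re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off"),
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create\b"),
    "registry_run_key": re.compile(r"reg(\.exe)?\s+add\s+\S*\\currentversion\\run\b"),
}


def detect_event(ev: ProcEvent) -> list[str]:
    """Return the behaviour categories one event matches; an empty list means nothing suspicious."""
    image, cmd = ev.image.lower(), ev.cmdline.lower()
    hits: list[str] = []
    if image.endswith("\\winlogon.exe") and image != LEGIT_WINLOGON:
        hits.append("winlogon_masquerade")
    for name, pattern in PATTERNS.items():
        if pattern.search(cmd):
            hits.append(name)
    # Persistence whose target is a winlogon.exe outside System32 ties the two behaviours together.
    if ("scheduled_task" in hits or "registry_run_key" in hits) \
            and "winlogon.exe" in cmd and LEGIT_WINLOGON not in cmd:
        hits.append("persistence_targets_masquerade")
    return hits


def triage(events: list[ProcEvent], threshold: int = 2) -> dict[str, list[str]]:
    """Group findings by parent process; alert when one parent shows several distinct behaviours.

    A single hit (an admin running netsh, say) is weak evidence; shadow-copy deletion plus
    firewall tampering plus persistence under one parent is the ransomware pattern.
    """
    by_parent: dict[str, set[str]] = {}
    for ev in events:
        cats = detect_event(ev)
        if cats:
            by_parent.setdefault(ev.parent.lower(), set()).update(cats)
    return {parent: sorted(cats) for parent, cats in by_parent.items() if len(cats) >= threshold}


# Constructed sample telemetry (hypothetical user "alice" and task name; not from the post).
FAKE_WINLOGON = r"C:\Users\alice\AppData\Roaming\winlogon.exe"
SAMPLE_EVENTS = [
    ProcEvent(FAKE_WINLOGON, f'"{FAKE_WINLOGON}"', r"C:\Users\alice\Downloads\sample.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", FAKE_WINLOGON),
    ProcEvent(r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state off", FAKE_WINLOGON),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              f'schtasks /create /sc onlogon /tn ConstructedTask /tr "{FAKE_WINLOGON}" /f', FAKE_WINLOGON),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              f'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ConstructedValue '
              f'/t REG_SZ /d "{FAKE_WINLOGON}"', FAKE_WINLOGON),
]
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\winlogon.exe", "winlogon.exe", r"C:\Windows\System32\smss.exe"),
    ProcEvent(r"C:\Windows\System32\netsh.exe", "netsh interface show interface", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for parent, cats in triage(SAMPLE_EVENTS).items():
        print(f"ALERT parent={parent}: {', '.join(cats)}")
    print("benign alerts:", triage(BENIGN_EVENTS))
```

The per-parent threshold is the part worth keeping in a real rule: each behaviour alone has benign explanations, but the combination under one parent process, especially a parent running as winlogon.exe from a user profile, is what the video's Root Cause Analysis view makes visible. The C2 beacon mentioned in the narration lives in network telemetry rather than process events, so it is not covered here.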

The Predictive Advantage of CylancePROTECT® allows us to prevent this threat years before it was even created. This is a Cylance® AI model from October 2015, and the endpoint it is hosted on has no internet connectivity. Let’s copy our original LokiLocker sample – you'll see its actions are prevented, pre-execution.

Now let’s try with 40 samples from our blog’s IoC list. Once again, let’s copy the files to the system and we'll try to execute them all in sequence. You can see that all 40 samples of LokiLocker are prevented in pre-execution.

Prevention is Possible with BlackBerry.

Hector Diaz

About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.