Named after Loki, the “trickster” god in Norse mythology, LokiLocker is a type of ransomware that encrypts files on a compromised device, rendering it unusable if the ransom isn’t paid in time. In March 2022, the BlackBerry Threat Intelligence Team intercepted this Ransomware-as-a-Service (RaaS) family and tracked its lineage, estimating it to be a probable beta-stage release.
This ransomware family is relatively new, first spotted in the wild in August 2021. LokiLocker targets English-speaking victims and Windows® PCs. Like its namesake god Loki, this ransomware enters its target destination uninvited and looks for property to steal. The malware then encrypts this data and demands that the victim pay a monetary ransom to restore access.
Even though it’s likely still in beta, LokiLocker has many malicious tricks up its sleeve. These include a “false flag” tactic that may mislead defenders by placing blame on Iranian threat actors. Despite the similarity in name, LokiLocker shouldn’t be confused with the older Locky ransomware family or the notorious infostealer LokiBot. It shares some similarities with LockBit ransomware, such as registry values and the ransom note filename, but it’s not a direct descendant. LokiLocker is written in .NET and protected with NETGuard (a modified ConfuserEX) using an additional virtualization protector called KoiVM. Although this technique hasn’t often been seen in use by other threat actors, it may be the start of a new malware trend.
See how BlackBerry prevents LokiLocker attacks in our demo video below, which shows BlackBerry® products going head-to-head with a live sample of LokiLocker.