{
	"id": "fd691b0f-4732-44fd-ae4b-1692ec46102c",
	"created_at": "2026-04-06T00:15:28.486701Z",
	"updated_at": "2026-04-10T03:21:25.50465Z",
	"deleted_at": null,
	"sha1_hash": "2e99f63146f04f787b00c2cd69f3a8a39f4c61de",
	"title": "LokiLocker, a Ransomware Similar to BlackBit Being Distributed in Korea - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2943096,
	"plain_text": "LokiLocker, a Ransomware Similar to BlackBit Being Distributed\r\nin Korea - ASEC\r\nBy ATCP\r\nPublished: 2023-05-08 · Archived: 2026-04-05 12:35:17 UTC\r\nAhnLab Security Emergency response Center(ASEC) has confirmed the distribution of the LokiLocker\r\nransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits\r\nhave been mentioned before in a previous blog post. A summary of these similarities is as follows.\r\nSimilarities Between LokiLocker and BlackBit\r\nDisguised as svchost.exe\r\nSame obfuscation tool used (.NET Reactor)\r\nRegistered to the task scheduler and registry (persistence of malware)\r\nRansom note and the new file icon image set after encryption\r\nDisguised as svchost.exe\r\nThe BlackBit ransomware, which was covered in a previous post, disguised itself as a svchost.exe file. Similarly,\r\nthe recently discovered LokiLocker ransomware was also found disguised as a svchost.exe file.\r\nhttps://asec.ahnlab.com/en/52570/\r\nPage 1 of 6\n\nSame packer used (.NET Reactor)\r\nA .NET Reactor was used to obfuscate the code and deter analysis. By looking at the unpacked BlackBit\r\nransomware, it becomes clear that the malware was derived from the LokiLocker ransomware.\r\nhttps://asec.ahnlab.com/en/52570/\r\nPage 2 of 6\n\nhttps://asec.ahnlab.com/en/52570/\r\nPage 3 of 6\n\nRegistered to the task scheduler and registry (persistence of malware)\r\nSimilarities have also been found in their behavioral aspects. The following figure shows that the LokiLocker\r\nransomware registers itself to the task scheduler and registry under the name”Loki” before it starts its encryption\r\nprocess. The ransomware also generates its ransom note before it begins encrypting. 
Afterward, it carries out\r\nactions such as deleting volume shadows to prevent recovery, as well as behaviors aimed at obstructing detection\r\nand leaking information.\r\nRansom note and the new file icon image set after encryption\r\nAfter successfully infecting a system, LokiLocker creates a ransom note named Restore-My-Files.txt in each\r\ninfected folder path, containing the message below. The ransom note and the icon of the infected files that have\r\nbeen confirmed were also found to be very similar to those of the BlackBit ransomware.\r\nAhnLab’s anti-malware software, V3, detects and responds to LokiLocker ransomware with a variety of detection\r\npoints, including file detection and behavior-based detection. To prevent ransomware infection, users must be\r\ncautious of running files from unknown sources and make sure to scan suspicious files with an anti-malware\r\nprogram while also keeping the program updated to the latest version. AhnLab’s anti-malware software, V3,\r\ndetects and blocks the malware using the following aliases:\r\n[File Detection]\r\nRansomware/Win.Loki.C5421356 (2023.05.03.00)\r\n[Behavior Detection]\r\nRansom/MDP.Delete.M2117\r\nMD5\r\nd03823a205919b6927f3fa3164be5ac5\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/52570/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/52570/"
	],
	"report_names": [
		"52570"
	],
	"threat_actors": [],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e99f63146f04f787b00c2cd69f3a8a39f4c61de.pdf",
		"text": "https://archive.orkl.eu/2e99f63146f04f787b00c2cd69f3a8a39f4c61de.txt",
		"img": "https://archive.orkl.eu/2e99f63146f04f787b00c2cd69f3a8a39f4c61de.jpg"
	}
}