{
	"id": "fb9dec95-5ca9-41a2-93a2-640a90fb6029",
	"created_at": "2026-04-06T00:18:16.802205Z",
	"updated_at": "2026-04-10T13:11:35.829869Z",
	"deleted_at": null,
	"sha1_hash": "47177c78ced001dd22666fc98e8ce4497d3efb7b",
	"title": "LokiLocker Ransomware May Use False Flag to Avoid Identification -",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44982,
	"plain_text": "LokiLocker Ransomware May Use False Flag to Avoid\r\nIdentification -\r\nBy D. Howard Kass\r\nPublished: 2022-03-23 · Archived: 2026-04-05 21:09:36 UTC\r\nA relatively new ransomware-as-a-service (RaaS) family known as LokiLocker is targeting Microsoft Windows\r\nusers globally through a small, distributed network of affiliates, BlackBerry threat researchers said.\r\nThe malware, most likely in a beta stage release, encrypts files similar to other notables but also may have the\r\nability to display a false flag tactic that blames Iranian actors, BlackBerry said in a recent blog post. The security\r\nprovider compared LokiLocker to its namesake in Norse mythology, which often was an enemy to other gods and\r\nalso acted as a hijacker of sorts.\r\nLokiLocker was first seen in the wild in mid-August 2021. This LokiLocker is not a reconstituted version of the\r\nolder ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. Most of\r\nthe attacks thus far have occurred in Eastern Europe and Asia but there are other geographic instances as well. At\r\nthis point, BlackBerry has not been able to determine the hackers' country of origin.\r\nLokiLocker Ransomware Tactics\r\nThis is how LokiLocker works:\r\nThe bug enters the victim’s network, encrypts files, and demands a monetary ransom to restore access.\r\nThe malware is written in .NET and protected with NETGuard (modified ConfuserEX) using an additional\r\nvirtualization plugin called KoiVM that is publicly available on GitHub but not widely used in malware.\r\nEncrypts victim’s files on local drives and network shares with a standard combination of AES for file\r\nencryption and RSA for key protection.\r\nThe crew then asks the victim to email them to obtain instructions on how to pay the ransom.\r\nShould the victim refuse to pay, LokiLocker also has wiper functionality to delete non-system files to make the\r\nsystem unusable. 
“With a single stroke, everyone loses,” BlackBerry’s researchers said. At this point, there is no\r\nfree tool to decrypt files encrypted by LokiLocker.\r\nLokiLocker is spread by about 30 vetted affiliates, based on samples that BlackBerry has found in the wild. Each\r\naffiliate is identified by a chosen username and is assigned a unique chat-ID number, BlackBerry said. It’s\r\npossible that LokiLocker is distributed via brute-checker hacking tools, which are used to automate validation of stolen\r\naccounts and gain access to other accounts with credential stuffing. This may be part of a beta testing stage, which\r\nwould explain the current ties with so few affiliates, the analysts said.\r\nOf particular interest, some of the cracking tools used to distribute the first samples of LokiLocker seem to be\r\ndeveloped by an Iranian cracking team called AccountCrack. Still, it's not clear if the bug actually originates from\r\nhttps://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/\r\nPage 1 of 3\n\nIran or the authors are trying to feint tracking.\r\n“LokiLocker ransomware is adept at causing mayhem on the user’s endpoints, and, like its namesake Norse god,\r\ncan prove to be vengeful and destructive if not appeased with a (financial) offering,” BlackBerry wrote.\r\n“LokiLocker’s use of KoiVM as a virtualizing protector for .NET applications is an unusual method of\r\ncomplicating analysis. We haven’t seen a lot of other threat actors using it yet, so this may be the start of a new\r\ntrend.”\r\nBlackBerry is cautioning victims not to pay a ransom should an infection strike them. “Quite apart from the fact\r\nthat every victim who pays the ransom perpetuates the global growth of ransomware, remember that you’re\r\ndealing with criminals here, and there is no guarantee that you’ll regain access to your data, even if you pay up,”\r\nBlackBerry wrote. 
“Even if your data is restored, there is no way to know whether the threat actor planted a\r\nbackdoor somewhere on your machine, for easy future access. After all, people who pay one ransom can often be\r\npersuaded to pay another.”\r\nHow to Protect Against Ransomware Attacks\r\nThe FBI’s general guidance vs. ransomware attacks includes these 10 recommendations:\r\n1. Back-up critical data offline.\r\n2. Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This\r\ninformation should not be accessible from the compromised network.\r\n3. Secure back-ups and ensure data is not accessible for modification or deletion from the system where the\r\ndata resides.\r\n4. Use multi-factor authentication with strong passwords, including for remote access services.\r\n5. Keep computers, devices and applications patched and up-to-date.\r\n6. Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and\r\nchange passwords and settings.\r\n7. Consider adding an email banner to emails received from outside your organization.\r\n8. Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\r\n9. Audit user accounts with administrative privileges and configure access controls with least privilege in\r\nmind.\r\n10. Implement network segmentation.\r\nHow MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks\r\nIf a ransomware incident occurs, then the CISA, FBI and NSA recommend the following four actions:\r\n1. Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and\r\nAnalysis Center (MS-ISAC) Joint Ransomware Guide.\r\n2. Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of\r\nmalware.\r\n3. 
Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S.\r\nSecret Service Field Office.\r\n4. Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering\r\nand Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia,\r\nCanada, New Zealand, and the United Kingdom.\r\nSource: https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/"
	],
	"report_names": [
		"lokilocker-ransomware-may-use-false-flag-to-avoid-identification"
	],
	"threat_actors": [],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47177c78ced001dd22666fc98e8ce4497d3efb7b.pdf",
		"text": "https://archive.orkl.eu/47177c78ced001dd22666fc98e8ce4497d3efb7b.txt",
		"img": "https://archive.orkl.eu/47177c78ced001dd22666fc98e8ce4497d3efb7b.jpg"
	}
}