{
	"id": "79aead57-579d-47fa-8cc3-7c3746a7e4f5",
	"created_at": "2026-04-06T00:11:24.604748Z",
	"updated_at": "2026-04-10T13:11:50.943048Z",
	"deleted_at": null,
	"sha1_hash": "63dd110f743272f2d484420a6fc642f524ddde54",
	"title": "LokiLocker ransomware family spotted with built-in wiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41437,
	"plain_text": "LokiLocker ransomware family spotted with built-in wiper\r\nBy Jeff Burt\r\nPublished: 2022-03-16 · Archived: 2026-04-05 17:46:31 UTC\r\nBlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is\r\ncapable of erasing all non-system files from infected Windows PCs.\r\nLokiLocker, a ransomware-as-a-service (RaaS) family with possible origins in Iran, was first seen in the wild in\r\nmid-August 2021, BlackBerry Threat Intelligence researchers write in a blog post today.\r\n\"It shouldn't be confused with an older ransomware family called Locky, which was notorious in 2016,\r\nor LokiBot, which is an infostealer,\" they say. \"It shares some similarities with the LockBit ransomware (registry\r\nvalues, ransom note filename), but it doesn't seem to be its direct descendant.\"\r\nThey describe LokiLocker – named after Loki, the trickster god in Norse lore – as a \"limited-access ransomware-as-a-service scheme that appears to be sold to a relatively small number of carefully vetted affiliates behind closed\r\ndoors.\" Affiliates are identified by a chosen username and assigned a unique chat-ID number. The researchers\r\nestimate there are about 30 different such affiliates across the LokiLocker samples that they have found in the\r\nwild.\r\nLike other cyber threats, such as distributed denial-of-service (DDoS), ransomware has evolved in recent years to\r\ninclude bad actors offering to lease their malware as a service to other criminals, enabling those less skilled to fire\r\noff relatively sophisticated campaigns via someone else's malicious code and backend infrastructure.\r\nMcAfee last year issued a threat report that showed a significant drop in the incidence of ransomware in the first\r\nquarter of 2021. 
However, the decline had less to do with cybercriminals embracing other attack methods and\r\nmore with many of them using RaaS campaigns that target fewer but larger organizations that bring in more\r\nmoney than mass multi-target ransomware attacks.\r\nBlackBerry researchers say there are victims around the world, which isn't surprising given that different affiliates\r\nmay have different targeting patterns. Most so far are in Eastern Europe and Asia.\r\nThe researchers are still trying to determine the origins of the RaaS family but wrote that all the embedded\r\ndebugging strings are in English and mostly free of the kinds of mistakes and misspellings typically seen in\r\nmalware coming from Russia or China. Some of the earliest known LokiLocker affiliates have usernames that are\r\nfound exclusively on Iranian hacking channels.\r\n\"Also, perhaps more interestingly, some of the cracking tools used to distribute the very first samples of\r\nLokiLocker seem to be developed by an Iranian cracking team called AccountCrack,\" says BlackBerry.\r\n\"Moreover, at least three of the known LokiLocker affiliates use unique usernames that can be found on Iranian\r\nhacking channels. It's not entirely clear whether this means they truly originate from Iran or that the real threat\r\nactors are trying to cast the blame on Iranian attackers.\"\r\nhttps://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/\r\nPage 1 of 3\n\nIn addition, the malware appears to contain a list of countries to exclude from encryption, and in the samples the\r\nBlackBerry researchers have seen, the only country on the list is Iran.\r\n\"It seems that this functionality is not yet implemented, as there are no references to this array in the code,\" the\r\nresearchers write. 
\"However, like the references to Iranian attackers and hacking tools, it could just as well be a\r\nfalse flag meant to misdirect our attention\" and put blame on Iran.\r\nThe malware is written in .NET and protected with NETGuard – a commercial product that the researchers call a\r\n\"modified ConfuserEX,\" an open-source tool for protecting .NET applications – while also using KoiVM, a\r\nvirtualization plugin. KoiVM used to be a licensed commercial protection for .NET applications, but after its code was\r\nopen-sourced in 2018, it became publicly available on GitHub.\r\nThe use of KoiVM as a protector is an unusual method for complicating analysis of the malware that hasn't been\r\nseen with many other threat actors and may mark the start of a new trend, according to BlackBerry.\r\nThe ransomware uses a combination of AES for file encryption and RSA for key protection to encrypt documents\r\non victims' local hard drives and network shares. 
It then tells the victims to email the attackers to receive\r\ninstructions for paying the ransom.\r\nAn early sample of the ransomware was distributed inside trojanized brute-checker hacking tools, including\r\nPayPal BruteCheck, Spotify BruteChecker, PiaVNP Brute Checker by ACTEAM, and FPSN Checker by Angeal.\r\nSuch tools are used to automate validation of stolen accounts and get access to other accounts through credential\r\nstuffing, in which hackers use usernames and passwords stolen from one website to log into other websites,\r\nsometimes using a botnet to accelerate the process.\r\n\"It's possible that the LokiLocker version distributed with these hacking tools constituted some kind of beta testing\r\nphase before the malware was offered to a wider range of affiliates,\" the researchers say.\r\nLike other ransomware, LokiLocker sets a time limit for paying the ransom and will make the system unusable if\r\nthe payment isn't made. However, if configured to do so, the malware also includes a wiper function that will\r\nerase the data if the payment deadline passes.\r\n\"It will delete files on all of the victim's drives, except for the system files, and it will also try to overwrite the\r\nMaster Boot Record (MBR) of the system drive to render the system unusable,\" the researchers write, adding that\r\nthe victims are greeted with this message: \"You did not pay us. So we deleted all your files :)\"\r\nPresumably this is so that there's no chance at all to recover the scrambled documents, other than from backups. 
In\r\naddition, after overwriting the MBR, the ransomware will try to crash the system by forcing a Blue Screen of\r\nDeath.\r\nThe wiper function is part of an escalation by ransomware gangs in recent years to encourage victims to pay the\r\nransom by including additional threats beyond just refusing to decrypt the files, such as erasing data or leaking\r\nstolen files on the dark web.\r\nThere are no free tools to decrypt files captured by LokiLocker, and BlackBerry – like the FBI and other security\r\nauthorities – urges victims not to pay the ransom, arguing that it adds fuel to the global growth in ransomware and\r\nthere is no guarantee they will get their data returned. Also, even if it is returned, the hackers could have put a\r\nbackdoor into the system, making the organization more vulnerable to future attacks.\r\n\"After all, people who pay one ransom can often be persuaded to pay another,\" the team at BlackBerry concludes.\r\n®\r\nSource: https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/"
	],
	"report_names": [
		"blackberry_lokilocker_ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63dd110f743272f2d484420a6fc642f524ddde54.pdf",
		"text": "https://archive.orkl.eu/63dd110f743272f2d484420a6fc642f524ddde54.txt",
		"img": "https://archive.orkl.eu/63dd110f743272f2d484420a6fc642f524ddde54.jpg"
	}
}