One Article Review
| Source |  Fortinet ThreatSignal |
|---|---|
| Identifiant | 4300179 |
| Date de publication | 2022-03-17 18:07:18 (vue: 2022-03-18 02:05:25) |
| Titre | LokiLocker Ransomware with Built-in Wiper Functionality |
| Texte | FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.Why is this Significant?This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.What is LokiLocker Ransomware?LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a ".Loki" file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.LokiLocker has a built-in configuration file, which contains information such as the attacker's email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.How is LokiLocker Ransomware Distributed?While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet's telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage:W32/DelShad.GRG!tr.ransomW32/DelShad.GSE!tr.ransomW32/DelShad.GUJ!tr.ransomW32/Filecoder.AKJ!trW32/Generic.AC.171!trW32/PossibleThreatW32/Ramnit.AMSIL/Filecoder.AKJ!trMSIL/Filecoder.AKJ!tr.ransomMSIL/Filecoder_LokiLocker.D!trMSIL/Filecoder.4AF0!tr.ransomMSIL/Filecoder.64CF!tr.ransomPossibleThreatAll known network IOC's are blocked by the FortiGuard WebFiltering client. |
| Envoyé | Oui |
| Condensat | 171 2021 4af0 64cf accessed according actions active address adds affiliate akj all also amsil/filecoder applications are asia attacker august aware because been before blocked boot brute built campaign can canada capable carry checker chile client command compromised configuration contains control controls coverage coverage:w32/delshad current days default delete deleting demands distributed does domain drive early eastern email encrypted encrypting encrypts equipped erasing europe execution extension false file files followed following fortiguard fortinet frame from functionality grg gse guj hacking has how however include india indicates infection information ioc known koivm labs leave leaves leaving loki lokilocker machine machines malware master mbr modified most name net netguard network non not note open option options opts out overwrite overwriting pay protected protecting protector provide public ransom ransommsil/filecoder ransompossiblethreatall ransomw32/delshad ransomw32/filecoder ransomware record recover report restore scanning server set shares should significant since source status successfully such system targets telemetry tells through time timeout tool tools trmsil/filecoder trojanized trw32/generic trw32/possiblethreatw32/ramnit turkey txt unknown unusable value variants vector victim victims virtualizing wait webfiltering well what which why will windows wiper wiping |
| Tags | Ransomware Malware Tool |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.