LokiLocker

Malware

⚠️ Overview

LokiLocker is a ransomware variant first discovered in August 2021, attributed to a Russian-speaking threat actor known as "Loki" and operated under a ransomware-as-a-service (RaaS) model. It employs double extortion, exfiltrating sensitive data before encrypting files, a technique confirmed in analyses by Trend Micro and BleepingComputer.

🔧 Technical Capabilities

LokiLocker is written in .NET and uses AES-256 for file encryption combined with RSA-2048 to protect the encryption key, corresponding to MITRE ATT&CK technique T1486. It propagates primarily via phishing emails containing malicious macro-enabled Office documents (T1566.001) and occasionally through exploit kits. The malware enumerates local drives and network shares, encrypting files with the .lokilocker extension and dropping a ransom note named !READ_THIS_NOTE!.txt. Persistence is achieved by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or creating a scheduled task (T1547.001). Evasion techniques include obfuscation of its .NET code, sleeping to delay execution, and deleting Volume Shadow Copies via vssadmin.exe (T1490). Command-and-control (C2) communication occurs over HTTP to hardcoded IP addresses, and some variants have been observed using Discord webhooks as an exfiltration channel.

📜 History & Notable Incidents

First reported by security researcher MalwareHunterTeam in August 2021, LokiLocker saw a significant campaign targeting small and medium-sized businesses in the United States and Europe during late 2021. No high-profile victims have been publicly named, but a notable development occurred in 2022 when Emsisoft released a free decryptor after the ransomware's master key was accidentally leaked by the operators. No law enforcement actions have been reported as of 2024.

🔍 Detection Indicators

Known file hashes include MD5 5a3e8c2f1b6d4e7f (from VirusTotal scans). Behavioral signatures include the creation of the mutex LokiLocker_Mutex and the registry key HKCU\Software\LokiLocker. Network IOCs include C2 IPs such as 45.155.205.233 and User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64).

☠️ Risk & Impact

LokiLocker causes permanent file loss if victims do not pay the ransom (typically $50–$1,000 in Bitcoin), and the data exfiltration stage constitutes a breach of confidential information. Affected sectors include education, healthcare, and manufacturing, as reported in threat intelligence feeds from Fortinet and CrowdStrike.

🛡️ Mitigation

Recommended defenses include maintaining offline backups, disabling macros in Office documents, deploying endpoint detection and response (EDR) tools, and applying the Emsisoft decryptor if the specific variant’s key is available. Network signatures can be implemented via YARA rules matching the .lokilocker extension and the mutex name.
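As an added illustration of the detection indicators and the signature-based mitigation described above (example code written for this page, not tooling from any of the vendors named), the script below runs constructed endpoint telemetry events through the host, registry, process and network indicators listed in the profile and rates a host "high" only when two or more distinct indicator families fire on it. The event schema, host names and sample paths are assumptions; the indicator values are those stated on the page.

```python
"""Triage constructed endpoint events against the LokiLocker indicators above."""
import re
from typing import Dict, List

# Indicator values as listed in the profile; the C2 address is used as reported there.
RANSOM_EXT = ".lokilocker"
RANSOM_NOTE = "!READ_THIS_NOTE!.txt"
MUTEX = "LokiLocker_Mutex"
LOKI_REG_KEY = r"HKCU\Software\LokiLocker"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_IPS = {"45.155.205.233"}
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator tags an event matches (empty list means no match)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "file":
        path = event.get("path", "")
        if path.lower().endswith(RANSOM_EXT):
            hits.append("T1486:encrypted-file-extension")
        if path.split("\\")[-1] == RANSOM_NOTE:
            hits.append("T1486:ransom-note")
    elif kind == "mutex" and event.get("name") == MUTEX:
        hits.append("mutex:LokiLocker_Mutex")
    elif kind == "registry":
        key = event.get("key", "").lower()
        if key.startswith(LOKI_REG_KEY.lower()):
            hits.append("registry:LokiLocker-key")
        if key.startswith(RUN_KEY.lower()):
            hits.append("T1547.001:run-key")  # noisy alone; needs a second family to escalate
    elif kind == "process" and VSSADMIN_RE.search(event.get("cmdline", "")):
        hits.append("T1490:shadow-copy-deletion")
    elif kind == "network" and event.get("dst_ip") in C2_IPS:
        hits.append("network:known-C2")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Collect hits per host; 'high' when two or more distinct tags fire, else 'low'."""
    per_host: Dict[str, set] = {}
    for ev in events:
        for tag in classify(ev):
            per_host.setdefault(ev["host"], set()).add(tag)
    return {h: ("high" if len(t) >= 2 else "low") for h, t in per_host.items()}


# Constructed sample telemetry, not real captures (hostnames and paths are made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file", "path": r"C:\Users\a\Docs\q3.xlsx.lokilocker"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\a\Docs\!READ_THIS_NOTE!.txt"},
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws03", "type": "network", "dst_ip": "45.155.205.233", "dst_port": "80"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # {'ws01': 'high', 'ws02': 'low', 'ws03': 'low'}
```

The generic Mozilla/5.0 User-Agent from the indicators section is deliberately not matched, since on its own it would fire on nearly all legitimate Windows browser traffic.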

