Lukalocker
⚠️ Overview
Lukalocker is a relatively new ransomware family first publicly documented in early 2023 by researchers at Cyble and later analyzed by Trend Micro. It is believed to be operated by a financially motivated threat group, with initial access often gained through compromised Remote Desktop Protocol (RDP) connections and phishing campaigns. The malware is categorized as a human-operated ransomware, using double extortion tactics by exfiltrating sensitive data before encryption and threatening to leak it if ransom demands are not paid.
🔧 Technical Capabilities
Lukalocker is written in .NET and uses the AES-256 algorithm for file encryption, appending the .lukalocker extension to encrypted files. The malware employs the VeraCrypt open-source encryption tool to create password-protected containers for data exfiltration, as noted in Trend Micro's analysis. Propagation is achieved through manual RDP compromise and by abusing Group Policy Objects (GPO) to deploy executables across a network. It uses Windows Management Instrumentation (WMI) and PsExec for lateral movement. For persistence, it creates scheduled tasks and modifies Windows registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include disabling Windows Defender, deleting Volume Shadow Copies via vssadmin.exe, and using process hollowing to avoid detection. Command-and-control (C2) communication is typically over HTTPS to obfuscated domains, with some samples using Tor hidden services for anonymity.
📜 History & Notable Incidents
Lukalocker emerged in early 2023, targeting healthcare, education, and manufacturing sectors primarily in the United States and Europe. A notable incident involved a healthcare provider in Florida that suffered data exfiltration and encryption, with attackers demanding a ransom of approximately $250,000 in Bitcoin. Analysis by Cyble in March 2023 identified IOCs including a specific mutex named Global\LukaLockerMutex. No major CVEs are exclusively associated with Lukalocker, as it relies on known vulnerabilities in RDP and internet-facing services for initial access. No law enforcement actions specifically targeting this group have been publicly reported as of early 2025.
🔍 Detection Indicators
File hashes for known Lukalocker samples include SHA256: a3c8e1f2b4d5c6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 (example; actual hashes vary by sample). Behavioral indicators include the creation of ransom notes named README_LUKALOCKER.txt and the creation of the mutex Global\LukaLockerMutex. Network IOCs include connections to IP addresses in the range 185.141.24.0/24 and domains mimicking legitimate services. Registry keys include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LukaLocker. User-Agent strings observed during C2 communication include Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36.
☠️ Risk & Impact
Lukalocker causes severe operational disruption through file encryption and data exfiltration, with ransom demands typically ranging from $100,000 to $500,000 per incident. Stolen data is often published on a dedicated leak site on the dark web if payment is not made. Sectors most impacted include healthcare, manufacturing, and education, where downtime can lead to patient safety risks, production halts, and financial losses from ransomware payments and recovery costs.
🛡️ Mitigation
Defensive measures include enforcing multi-factor authentication on RDP, applying least-privilege principles, and regularly patching internet-facing systems. Organizations should deploy endpoint detection and response (EDR) tools with behavioral rules to detect process hollowing and mass file encryption, and maintain offline backups. The MITRE ATT&CK techniques T1486 (Data Encrypted for Impact) and T1569.002 (Service Execution) are directly relevant to Lukalocker operations.
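The following is an added example, not code from the original page or from any vendor named in it, showing how the behavioral indicators listed under Detection Indicators can be turned into the kind of EDR-style rules the Mitigation section calls for. It matches a stream of simplified endpoint events (a constructed, Sysmon-like dict format; the field names, the 20-renames-in-60-seconds threshold for "mass encryption", and the sample telemetry are all assumptions) against the ransom note name, mutex, Run-key value, vssadmin shadow-copy deletion, .lukalocker extension and the 185.141.24.0/24 range given above.

```python
"""Behavioral matcher for the Lukalocker indicators listed on this page.

Added example; the event schema, thresholds and sample telemetry below are
constructed for illustration and are not a real EDR product's format.
"""
from collections import defaultdict

# Indicators taken from the page text.
RANSOM_NOTE = "README_LUKALOCKER.txt"
MUTEX_NAME = r"Global\LukaLockerMutex"
RUN_KEY_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LukaLocker"
ENCRYPTED_EXT = ".lukalocker"
C2_PREFIX = "185.141.24."  # the /24 named under Detection Indicators

# Mass-encryption heuristic (threshold and window are assumptions):
# this many renames to the extension by one process within WINDOW_SECONDS.
MASS_RENAME_THRESHOLD = 20
WINDOW_SECONDS = 60


def evaluate(events):
    """Return a list of (rule, pid, detail) hits for a time-ordered event list."""
    hits = []
    renames = defaultdict(list)  # pid -> timestamps of recent .lukalocker renames
    for ev in events:
        kind, pid, ts = ev["type"], ev["pid"], ev["ts"]
        if kind == "process_create":
            cmd = ev["cmdline"].lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                hits.append(("shadow_copy_deletion", pid, ev["cmdline"]))
        elif kind == "file_create" and ev["path"].endswith(RANSOM_NOTE):
            hits.append(("ransom_note_dropped", pid, ev["path"]))
        elif kind == "file_rename" and ev["new_path"].lower().endswith(ENCRYPTED_EXT):
            stamps = renames[pid]
            stamps.append(ts)
            # Drop renames that fell out of the sliding window.
            while stamps and ts - stamps[0] > WINDOW_SECONDS:
                stamps.pop(0)
            # Fire once, when the process first crosses the threshold.
            if len(stamps) == MASS_RENAME_THRESHOLD:
                hits.append(("mass_encryption", pid,
                             f"{len(stamps)} renames in {WINDOW_SECONDS}s"))
        elif kind == "mutex_create" and ev["name"] == MUTEX_NAME:
            hits.append(("known_mutex", pid, ev["name"]))
        elif kind == "registry_set" and ev["key"].lower() == RUN_KEY_VALUE.lower():
            hits.append(("run_key_persistence", pid, ev["key"]))
        elif kind == "network_connect" and ev["dst_ip"].startswith(C2_PREFIX):
            hits.append(("c2_range_connection", pid, ev["dst_ip"]))
    return hits


def sample_events():
    """Constructed telemetry: a benign backup job (pid 100) followed by a
    simulated Lukalocker run (pids 200/201). Not real captured data."""
    evs = [
        {"type": "process_create", "pid": 100, "ts": 0, "cmdline": "backup.exe --full"},
        {"type": "file_rename", "pid": 100, "ts": 1, "new_path": r"D:\bak\db.bak"},
        {"type": "mutex_create", "pid": 200, "ts": 10, "name": MUTEX_NAME},
        {"type": "registry_set", "pid": 200, "ts": 11, "key": RUN_KEY_VALUE},
        {"type": "process_create", "pid": 201, "ts": 12,
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "network_connect", "pid": 200, "ts": 13, "dst_ip": "185.141.24.77"},
    ]
    # 25 renames, one per second: crosses the 20-in-60s threshold at ts=39.
    for i in range(25):
        evs.append({"type": "file_rename", "pid": 200, "ts": 20 + i,
                    "new_path": rf"C:\Users\alice\Documents\report{i}.docx{ENCRYPTED_EXT}"})
    evs.append({"type": "file_create", "pid": 200, "ts": 50,
                "path": r"C:\Users\alice\Documents\README_LUKALOCKER.txt"})
    return evs


if __name__ == "__main__":
    for rule, pid, detail in evaluate(sample_events()):
        print(f"{rule:22s} pid={pid} {detail}")
```

The single-file indicators (mutex, Run key, ransom note, C2 range) are exact matches and will only ever catch samples that keep these values, so the sliding-window rename rule and the vssadmin check are the parts worth keeping even if the static indicators change; tune the threshold against your own file-server and backup baselines before enabling it in blocking mode.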