LokiLocker, a relatively new form of ransomware, uses the standard extortion-through-encryption racket but also incorporates disk-wiper functionality.
Double extortion became a hit last year, when ransomware gangs started stealing files before encrypting them to threaten victims with a sensitive data leak if they didn’t pay up.
BlackBerry Threat Intelligence is now warning that LokiLock, first seen in August 2021, now features an “optional wiper functionality” to put pressure on victims in a slightly different way.
Instead of attackers using the threat of leaking a victim’s files to pressure them into paying, LokiLock’s customers threaten to overwrite a victim’s Windows Master Boot Record (MBR), which wipes all files and renders the machine unusable. But that tactic effectively ends all negotiations about payment, of course.
Disk-wiper functionality has come into focus recently because of destructive malware attacks on Ukrainian organizations. The US government fears destructive malware could target organizations in the West in retribution for sanctions against Russia.
Historically, disk-wiper malware has often been favoured by state-sponsored hackers, as was the case in NotPetya, WhisperGate and HermeticWiper – all directly or loosely connected to Russian state-sponsored actors – where ransomware is a decoy for the true destructive intent.
March 17, 2022
By Liam Tung