The digital universe beware, as a new ransomware threat is active and in full swing. The scheme also uses the pattern of device compromise followed by extortion via encryption. But instead of having their data leaked, anyone who doesn’t pay the ransom will lose their files forever.
Entitled of LokiLockthe threat was first reported in August 2021. But according to cybersecurity firm BlackBerry Threat Intelligence, the malware now features an “optional cleanup feature” to put pressure on victims in a different way.
How the new ransomware works
In a “traditional” ransomware scam, the victim has their device compromised by malware that encrypts the device’s files. Cybercriminals then charge a ransom — usually in cryptocurrencies — to return the data. If the victim does not pay, the information is leaked.
In this new method with LokiLock, the beginning of the process is similar: infected device, encrypted files and ransom demand. But instead of using the data leak as blackmail, non-payment will culminate in the deletion of all files from the machine.
According to Blackberry, the self-destructive malware deletes all of the victim’s files if there is no payment. It then tries to replace the Windows Master Boot Record and after the device restarts it displays the message: “You didn’t pay us. We deleted all your files 🙂 Loki locker ransomware_”.
The new approach is curious. A survey by ThycoticCentrify revealed that 83% of American respondents who were victims of ransomware in 2020 paid the ransom. But in this recent modality, deleting files ends any kind of negotiation — which doesn’t seem very advantageous.
“With a single blow, everyone loses,” notes BlackBerry.
The move is now focused on finding out more details about this new ransomware threat. There is still no information on how many victims have already been impacted by the malware. It is known to target Windows computers and that Ukrainian organizations have been affected.
While there was an initial suspicion that LockiLock was of Russian origin, there are indications that it was developed by Iranian hackers and designed to target English-speaking victims.
In any case, it is good for organizations to hurry to find ways to mitigate the malware, as it may “only” be in a beta version.