The BlackBerry Threat Intelligence team has discovered a new type of ransomware. Known as LokiLocker, the ransomware encrypts the data on affected PCs and then demands payment. This is par for the course for ransomware, but LokiLocker adds another wrinkle to its attack method. If a PC owner refuses to pay the ransom, all data on the computer will be deleted.
This tricky tactic is likely what inspired the Loki-based name for the new ransomware family. LokiLocker was first discovered in mid-August 2021. The threat of data deletion isn’t new to ransomware, but it’s also not the most common form of attack. Malicious actors often threaten to release a system owner’s private information unless a fee is paid.
LokiLocker’s place of origin is unknown, but BlackBerry Threat Intelligence noted that the ransomware’s embedded debugging strings are in English, which is a bit unusual.
“Although we’ve been unable to reliably assess exactly where the LokiLocker RaaS originates, it is worth mentioning that all the embedded debugging strings are in English, and – unlike the majority of malware originating from Russia and China – the language is largely free of mistakes and misspellings,” explained BlackBerry.
It’s also suspected that some of the cracking tools used in LokiLocker were made by the Iranian cracking team called AccountCrack. At least three of the known LokiLocker affiliates have usernames used in Iranian hacking channels, according to BlackBerry Threat Intelligence. These facts do not confirm that LokiLocker originates in Iran, however.