Ransomware with mysterious preferences – it deliberately skips computers whose interface language is Persian.
Experts from the Digital Forensics Lab of FACCT warn of growing LokiLocker and BlackBit ransomware activity in Russia. A third of all victims of these ransomware families worldwide are in the Russian Federation – 21 companies. The attackers demand a ransom of up to $100,000 (up to 8 million rubles) for data decryption. Notably, they neither steal information nor encrypt files on computers where Persian is selected as the main interface language.
Experts recorded the first attacks using LokiLocker in the spring of 2022 in the Middle East, although the ransomware itself appeared in the summer of 2021. Later, attacks using LokiLocker, which is distributed through a RaaS (Ransomware-as-a-Service, “extortion as a service”) affiliate program, were discovered around the world.
In Russia, alongside LokiLocker, attackers used a new “related” encryptor under the BlackBit brand to attack small and medium-sized businesses. In terms of functionality it is almost identical to LokiLocker; the main difference is only in the naming: encrypted files receive the .blackbit extension.
Although the affiliates operating LokiLocker and BlackBit do not steal data from their victims and do not publish it on a Data Leak Site (DLS) for further blackmail, FACCT forensic analysts were able to establish exactly whom the ransomware is attacking. The experts used data obtained from incident response and from analysis of third-party sources, including the VirusTotal portal.
Since April 2022, LokiLocker and BlackBit have attacked at least 62 companies worldwide, with 21 victims in Russia, according to the Digital Forensics Lab. Basically, these are small and medium-sized businesses from the construction, tourism, and retail sectors.
The initial ransom amount ranges from $10,000 to $100,000, and it depends on the financial capacity of the company and the number of decryption keys purchased by the victim – each encrypted host requires its own unique key.
One of the features of the ransomware is a check of the input language – if the malware finds Persian (Farsi) installed on the computer, it terminates. However, the question of the attackers' origin remains open.
Some researchers believe that the LokiLocker and BlackBit attacks are carried out “under a false flag” in order to make it difficult for researchers to work. At the same time, FACCT experts do not exclude the possibility that the composition of the group may be international, despite the fact that the affiliate program and the first versions of these ransomware were created by native Persian speakers.
FACCT has determined that the average duration of LokiLocker and BlackBit attacks ranges from one day to several days. The attackers launch the attack through compromised remote access services, primarily publicly accessible RDP (Remote Desktop Protocol) terminal servers. To gain access to the RDP server, attackers may brute-force logins and passwords or purchase them from intermediaries on darknet resources.
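Because the initial access described above is password guessing against an exposed RDP server, the detection a defender most wants is "many failed RDP logons from one source, followed by a success from the same source". The script below is an added example, not code from FACCT or from the article. It assumes Windows Security events have already been exported into a simple comma-separated form (timestamp, event ID, logon type, user, source IP); the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the sample records and the thresholds are constructed for illustration.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example (not FACCT's or the article's code). Input is assumed to be
Windows Security events exported as: timestamp,event_id,logon_type,user,src_ip
Event IDs 4625/4624 and LogonType 10 are real Windows values; the records
below and the thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one source guesses six
# accounts in a few seconds and then logs in; another user simply mistypes once.
SAMPLE_EVENTS = """\
2023-06-03T02:00:01,4625,10,administrator,203.0.113.10
2023-06-03T02:00:03,4625,10,admin,203.0.113.10
2023-06-03T02:00:05,4625,10,backup,203.0.113.10
2023-06-03T02:00:07,4625,10,user1,203.0.113.10
2023-06-03T02:00:09,4625,10,sysadmin,203.0.113.10
2023-06-03T02:00:12,4625,10,Administrator,203.0.113.10
2023-06-03T02:01:30,4624,10,Administrator,203.0.113.10
2023-06-03T08:15:00,4625,10,j.smith,198.51.100.7
2023-06-03T08:15:40,4624,10,j.smith,198.51.100.7
2023-06-03T09:00:00,4624,3,svc_backup,10.0.0.5
"""

FAILURE_THRESHOLD = 5          # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window => guessing suspected


def parse_events(text):
    """Turn the CSV-like export into a list of dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src_ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src_ip": src_ip,
        })
    return events


def detect_rdp_guessing(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts keyed by source IP.

    Each alert records when the guessing burst started ('first_seen') and,
    if a 4624 RDP logon from that IP follows, which account succeeded
    ('success_after_guessing'); otherwise that field stays None.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            recent = failures[ip]
            recent.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.setdefault(ip, {
                    "first_seen": recent[0].isoformat(),
                    "success_after_guessing": None,
                })
        elif ev["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after_guessing"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

Only 203.0.113.10 is reported: five failures within five minutes trigger the alert, and the later 4624 from the same source marks the account that was eventually opened. The single failure from 198.51.100.7 and the non-RDP logon from 10.0.0.5 produce nothing, which is the point of keying on logon type 10 and a burst rather than on any failed logon.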
Having gained initial access, the attackers seek to gain a foothold in the network and obtain privileged credentials, for which they use the well-known and legitimate Mimikatz utility. During reconnaissance, the attackers may examine files and documents on hosts to assess the victim's financial capacity, but they do not steal this data.
The LokiLocker and BlackBit ransomware is deployed manually by the attackers, usually on weekends or holidays. Beforehand, the attackers try to disable anti-virus software using legitimate utilities. To communicate with victims, the hackers use email and the Telegram messenger. If the ransom is not received and the decryptor is not used within 30 days, the ransomware destroys all data on the compromised system.
Amid geopolitical tensions, Russian businesses are increasingly being targeted by cyberattacks, in which ransomware, previously rare in Russia, is playing an increasingly prominent role. Although the LokiLocker and BlackBit attackers do not use sophisticated or innovative methods, their success stems from the careless attitude of businesses to the security of external remote access services, especially publicly accessible terminal servers, which greatly expands the attack surface and makes the attackers' job easier.