A newly disclosed ransomware operation is posing a threat to enterprises already saddled with a daunting threat landscape.
According to a BlackBerry Threat Intelligence report, the emerging cybercrime group is running the tried-and-true ransomware-as-a-service (RaaS) model, in which the operators farm out the dirty work of breaking into networks and installing the malware to affiliates, who then hand the victims back for ransom collection. BlackBerry referred to the group as "LokiLocker," noting that the outfit appears to rely on tricks and disguises, much like the mythic Norse god Loki.
BlackBerry said LokiLocker was first detected in the wild in August 2021 and was initially distributed inside specialized brute-force hacking tools that attacked consumer accounts on services like Spotify and PayPal. The operation has since expanded to approximately 30 affiliates, who now target English-speaking Windows systems within enterprises. When victims are slow to pay the ransom demand, the attackers go a step further and delete the encrypted data.
What is interesting about this group, according to researchers at BlackBerry, is how it works to hide its tracks. At first glance, the researchers thought the LokiLocker crew was one of a number of threat groups operating out of Iran.
One aspect that jumped out to the researchers was the quality of the English in the debugging strings embedded in the LokiLocker code. Unlike Chinese and Russian outfits, which can be prone to grammar mistakes, the LokiLocker crew seemed to possess a solid grasp of the language.
This led the researchers to look for connections to groups in Iran, where developers tend to have a stronger command of English. From there, they found traces linking the operation to other Iranian ransomware operators.
"Although we've been unable to reliably assess exactly where the LokiLocker RaaS originates, it is worth mentioning that all the embedded debugging strings are in English, and -- unlike the majority of malware originating from Russia and China -- the language is largely free of mistakes and misspellings," BlackBerry researchers explained in a blog post.
"Also, perhaps more interestingly, some of the cracking tools used to distribute the very first samples of LokiLocker seem to be developed by an Iranian cracking team called AccountCrack."
While Iran would seem to be the obvious culprit for this wave of ransomware, it's possible that the dictatorship is not really at fault. The BlackBerry researchers note that the Iranian connections in the tooling do not prove that groups in that region are the ones pulling the strings.
"Some of the cracking tools used to distribute the very first samples of LokiLocker seem to be developed by an Iranian cracking team called AccountCrack. Moreover, at least three of the known LokiLocker affiliates use unique usernames that can be found on Iranian hacking channels," BlackBerry explained.
"It's not entirely clear whether this means they truly originate from Iran or that the real threat actors are trying to cast the blame on Iranian attackers."
Should best practices such as updating software and avoiding suspicious or unsolicited emails fail against LokiLocker attacks, BlackBerry is advising companies to contact law enforcement and immediately report any suspected ransomware attacks.