AttackIQ has released a new attack graph that emulates the behaviors of LokiLocker ransomware, a .NET based strain active since at least mid-August 2021. The malware combines defense evasion and impact techniques, including disabling Task Manager and Windows Firewall, as well as deleting Volume Shadow Copies to hinder detection and prevent restoration. The post Emulating the Systematic LokiLocker Ransomware appeared first on AttackIQ.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

LokiLocker is a .NET-based Ransomware-as-a-Service active since mid-2021 targeting Windows systems. It encrypts files using AES-256 in GCM mode and protects keys with RSA-2048, while also deleting Volume Shadow Copies, disabling Task Manager and Windows Firewall, and optionally wiping the MBR. AttackIQ has released an attack graph emulating LokiLocker's TTPs across three stages: initial access and persistence (scheduled tasks, registry run keys, startup folder), defense evasion and backup removal (disabling security controls, deleting shadow copies), and discovery and encryption (system profiling via native APIs and WMI, filesystem enumeration, file encryption). Security teams can use this emulation in the AttackIQ AEV platform to validate detection and prevention controls against this threat.

Emulating the Systematic LokiLocker Ransomware

[Malware Emulation] LokiLocker ransomware – 2022-03 – Associated Tactics, Techniques and Procedures (TTPs)