Co-authored by Marc RiveroLopez.
This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis.
The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher represents how a new actor in an early stage of development used the same techniques of distribution as other players in the ransomware landscape. The design of the ransomware note reminded us of the old times of Cerber ransomware, a very well impacted design to force the user to pay the rescue.
Thanks to initiatives like the ‘No More Ransom’ project, one of the partners involved has already provided a valid decryptor to restore files encrypted by LooCipher.
Based on the data we manage, we detected LooCipher infections in the following regions:
Based on the analysis we performed, this ransomware was delivered through a DOC file. The content and techniques used with this MalDoc are quite simple compared to other doc files used to spread malware, such as Emotet. No special social engineering techniques were applied; the authors only put a simple message on it – “Enable macros”.
The file is prepared to download LooCipher from a remote server upon opening the file. We can see the Sub AutoOpen function as a macro in the document:
LooCipher will start its encryption routine using a predefined set of characters, creating a block of 16 bytes and using the local system hour:
The ransomware will use the AES-ECB encryption algorithm in the process and the key is the same for all the files which facilitates the file recovery process. Other ransomware families use a different key for each file to avoid the possibility of a brute force attack discovering the key used during the infection.
In the encryption process, the ransomware will avoid 3 special folders in the system so as to not break their functionality.
Encrypting key files and folders was one of the mistakes we highlighted in our analysis of LockerGoga; that ransomware was completely breaking the functionality of the system. Some binaries found were encrypting all the system, including the LockerGoga binary file.
Regarding the extensions that LooCipher will search and encrypt in the system, the list is hardcoded inside the binary:
It is quite interesting see how LooCipher searches for extensions that are not present in Windows systems like “.dmg.” This suggests that the authors may just be going to code sites to find extension lists.
In the analysis we found a PDB reference:
It is interesting to note that the reference found contains Spanish words, as if the user was using folders named in Spanish, however, the system is configured in English. We currently have no idea why this is so, but it is curious.
BTC payment is the method chosen by LooCipher authors to get money from the victims. So, at the end of the file’s encryption, the ransomware will show a rescue note to the user:
LooCipher decryptor will pop up in the system as well with a specific countdown:
In the ransom note LooCipher says the BTC address is specifically generated for the user but that is not true; all the BTC addresses we have seen are hardcoded in the binary:
This is another special characteristic for this ransomware. Normally, this workflow is providing an email address to contact the authors so they can provide the instructions to the victim, or at least a BTC address to make payment (if there is not a unique BTC address provided to every victim), something that is the main difference between RaaS and one-shot campaigns.
If we apply static analysis in the binaries we have, the same bundle of BTC addresses is included across most that we spot in the wild:
None of the BTC addresses found regarding LooCipher showed any transactions so we believe the authors did not monetize the campaign with the binaries we analyzed.
LooCipher and Network Traffic:
In the encryption process, LooCipher will contact the C2 server and send information about the victim:
The data sent to the server is:
Here, a copy of the network traffic could help the user to know the encryption key used.
Decryptor Fallback Mechanism Implemented by LooCipher
The LooCipher authors provide a fallback mechanism to help victims access the instructions and the decryptor again, in case they close the LooCipher window when it appears in the system after encrypting the files:
The mechanism sees the LooCipher binary uploaded to the Mega platform. In case the user wants to get the BTC address or decrypt the files after making the payment, they can download this binary and use it. If the files were previously encrypted by LooCipher they would not be encrypted again according to the ransomware’s authors.
I’m Infected by LooCipher. How Can I Get my Files Back?
McAfee is one of the founders and contributors of the ‘No More Ransom’ project. One of our fellow stakeholders created a decryptor for all the files encrypted by LooCipher:
So, if you are infected with LooCipher, it is possible get your files back.
LooCipher authors are not a sophisticated actor compared to other families like Ryuk, LockerGoga or REVil. They tried to spread their ransomware combining the infection with an Office file with a simple macro.
It will be impossible for the authors to come back to the scene if they do not change how the ransomware works.
The McAfee ATR Team advises against paying the ransomware demands and, instead, recommends:
- Saving a copy of your encrypted files – sometimes in the future a decryptor may be released
- Having a solid backup workflow in the company
- Implementing best practices in terms of Cybersecurity
We uploaded a YARA rule to detect almost all the samples observed in the wild.
MITRE ATT&CK Coverage:
- Defense Evasion
- Network Service Scanning
- System Information Discovery
- Data Compressed
- RDN/Generic Downloader.x
About the Author
Categories: McAfee Labs