Analysis of LooCipher, a New Ransomware Family Observed This Year

Initial Discovery

This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis.

The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher represents how a new actor in an early stage of development used the same techniques of distribution as other players in the ransomware landscape. The design of the ransomware note reminded us of the old times of Cerber ransomware, a very well impacted design to force the user to pay the rescue.

Thanks to initiatives like the ‘No More Ransom’ project, one of the partners involved has already provided a valid decryptor to restore files encrypted by LooCipher.

McAfee Telemetry

Based on the data we manage, we detected LooCipher infections in the following regions:

Campaign Analysis:

Based on the analysis we performed, this ransomware was delivered through a DOC file. The content and techniques used with this MalDoc are quite simple compared to other doc files used to spread malware, such as Emotet. No special social engineering techniques were applied; the authors only put a simple message on it – “Enable macros”.

The file is prepared to download LooCipher from a remote server upon opening the file. We can see the Sub AutoOpen function as a macro in the document:

LooCipher will start its encryption routine using a predefined set of characters, creating a block of 16 bytes and using the local system hour:

The ransomware will use the AES-ECB encryption algorithm in the process and the key is the same for all the files which facilitates the file recovery process. Other ransomware families use a different key for each file to avoid the possibility of a brute force attack discovering the key used during the infection.

In the encryption process, the ransomware will avoid 3 special folders in the system so as to not break their functionality.

Encrypting key files and folders was one of the mistakes we highlighted in our analysis of LockerGoga; that ransomware was completely breaking the functionality of the system. Some binaries found were encrypting all the system, including the LockerGoga binary file.

Regarding the extensions that LooCipher will search and encrypt in the system, the list is hardcoded inside the binary:

It is quite interesting see how LooCipher searches for extensions that are not present in Windows systems like “.dmg.” This suggests that the authors may just be going to code sites to find extension lists.

In the analysis we found a PDB reference:

\\Users\\Usuario\\Documents\\Proyectos\\sher.lock\\Debug\\LooCipher.pdb

It is interesting to note that the reference found contains Spanish words, as if the user was using folders named in Spanish, however, the system is configured in English. We currently have no idea why this is so, but it is curious.

BTC payment is the method chosen by LooCipher authors to get money from the victims. So, at the end of the file’s encryption, the ransomware will show a rescue note to the user:

LooCipher decryptor will pop up in the system as well with a specific countdown:

In the ransom note LooCipher says the BTC address is specifically generated for the user but that is not true; all the BTC addresses we have seen are hardcoded in the binary:

This is another special characteristic for this ransomware. Normally, this workflow is providing an email address to contact the authors so they can provide the instructions to the victim, or at least a BTC address to make payment (if there is not a unique BTC address provided to every victim), something that is the main difference between RaaS and one-shot campaigns.

If we apply static analysis in the binaries we have, the same bundle of BTC addresses is included across most that we spot in the wild:

None of the BTC addresses found regarding LooCipher showed any transactions so we believe the authors did not monetize the campaign with the binaries we analyzed.

LooCipher and Network Traffic:

In the encryption process, LooCipher will contact the C2 server and send information about the victim:

The data sent to the server is:

Here, a copy of the network traffic could help the user to know the encryption key used.

Decryptor Fallback Mechanism Implemented by LooCipher

The LooCipher authors provide a fallback mechanism to help victims access the instructions and the decryptor again, in case they close the LooCipher window when it appears in the system after encrypting the files:

The mechanism sees the LooCipher binary uploaded to the Mega platform. In case the user wants to get the BTC address or decrypt the files after making the payment, they can download this binary and use it. If the files were previously encrypted by LooCipher they would not be encrypted again according to the ransomware’s authors.

I’m Infected by LooCipher. How Can I Get my Files Back?

McAfee is one of the founders and contributors of the ‘No More Ransom’ project. One of our fellow stakeholders created a decryptor for all the files encrypted by LooCipher:

So, if you are infected with LooCipher, it is possible get your files back.

Conclusions:

LooCipher authors are not a sophisticated actor compared to other families like Ryuk, LockerGoga or REVil. They tried to spread their ransomware combining the infection with an Office file with a simple macro.

It will be impossible for the authors to come back to the scene if they do not change how the ransomware works.

The McAfee ATR Team advises against paying the ransomware demands and, instead, recommends:

  • Saving a copy of your encrypted files – sometimes in the future a decryptor may be released
  • Having a solid backup workflow in the company
  • Implementing best practices in terms of Cybersecurity

YARA Rule

We uploaded a YARA rule to detect almost all the samples observed in the wild.

MITRE ATT&CK Coverage:

  • Hooking
  • Defense Evasion
  • Network Service Scanning
  • System Information Discovery
  • Data Compressed

McAfee Coverage:

  • Artemis!02ACC0BC1446
  • Artemis!12AA5517CB7C
  • Artemis!1B1335F20CD0
  • Artemis!362AB3B56F40
  • Artemis!64FCC1942288
  • Artemis!8F421FE340E7
  • Artemis!983EF1609696
  • Artemis!A11724DBE1D6
  • Artemis!A7ABF760411F
  • Artemis!B9246AA9B474
  • Artemis!F0D98A6809C1
  • McAfee-Ransom-O
  • Ransomware-GNY!3B9A8D299B2A
  • Ransomware-GNY!66571E3C8036
  • Ransomware-GNY!9CF3C9E4A9B5
  • Ransomware-GNY!A0609D7AD404
  • Ransomware-GNY!A77FDEFE40BE
  • Ransomware-GNY!A9B6521FF980
  • Ransomware-GNY!D3CE02AD4D75
  • Ransomware-GNY!DC645F572D1F
  • RDN/Generic Downloader.x
  • RDN/Generic.ole

IOCs

e1200cb52d52855abfbc0c2dddefdf737fe187a8

b4380cc94fa7319877c381f76c260fcc4e3a7078

3aa1a0fa9db50294873335144b42562af23d7b27

7e1dc07f454cc615e36830a29e82694934840af0

bd430b7387f38c7126cd6e69fa638b437101f7de

49b86dd0a20e9a1c6ed5fd310507f4c3fe3930e0

86e72cfefde89c074f7ea5593818bc70e836ea4a

dc92d7fe3638632819b5895a7be9d474cfc90bd7

b11898dec3bcb95e0e152e938896be59ebf19544

35a91e97fc73c15d686ad78e05eff37eee7d25d3

2c781a50102725d42e7c61e56f336fc070f8f8d1

5e06c80c56e080f93d16edb7c0bed4b8aea8de2b

3d84f4091946b95ef1e9adb78b8c109925a31d32

50c4d99bd876f843833114887da4585563dd852f

674da4f22fcbbc28d8bb4c7f15b07a7ad3e32785

da1237ded3073e4c2e9ac840def641a37a3d13e5

365943cf84c05a8ff2f9b12fc1b79e4676914df0

3396d8f3195175196ba642c1d82b431ed2d9461a

10ce0d2f2cd0351ef6cac4b690c46b45b27652a1

44fccc7fac106aa8ff9e4244a255de9f55023da2

102318b5c8cd5464bfdd43c7108020e21f009c78

19d4708a9cd411c283992adf26ddf14a0c27e924

1e99e83d78df1bf1eeeb1d0df24a4680333c0ef7

0920d949ace0e1259bd0e035f450f9475c9f3a05

082e8ee73b6b1a828a299941bd1d65a259dbb71f

82c4bb136c75ec4e3a01693f0d1a930b4bf596e0

ecbee10531ab298a56606216d5a43078f7537c25

7720aa6eb206e589493e440fec8690ceef9e70b5e6712a9fec9208c03cac7ff0

35456dc5fdaf2281aad4d8f0441dcd0c715164e9d2ca6412380c2215ed2eab9c

3e8660f0d2b5b4c1c7dfb0d92f1198b65f263d36cd9964505f3a69150a729f6f

2ca214c271920c7261fc0009971961fa6d2ee4bd23820899f4d6e0679739bf2e

2ef92ced4c009fc20645c5602f0b1f2ddca464365b73b62eb0b7217f422590d5

77766f7f78e13dce382aeb4f89c13b9de12a2fa85f0a7550f4239dfe385a6fb5

8834001d7420d8caaa20cd429130249db30c81f0c5da92a2cb2da4dee6669c87

242f9a9cb23c87b6a5913731bce3f4e565f0393d95f2f9a78d675ef481578a61

7db9491697847dd0a65b719b0d836aeb28dec22a9deed57aa601f23a5b32214a

1f5d310da6f3f3a89e22fc86acb71741db56cbe85fbacc43822bec344cbe4058

893c4f7e3d8e9dc6757becbf2f20e81ec09557fc8e6ea72353c7b8984068f145

242198732eecc9c2d07d1db612b6084ece3a8d1d1b337554a7bef4216cbebccf

e209d7003a5d3674ab90fd1d082266a4aaa1bee144b04371abba0c358e95fd03

2a4ce9877a743865d6c11c13aa45da3683af223c196086984f57f3eff07cd3ea

0d72eab82635df496d20a8fb3921e33ed3aac597496cf006322eed48deb2c068

a6d23f11692e23a6c2307b9f5dd660bca3423f2f0202aa398325345f906b07b5

079d555a4935a6748d92e8bd9856ae11ecf4fd5293ed41cf318a407f9aaa6b2d

387be2e56804ed02ed6d4611d82c6f4b88953761d3961a33017adfb274e6cbfa

3e1d8a5faaa35e7f72ecad5f91644efd5bf0d92fdb0341c48a236c843c697196

0c42641fcc805c049883b9617082a8ac6d538fd87cfa371e3fef6114aff71c2a

b31d3de8ffd2b2dce2b570c0172f87a6719f01d4424a7a375bbb249cd15c1157

23b949ed81925ea3c10fa6c74b0d066172409e6a38023bd24672cc4efb47dd64

6987933482f12f0e1301bb0509a46f5889802fe481be160da9a29985acbabbd9

77d5586bc259e944634cff99912779fabfb356f6f840ea5afd6514f52562879d

177e91b5ac698542b5488a95a60816347fcba118f0ad43473aa7d2d5c9223847

0ffeb5639da6e77dfb241f1648fa8f9bac305335f7176def2b17e1b08706d49a

ad7eebdf328c7fd273b278b0ec95cb93bb3428d52f5ff3b69522f1f0b7e3e9a1

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/d[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/d[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/d[.]php

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/k[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/k[.]php

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/d[.]php

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/k[.]php

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/k[.]php

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/k[.]php

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/d[.]php

hcwyo5rfapkytajg[.]darknet[.]to

hcwyo5rfapkytajg[.]onion[.]sh

hcwyo5rfapkytajg[.]onion[.]ws

hcwyo5rfapkytajg[.]tor2web[.]xyz

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/3agpke31mk[.]exe

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/2hq68vxr3f[.]exe

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/3agpke31mk[.]exe

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/2hq68vxr3f[.]exe

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/info_project_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/3agpke31mk[.]exe

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]onion[.]sh/2hq68vxr3f[.]exe

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/info_bsv_2019[.]docm

hxxp://hcwyo5rfapkytajg[.]onion[.]pet/3agpke31mk[.]exe

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/info_bsv_2019[.]docm

hxxps://hcwyo5rfapkytajg[.]tor2web[.]xyz/2hq68vxr3f[.]exe

hxxps://hcwyo5rfapkytajg[.]onion[.]ws/2hq68vxr3f[.]exe

hxxps://hcwyo5rfapkytajg[.]darknet[.]to/3agpke31mk[.]exe

 

About the Author

ATR Operational Intelligence Team

McAfee’s Advanced Threat Research Operational Intelligence team operates globally around the clock, keeping watch of the latest cyber campaigns and actively tracking the most impactful cyber threats.

Read more posts from ATR Operational Intelligence Team

Categories: McAfee Labs

Subscribe to McAfee Securing Tomorrow Blogs