Loki Locker Ransomware

Loki Locker Ransomware Description

The Loki Locker Ransomware is a malware threat designed to infect systems, encrypt the files stored on them, and then extort its victims for money. The threat actors hold the victim's files hostage and promise to restore them only after their demands have been met.

When the Loki Locker Ransomware encrypts a file, it drastically changes the file's original name. The threat prepends an email address and a unique victim ID string to the file's name and appends '.Loki' as a new extension. The email address used in the modified file names is 'recoverdata@onionmail.org.'

Ransom Notes Overview

Upon completing its encryption process, Loki Locker makes sure the victim receives its instructions by delivering three ransom notes: one is displayed as a new desktop background image, another is placed inside a text file named 'Restore-My-Files.txt,' and the third is shown in a pop-up window.

The ransom notes vary slightly, but the important details are consistent across all three. Victims are told that they will have to pay a ransom in Bitcoin. Before sending any money, they may submit a single file that the attackers will supposedly decrypt for free and return. There are two requirements for the selected file: it must not exceed 2MB in size, and it must not contain any valuable information. The notes add that if victims receive no response within 24 hours of contacting 'recoverdata@onionmail.org,' they should write to the secondary email address, 'recoverdata@mail2tor.com.'
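The file-renaming scheme and the note file name described above are the cheapest host-side indicators of this threat. The following Python triage helper is an added example, not code from the page or from any vendor: it walks a list of file paths, recognises the 'Restore-My-Files.txt' note and the '.Loki' files, recovers each file's original name, and tallies the victim IDs and contact addresses it sees. It assumes the email and ID prefix is written in square brackets ('[email][ID]original.ext.Loki'); the page only says they are placed in front of the original name, so that bracket layout, the alphanumeric ID, and the sample listing are all constructed for the example.

```python
import ntpath
import re
from collections import Counter

# Indicators taken from the description above.
LOKI_EXT = ".Loki"
CONTACT_EMAILS = ("recoverdata@onionmail.org", "recoverdata@mail2tor.com")
NOTE_NAME = "Restore-My-Files.txt"

# Assumed layout of a renamed file: [email][ID]original.ext.Loki
# The square brackets and the alphanumeric ID are assumptions; the page
# only states that the email and ID are placed before the original name.
ENCRYPTED_NAME = re.compile(
    r"^\[(?P<email>[^\]\s]+@[^\]\s]+)\]\[(?P<id>[0-9A-Za-z]+)\](?P<orig>.+)\.Loki$"
)


def parse_encrypted_name(name):
    """Split '[email][ID]report.docx.Loki' into (email, id, 'report.docx').

    Returns None when the name does not follow the assumed Loki Locker layout,
    so a plain '.Loki' file without the prefix is not counted as a hit.
    """
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return m.group("email"), m.group("id"), m.group("orig")


def triage(paths):
    """Summarise Loki Locker artifacts found in a list of Windows file paths.

    Returns a dict with the encrypted files (path plus recovered original
    name), the directories that hold a ransom note, and counters of the
    victim IDs and contact emails seen. More than one ID in a single tree
    suggests several infected hosts wrote to shared storage.
    """
    result = {"encrypted": [], "note_dirs": set(), "ids": Counter(), "emails": Counter()}
    for p in paths:
        # ntpath handles backslash paths regardless of the analyst's own OS.
        directory, name = ntpath.split(p)
        if name == NOTE_NAME:
            result["note_dirs"].add(directory)
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue
        email, victim_id, original = parsed
        result["encrypted"].append((p, original))
        result["ids"][victim_id] += 1
        result["emails"][email] += 1
    return result


def note_mentions_contacts(note_text):
    """Return the known contact addresses that appear in a ransom note's text."""
    return tuple(e for e in CONTACT_EMAILS if e in note_text)


# Constructed sample listing (not real data); the ID value is made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\[recoverdata@onionmail.org][4F2A9C1B]budget.xlsx.Loki",
    r"C:\Users\alice\Documents\Restore-My-Files.txt",
    r"C:\Users\alice\Pictures\[recoverdata@onionmail.org][4F2A9C1B]holiday.jpg.Loki",
    r"C:\Users\alice\Pictures\Restore-My-Files.txt",
    r"C:\Windows\System32\kernel32.dll",   # untouched system file
    r"C:\Users\alice\Desktop\notes.txt",     # untouched user file
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"{len(summary['encrypted'])} encrypted files, victim IDs: {dict(summary['ids'])}")
    for path, original in summary["encrypted"]:
        print(f"  {path}  ->  original name: {original}")
    print("directories with ransom notes:", sorted(summary["note_dirs"]))
```

In practice the path list would come from a file-system walk or a forensic image listing; keeping the parser separate from the walk makes it easy to run over an exported directory listing without touching the infected host. The recovered original names are what you need to map encrypted files back to backups.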

The full text of the pop-up window is:

'Loki locker
All your important files have been encrypted
If you want to restore them, write us to the e-mail recoverdata@onionmail.org
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail: recoverdata@mail2tor.com
Free decryption as guarantee
Before paying you can send us 1 file for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
'

The text file, 'Restore-My-Files.txt,' repeats the pop-up message word for word. A second version of the text note reads:

'All your important files are encrypted!
There is only one way to get your files back:Contact with us

Send us 1 any encrypted your file and your personal id

We will decrypt 1 file for test(maximum file size - 2MG), it is guarantee what we can decrypt your files

Pay

We send for you decryptor software

We accept Bitcoin

Attention!
Do not rename encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help if third parties may cause increase price(they add their fee to our)

Contact information: recoverdata@onionmail.org

Be sure to duplicate your message on the e-mail: recoverdata@mail2tor.com

Your personal id:
'

The desktop background image delivers the following message:

'Loki locker

All your files have been encrypted due to a security problem with your computer
If you want to restore them, write us to the e-mail:
recoverdata@onionmail.org
Write this ID in the title of your message: -
In case of no answer in 24 hours write us to this e-mail:
recoverdata@mail2tor.com
'