Yoroi-Cybaze: Cybercrime is spreading a new ransomware: LooCipher
Cybercrime is spreading a new ransomware, LooCipher. According to Yoroi-Cybaze ZLab cyber security experts, the infection vector is malicious emails carrying weaponised Office documents. The malware encrypts all the files on the victim's computer and abuses clearnet-to-Tor proxy services to reach its Command and Control, hidden behind onion sites. The researchers found elements suggesting its operators could be able to run large scale campaigns. The author did not bother to obfuscate the malicious code in any sophisticated way. Once run, it starts encrypting all of the victim's files except for the system and program folders "Program Files", "Program Files (x86)" and "Windows". This exclusion avoids corrupting the files needed to boot the operating system, so the victim can still log in to the PC and see the ransom request.
How the malware works
According to the cyber security experts, during the encryption phase LooCipher creates an encrypted copy of each file but does not delete the original: instead it empties it, forcing a 0-byte size. It is not clear whether this behaviour comes from buggy code or is a peculiarity intentionally introduced by the author. For incident responders the difference matters little: the original directory entries survive with zero length, so undelete tools that look for deleted entries will not find them, while the clusters the content used to occupy are released rather than wiped, so carving unallocated space may still recover part of it until it is overwritten. When the encryption phase ends, the malware creates a FAQ folder on the victim's desktop with the instructions for the ransom payment in a "friendly" Q&A form. As stated in the payment instruction file, the victim has only five days to pay; after that the key is destroyed automatically, leaving no way to recover the user's content. The same information is displayed in the image set as desktop background and in the interactive pop-up window.
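A triage script for the footprint described above, added here as an example and not taken from the Yoroi report: it walks a directory tree, skips the three folders the malware leaves alone, and reports every 0-byte file that sits next to a non-empty sibling named after it (original name plus an extra extension) whose content looks like ciphertext by Shannon entropy. The sample tree is constructed in a temporary directory; its `.enc` suffix and the entropy threshold are assumptions of this example, since the page does not state the extension LooCipher appends.

```python
"""Triage a tree for the LooCipher footprint: 0-byte originals beside an encrypted copy.
Example written for this article, not code from the Yoroi report."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Folders the report says the ransomware skips.
SKIPPED_DIRS = {"Program Files", "Program Files (x86)", "Windows"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_truncated_pairs(root: Path, min_entropy: float = 7.0):
    """Return sorted [(empty_original, encrypted_sibling, entropy)] for each 0-byte file that has
    a non-empty sibling named <original>.<anything> with high-entropy content.
    No particular suffix is assumed: any extra extension appended to the name counts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIPPED_DIRS]  # mirror the malware's exclusions
        for name in filenames:
            path = Path(dirpath) / name
            if path.stat().st_size != 0:
                continue  # only emptied files are candidates for a lost original
            for cand in filenames:
                if cand == name or not cand.startswith(name + "."):
                    continue
                cpath = Path(dirpath) / cand
                if cpath.stat().st_size == 0:
                    continue
                ent = shannon_entropy(cpath.read_bytes()[:65536])  # first 64 KiB is enough
                if ent >= min_entropy:
                    findings.append((str(path), str(cpath), round(ent, 2)))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Construct a throwaway tree mimicking the post-infection state (sample data, not a real case)."""
    root = Path(tempfile.mkdtemp(prefix="loocipher_triage_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx").write_bytes(b"")                     # emptied original
    (docs / "report.docx.enc").write_bytes(os.urandom(8192))   # encrypted copy (".enc" is assumed)
    (docs / "notes.txt").write_bytes(b"")                       # emptied original ...
    (docs / "notes.txt.enc").write_bytes(b"A" * 8192)           # ... but sibling is not ciphertext
    (docs / "todo.txt").write_bytes(b"")                        # legitimately empty, no sibling
    sysdir = root / "Windows"
    sysdir.mkdir()
    (sysdir / "x.dll").write_bytes(b"")
    (sysdir / "x.dll.enc").write_bytes(os.urandom(1024))        # inside a skipped folder: ignored
    return root


if __name__ == "__main__":
    for original, copy, ent in find_truncated_pairs(build_sample_tree()):
        print(f"{original} -> {copy} (entropy {ent})")
```

On a real image, run it against a mounted read-only copy of the volume rather than the live system, and treat the entropy threshold as a first filter only: compressed formats that were never touched also score high, which is why the script requires the 0-byte original beside the candidate before reporting.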
The ransomware C2 is hosted on the Tor network
The C2 is hosted on the Tor network, so LooCipher uses services that act as proxies between the darknet and the clearnet to reach it, avoiding the need to ship Tor libraries on the victim machine. The request sent by the ransomware includes information such as the User-ID assigned to the victim machine during the encryption phase and its public IP address. The C2 server replies with the BTC address to which the victim must pay the requested amount. Yoroi researchers noticed that every time the malware contacts its C2 at the "k.php" resource, the server generates a new BTC address. The backend probably embeds a wallet factory that derives a fresh address for each infection; no on-chain registration is needed for that, since Bitcoin addresses are derived offline from keys. This trick makes the payments harder to trace: many transactions towards a single wallet would be trivially clustered, whereas a per-victim address hardens the reconstruction of the cash flow, at least until the operators consolidate the funds.
The malware works both as encryptor and as decryptor
LooCipher has another interesting peculiarity: it works both as encryptor and as decryptor. The last answer of the instruction file, in fact, states that the decryptor is embedded in the ransomware binary to make decryption as simple as possible. After paying, the victim can click the "Check Payment" button in the pop-up window and, if the transaction has been confirmed, the "DECRYPT" button is enabled. If the user accidentally closes the pop-up window needed to trigger the decryption, the note says, they can download a new copy of the ransomware and use it as the decryptor. Clicking "Check Payment" makes the process send a new HTTP request to its C2, this time to "/d.php", to check whether the payment for the specific User-ID has been received. From a defender's point of view, both requests ("/k.php" at infection time, "/d.php" at payment check) leave the network through a clearnet-to-Tor gateway, which is the place to look for them in proxy logs.
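Detection logic for the C2 traffic described in the last two sections, added here as an example and not code from the report. It scans proxy log lines for requests whose host is an onion name relayed through a clearnet gateway and whose path is /k.php or /d.php, the two resources named by the researchers, and groups hits per client. The onion-behind-gateway heuristic, the log line format and the query parameter names in the sample lines are assumptions of this example; the detector deliberately does not depend on the parameters.

```python
"""Hunt proxy logs for LooCipher-style C2 requests that ride clearnet-to-Tor gateways.
Example written for this article, not code from the Yoroi report."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A Tor hidden service name is a base32 label of 16 (v2) or 56 (v3) characters. When such a
# label appears inside a host that does NOT end in ".onion", the request went to a clearnet
# gateway that relays it into Tor. (Heuristic assumed by this example, not a rule from the report.)
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Resources named in the report: k.php (registration, fresh BTC address) and d.php (payment check).
C2_PATHS = {"/k.php": "registration", "/d.php": "payment_check"}

# Constructed log format for this example: "<timestamp> <client_ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def onion_behind_gateway(host: str):
    """Return the onion label if `host` looks like <onion>.<gateway-domain>, else None."""
    labels = host.lower().split(".")
    if len(labels) < 2 or labels[-1] == "onion":
        return None  # a bare .onion host is Tor traffic itself, not a gateway relay
    for label in labels[:-1]:
        if ONION_LABEL.match(label):
            return label
    return None


def classify(url: str):
    """Map a URL to (onion, kind) when it targets a gateway-relayed C2 resource, else None."""
    parts = urlsplit(url)
    onion = onion_behind_gateway(parts.hostname or "")
    kind = C2_PATHS.get(parts.path)
    if onion and kind:
        return onion, kind
    return None


def hunt(lines):
    """Group suspicious requests by client: {client_ip: {"registration": n, "payment_check": n, "onions": set}}."""
    hits = defaultdict(lambda: {"registration": 0, "payment_check": 0, "onions": set()})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # tolerate lines in another format
        _ts, client, _method, url, _status = m.groups()
        hit = classify(url)
        if hit:
            onion, kind = hit
            hits[client][kind] += 1
            hits[client]["onions"].add(onion)
    return dict(hits)


# Constructed sample lines (not real telemetry); the query parameter names are invented.
SAMPLE_LOG = [
    "2019-06-19T10:01:02Z 10.0.0.15 GET http://ab5yg73ccssx5quw.onion.ws/k.php?u=3f9c&i=203.0.113.7 200",
    "2019-06-19T10:01:09Z 10.0.0.31 GET http://cdn.example.net/static/app.js 200",
    "2019-06-19T10:07:44Z 10.0.0.15 GET http://ab5yg73ccssx5quw.onion.ws/d.php?u=3f9c 200",
    "2019-06-19T10:09:10Z 10.0.0.30 GET http://www.example.com/k.php 200",
    "2019-06-19T10:12:00Z 10.0.0.22 GET http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion.example/k.php?u=77a1 200",
    "2019-06-19T10:13:00Z 10.0.0.22 GET http://ab5yg73ccssx5quw.onion/k.php 200",
]

if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG).items():
        print(client, info["registration"], info["payment_check"], sorted(info["onions"]))
```

A client that shows a registration hit is the infected host; a later payment-check hit from the same client tells you someone there is already talking to the operators. The onion label extracted from the host is the pivot for blocking and for correlating with the researchers' indicators, and the rule on its own also surfaces any other malware that reaches Tor through a public gateway, so expect to triage hits that are not LooCipher.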