Ransomware continues to be an easy way to monetize the criminal efforts and for this reason new malware appear in the threat landscape.
Loocipher is a new threat that is rapidly spreading, its functionalities are pretty straight forward as effective, common to many other ransomware families.
Recently experts at Yoroi-Cybaze ZLab published a detailed analysis of the Loocipher ransomware, below the key findings of the analysis:
As other ransomware families, LooCipher encrypts all the user files having the following extensions:
|.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .py, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ai, .doc, .docm, .docx, .dxg, .odb, .odm, .odp, .ods, .odt, .orf, .ppt, .pptm, .pptx, .rtf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .pdf, .mobi, .epub, .sage|
According to Fortinet, the encryption algorithm used by the LooCipher ransomware is AES-128 ECB with a 16-bytes key. The key is generated in a random way, starting from an array of pre-defined characters:
Since AES is a symmetric-key algorithm, retrieving the key it is possible to restore all encrypted files. The key will be sent to the C2 over HTTP as GET parameter (“k=”), but obviously it is obfuscated.
Experts pointed out an interesting details revealed by Fortinet researchers, the obfuscation method is very trivial. It consists in a simple replacing of each key characters with a pre-defined double-digit number, belonging to the following set:
So, once retrieved the obfuscated key it is possible to reconstruct the original key and decrypt all files.
The crucial point is to extract the obfuscated key. As shown by Fortinet, this can be done in two ways:
The expert of Cybaze-Yoroi ZLab released an automatic tool that is able to extract the secret key and proceed with the decryption of all files previously encrypted by the LooCipher ransomware. The tool requires the LooCipher process to be active. So, it does not work if the process gets killed or the PC went restarted, because the process memory containing the key is reset.
Experts published a post on the Yoroi blog:
The tool is available on Github at the following URL:
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.