A new family of ransomware named LooCipher has emerged. The researchers note that LooCipher’s functionality is not significantly different than other ransomware families. Infection of the victim is achieved through emails with attached Word documents (.DOCM) that contain macros that download the ransomware. The documents contain a single line of text which states “ENABLE MACROS TO VIEW THIS DOCUMENT”. When executed, the ransomware scans files on the system and then encrypts all files except those in the Windows system and programs folders. When the encryption process is completed, the ransomware provides information to the victim, including instructions on how to make payment for the decryption key. The instructions note that the victim has only five days to pay or the decryption key will be destroyed, making the files unrecoverable. The ransomware sends the victim’s details to a C&C server on the TOR network. From there it also provides the Bitcoin address to make payments to. Communication with the TOR network is conducted through proxy services which avoids the ransomware having to install TOR libraries on the victim system. A new Bitcoin address is created each time the ransomware contacts the C&C server. However, there are also hard coded wallet addresses in case the C&C server cannot be contacted. Unusually, the ransomware is also the decryptor, but it requires that the C&C server confirms payment has been received before it can function in the decryption mode.
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)