LooCipher Ransomware

Researchers from Cybaze-Yoroi Z-LAB have published an analysis of a new family of ransomware named LooCipher. The researchers note that LooCipher’s functionality is not significantly different than other ransomware families. Infection of the victim is achieved through emails with attached Word documents (.DOCM) that contain macros that download the ransomware. The documents contain a single line of text which states “ENABLE MACROS TO VIEW THIS DOCUMENT”.

When executed, the ransomware scans files on the system and then encrypts all files except those in the Windows system and programs folders. When the encryption process is completed, the ransomware provides information to the victim, including instructions on how to make payment for the decryption key. The instructions note that the victim has only five days to pay or the decryption key will be destroyed, making the files unrecoverable.

The ransomware sends the victim’s details to a C&C server on the TOR network. From there it also provides the Bitcoin address to make payments to. Communication with the TOR network is conducted through proxy services which avoids the ransomware having to install TOR libraries on the victim system. A new Bitcoin address is created each time the ransomware contacts the C&C server.

However, there are also hard coded wallet addresses in case the C&C server cannot be contacted. Unusually, the ransomware is also the decryptor, but it requires that the C&C server confirms payment has been received before it can function in the decryption mode.

Indicators of Compromise

Hashes:

• ff24d9575694ae2a1e6a6101a2dbaa95dd1ab31b44a3931f6d6a62bbf5be2cbd
• e824650b66c5cdd8c71983f4c4fc0e1ac55cd04809d562f3b6b4790a28521486
• 43cfb0a439705ab2bd7c46b39a7265ff0a14f7bd710b3e1432a9bdc4c1736c49
• 924cc338d5d03f8914fe54f184596415563c4172679a950245ac94c80c023c7d

BTC Addresses:

1Ps5Vd9dKWuy9FuMDkec9qquCyTLjc2Bxe
19YmdTjw7ZWHEDac8wWzCNdZT8oXsDedtV
1CrdZvvtzrZTJ78k92XuPizhhgtDxQ8c4B
1JHEqi4QsTWz4gB9qZTACP7JggJzAmf6eA
1Azfk7fWwCRynRk8p7qupLqqaADsjwFm4N

DropURL:

• hxxp://hcwyo5rfapkytajg[.]onion/2hq68vxr3f.exe
• hxxp://hcwyo5rfapkytajg[.]onion/3agpke31mk.exe
• hxxp://hcwyo5rfapkytajg[.]onion/Info_BSV_2019.docm
• hxxp://hcwyo5rfapkytajg[.]onion/Info_Project_BSV_2019.docm
• hxxp://hcwyo5rfapkytajg.onion[.]pet/2hq68vxr3f.exe
• hxxp://hcwyo5rfapkytajg.onion[.]pet/3agpke31mk.exe
• hxxp://hcwyo5rfapkytajg.onion[.]pet/Info_BSV_2019.docm
• hxxp://hcwyo5rfapkytajg.onion[.]pet/Info_Project_BSV_2019.docm
• hxxps://hcwyo5rfapkytajg.darknet[.]to/2hq68vxr3f.exe
• hxxps://hcwyo5rfapkytajg.darknet[.]to/3agpke31mk.exe
• hxxps://hcwyo5rfapkytajg.darknet[.]to/Info_BSV_2019.docm
• hxxps://hcwyo5rfapkytajg.onion[.]sh/2hq68vxr3f.exe
• hxxps://hcwyo5rfapkytajg.onion[.]sh/3agpke31mk.exe
• hxxps://hcwyo5rfapkytajg.onion[.]sh/Info_BSV_2019.docm
• hxxps://hcwyo5rfapkytajg.onion[.]ws/2hq68vxr3f.exe
• hxxps://hcwyo5rfapkytajg.onion[.]ws/3agpke31mk.exe
• hxxps://hcwyo5rfapkytajg.onion[.]ws/Info_BSV_2019.docm
• hxxps://hcwyo5rfapkytajg.tor2web[.]xyz/2hq68vxr3f.exe
• hxxps://hcwyo5rfapkytajg.tor2web[.]xyz/3agpke31mk.exe
• hxxps://hcwyo5rfapkytajg.tor2web[.]xyz/Info_BSV_2019.docm

C2s:

• hxxp://hcwyo5rfapkytajg.onion[.]pet/k.php
• hxxp://hcwyo5rfapkytajg.onion[.]pet/d.php
• hxxps://hcwyo5rfapkytajg.darknet[.]to/k.php
• hxxps://hcwyo5rfapkytajg.darknet[.]to/d.php
• hxxps://hcwyo5rfapkytajg.onion[.]sh/k.php
• hxxps://hcwyo5rfapkytajg.onion[.]sh/d.php
• hxxps://hcwyo5rfapkytajg.onion[.]ws/k.php
• hxxps://hcwyo5rfapkytajg.onion[.]ws/d.php
• hxxps://hcwyo5rfapkytajg.tor2web[.]xyz/k.php
• hxxps://hcwyo5rfapkytajg.tor2web[.]xyz/d.php