LooCipher is ransomware that is actively being used in the wild to infect users. It was first discovered by security researcher Petrovic, and since then BleepingComputer and Michael Gillespie have observed multiple victims infected with it.

Payload

Transmission

LooCipher is believed to be distributed through a spam campaign, though the exact phishing lure is currently unknown. The dropper is disguised as a macro-enabled Word document (.docm) named Info_BSV_2019.docm.

When opened, the document uses the standard tactic of asking the user to enable macros in order to view its content. LooCipher can also be spread via torrent websites, malicious ads, trojans, software cracking tools, and fake updaters.

[Image: Malicious word document]

If the user enables macros, the macro connects to a Tor server through a clearnet gateway (the .onion.pet domain in the URL) and downloads http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe. The downloaded file is saved as LooCipher.exe and then executed.

LooCipher can also be spread by fake software updating tools, untrustworthy software download sources, software 'cracking' tools and trojan-type programs.

[Image: Downloader macro]

Infection

When executed, LooCipher creates a file called c2056.ini on the Windows desktop in which it stores the computer's unique ID, the deadline after which the key will allegedly expire, and a bitcoin address. The file warns the victim not to remove or alter it, as doing so may interfere with decryption.

[Image: LooCipher configuration file]

The ransomware then begins encrypting files on the computer. The routine is buggy: instead of deleting the original unencrypted files, it leaves them behind as 0-byte files. Encrypted copies are created alongside them with the .lcphr extension appended to the original file name.

[Image: LooCipher encrypted files]

LooCipher encrypts the following file extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, 
.tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, 
.mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, 
.layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, 
.arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, 
.upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, 
.big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, 
.pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, 
.erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, 
.psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, 
.xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Ransom notes named @Please_Read_Me.txt are also created; they contain the ransom amount in euros, a bitcoin address to send payment to, and instructions on how to pay. The current ransom amount is €300, approximately $330 USD.
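As an added, defender-side example (not code from this page or from the researchers it cites), the following Python script walks a directory tree for the on-disk artifacts described above: .lcphr copies sitting beside their 0-byte originals, @Please_Read_Me.txt notes, and the c2056.ini configuration file. The sample folder it builds is constructed, and the .lcphr contents are placeholders rather than real LooCipher output.

```python
import os
import tempfile
from pathlib import Path

# Indicator names as described on this page
ENCRYPTED_EXT = ".lcphr"
RANSOM_NOTE = "@Please_Read_Me.txt"
CONFIG_FILE = "c2056.ini"


def scan_for_loocipher(root):
    """Walk `root` and collect LooCipher on-disk artifacts.

    encrypted: .lcphr files with their 0-byte original beside them (the buggy
    delete described on the page); orphans: .lcphr files without such a pair;
    notes: ransom notes; config: c2056.ini files.
    """
    found = {"encrypted": [], "orphans": [], "notes": [], "config": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                found["notes"].append(str(path))
            elif name == CONFIG_FILE:
                found["config"].append(str(path))
            elif name.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # The extension is appended to the original name, so strip it
                original = path.with_name(name[: -len(ENCRYPTED_EXT)])
                if original.is_file() and original.stat().st_size == 0:
                    found["encrypted"].append(str(path))
                else:
                    found["orphans"].append(str(path))
    return found


def is_loocipher_present(found):
    """A 0-byte original + .lcphr pair is the strongest signal; a note or
    config file alone is still enough to warrant triage."""
    return any(found[k] for k in ("encrypted", "notes", "config"))


def build_sample_tree():
    """Constructed victim folder (not a real sample) matching the page's description."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx").write_bytes(b"")                 # 0-byte original left behind
    (root / "report.docx.lcphr").write_bytes(b"\x00" * 64)  # placeholder "encrypted" copy
    (root / RANSOM_NOTE).write_text("Q:  What happened to my files?\n")
    (root / CONFIG_FILE).write_text("[placeholder config]\n")
    (root / "clean.txt").write_text("untouched\n")
    return root
```

Point `scan_for_loocipher` at a user profile or share root to triage a suspected host; files listed under `orphans` are worth a second look, since they lack the 0-byte companion the page describes.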

[Image: LooCipher ransom note]

The ransom note reads:

Q:  What happened to my files?
A:  All your important files (including those on the network disks, USBs, etc.) 
have been encrypted using a strong algorithm with a private and unique key 
generated for you.


Q:  Where is my key?
A:  Your key is stored in our TOR servers in order to preserve the anonymity.


Q:  What do I do?
A:  You need to make a Bitcoin payment for the decryption.
    Please send €300 (~$330) worth of Bitcoin to this address: 
1Ps5Vd9dKWuy9FuMDkec9qquCyTLjc2Bxe


Q:  Can I recover my files by other means?
A:  No. There is not such a computing power nowadays to find this key within the 
time of a human could live. Even if you use Tianhe-2 (MilkyWay-2), currently the 
fastest supercomputer in the world, it will take millions of years. Neither NO ONE 
ANTIVIRUS CAN BRING YOUR FILES BACK, the only thing they could do is delete the 
decryptor software, but it's impossible they can recover your files, and if some 
of them is trying to sell you that, we invite you to purchase it and try.


Q:  How much time do I have?
A:  You have 5 days since your files were encrypted. Specifically until 2019/06/24 
14:28. After this period your key will be automatically destroyed (except for the 
case of having made the transaction within the period but because of the 
transaction remains pending of being confirmed by the blockchain this time period 
is excedeed. In this case the key will remain safe throughout all this "pending of 
being confirmed" status of your transaction and additionally it will remain 7 days 
more after your transaction is confirmed in order that you have enough time to 
recover your files)


Q:  How can I trust?
A:  We strongly guarantee you can recover your files. Besides, if we didn't do it 
nobody trust us and we wouldn't get any payment. In fact, we built the decryptor 
in the own encryptor software as well in order to make the decryption process as 
simple as possible for you, thus avoiding having to download an external 
decryptor. Just make the payment, click  and if your payment is approved the  
button will become enable to click.


If somehow you closed the decryptor window and you can't run the decryptor 
software you can download a copy of the decryptor through this link:
https://mega.nz/#!KclRVIRY!YrUgGjvldsoTuNZbCOjebAz5La7hbB41nJHk1mlgqZo
(Don't worry, your files won't be re-encrypted if they already are).

LooCipher also changes the desktop wallpaper to another ransom note containing much the same information as the text note.

[Image: Desktop wallpaper]

Finally, the LooCipher Decryptor window is displayed. It shows a countdown to when the user's key will allegedly be deleted, along with a button to check whether a payment has been made. If a payment is detected, the ransomware will download the key from its Tor servers and enable the Decrypt button so the user can recover their files. This has not been tested, and it is not known whether the process actually works.

[Image: LooCipher GUI]

Media

[Video: LooCipher Ransomware demonstration of attack video review!]

LooCipher demonstration by GrujaRS
