LokiLocker, which first appeared in 2021, spread worldwide through an affiliate (partner) program, whereas BlackBit, a closely related encryptor that appends the “.blackbit” extension to encrypted files, primarily targets small and medium-sized Russian businesses. The growing threat to Russian companies has drawn the attention of the authorities.
At least 62 businesses worldwide, including 21 in Russia, have been targeted by the ransomware programs LokiLocker and BlackBit since April 2022. The majority of the victims are small and medium-sized retail, tourism, and construction companies.
The ransom demanded ranges from $10,000 to $100,000, depending on the victim’s financial resources and on how many decryption keys are required. Notably, the ransomware does not run on machines whose system language is Persian (Farsi). Where the attackers themselves are from remains unknown.
Researchers believe attacks with LokiLocker and BlackBit may be carried out “under a false flag” to hinder investigation. Although the group may have been founded by native Persian speakers, its membership could in fact be multinational. An intrusion lasts from one to several days, and the main entry point is compromised RDP servers. The attackers obtain credentials either by buying them from dark-web access brokers or by harvesting logins and passwords themselves.
During reconnaissance they do not exfiltrate data; instead they use Mimikatz to harvest credentials and gain privileged access. The criminals deploy LokiLocker and BlackBit manually, usually on weekends or public holidays, when response is slowest. They disable antivirus software with legitimate administration tools and contact victims via Telegram and email.
If the ransom is not paid, or the decryptor is not run, within 30 days, the ransomware destroys the data. Geopolitical tensions have made Russian firms increasingly attractive targets. The attackers’ success is attributed to the victims’ lax security practices, above all terminal servers and other remote access services left exposed to the internet.
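The intrusion pattern described above (RDP as the entry point, hands-on-keyboard activity on weekends and holidays) suggests a simple hunt: RemoteInteractive logons (Windows Security Event ID 4624 with LogonType 10) that originate from public IP addresses outside business hours. The script below is an added example written for this article, not a tool from the researchers or from the groups discussed; the log records are constructed, the CSV layout is a simplified export rather than native EVTX, and the business-hours window and holiday list are assumptions to be adjusted per organisation.

```python
"""Hunt for off-hours RDP logons from public IP addresses.

Added example, not from the original article. Input is a constructed,
simplified CSV export of Windows Security 4624 events:
timestamp,event_id,logon_type,account,source_ip
"""

import ipaddress
from datetime import date, datetime

# Constructed sample records (IPs and accounts are made up).
# 2023-03-08 is a public holiday in Russia; 2023-03-11/12 is a weekend.
SAMPLE_LOGS = """\
2023-03-08T11:20:00,4624,10,svc_rdp,91.214.124.8
2023-03-10T09:12:44,4624,10,jsmith,10.0.4.21
2023-03-11T02:41:07,4624,10,administrator,185.220.101.47
2023-03-11T02:43:15,4624,3,administrator,185.220.101.47
2023-03-12T23:58:03,4624,10,backup,91.214.124.8
2023-03-13T14:05:30,4624,10,jsmith,10.0.4.21
"""

LOGON_EVENT = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive (RDP / terminal services)


def is_public(ip: str) -> bool:
    """True for globally routable addresses (excludes RFC1918, loopback, link-local)."""
    return ipaddress.ip_address(ip).is_global


def is_off_hours(ts: datetime, start: int = 8, end: int = 18) -> bool:
    """Weekend, or outside the assumed business window [start, end) on a weekday."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def parse_events(text: str) -> list[dict]:
    """Parse the simplified CSV export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source_ip": src,
        })
    return events


def suspicious_rdp_logons(events: list[dict], holidays: tuple[str, ...] = ()) -> list[dict]:
    """Return RDP logons from public IPs on weekends, listed holidays, or off-hours.

    holidays: ISO dates ("2023-03-08") treated like weekend days.
    """
    holiday_dates = {date.fromisoformat(h) for h in holidays}
    hits = []
    for e in events:
        if e["event_id"] != LOGON_EVENT or e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only interactive RDP sessions are of interest here
        if not is_public(e["source_ip"]):
            continue  # internal jump hosts are expected; exposed RDP is the problem
        if e["time"].date() in holiday_dates or is_off_hours(e["time"]):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in suspicious_rdp_logons(parse_events(SAMPLE_LOGS), holidays=("2023-03-08",)):
        print(f"{hit['time'].isoformat()} RDP logon {hit['account']} from {hit['source_ip']}")
```

Run against the sample, the weekday daytime logons from the internal 10.0.4.21 address are ignored, the Saturday 02:41 and Sunday 23:58 logons from public addresses are flagged, and the 8 March logon is flagged only when that date is passed as a holiday. Any hit from a public address is itself worth an alert: it means RDP is reachable from the internet, which is exactly the exposure the researchers single out.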