The new ransomware, known as Lokibot, locks victims’ screens until they pay a fee of $100.
Lokibot, a new ransomware threatening networks and Android devices, disguises itself as a banking Trojan but turns into ransomware if the user attempts to remove the application. When that happens, the ransomware behaviour is activated and Lokibot encrypts all of the victim’s data. Although the group of cybercriminals behind this malware is still unknown, a closer investigation has found that the malware is up for sale on the dark web for an astounding $2,000 in bitcoins.
The malware targets very popular applications such as WhatsApp, Skype and Outlook and is capable of reading and sending SMS messages, encrypting users’ information, locking users’ screens and stealing their contacts. Lokibot’s method of operation consists of phishing overlays displayed on top of banking applications.
SyfLabs experts have described how the malware operates, stating, “The phishing notifications disguise as the true icon of the app they try to impersonate. On top of that, the phone vibrates right before the notification is triggered so the victim will pay attention to it. Finally, when the user taps the notification it triggers an overlay attack”.
Lokibot’s most distinctive capabilities include opening specific websites, starting the victim’s banking application, automatically replying to SMS messages, sending illegitimate notifications that pretend to come from legitimate applications, and starting the browser app by itself.
The fee demanded to unlock the device ranges from $70 to $100. According to security researchers at SyfLabs, the cybercriminals have collected over $1.5 million worth of Bitcoin; however, the researchers are skeptical that this amount was earned through Lokibot alone, which means this group of cybercriminals may be behind other attacks.
According to SyfLabs experts, the encryption feature of the ransomware “fails” since users’ data is only renamed and not removed, perhaps because ransomware features are not Lokibot’s main method of attack. In spite of this, users should be careful, as the malware has screen-locking features.
Experts have stated that the malware’s Bitcoin addresses are hardcoded in the APK and cannot be updated from the C2 server. One way to tell that the attacking malware is Lokibot is the threat shown on screen, which reads “Your phone is locked for viewing child pornography”.
The group of cybercriminals behind Lokibot has not been identified yet, and they appear to be constantly updating the malware, adding new features related to security detection almost every week. Although not state of the art, these features are certainly more advanced than the ones used by other banking malware. Bot counts have risen this summer, according to experts, who have stated that they have seen at least 40 samples with bot counts ranging between 100 and 2,000 bots.
Lokibot may yet prove to be even more harmful should the updates continue, steadily becoming stronger as an Android Trojan that targets users’ bank accounts and applications.