LooCipher ransomware distributed via spam campaign

• LooCipher encrypts all the files on the infected computer and appends the .lcphr extension to the encrypted files.
• The ransom note demands a ransom amount of €300 (USD 330) within 5 days.

A security researcher who goes under the name Petrovic uncovered a new ransomware dubbed LooCipher that is distributed via a spam campaign.

How is it propagated?

• LooCipher is distributed via a spam campaign that delivers a malicious Word document called Info_BSV_2019.docm.
• When users open this document, they will be asked to enable macros in order to view the contents of the document.
• Once macros are enabled, it will connect to a Tor server through a gateway and download the http://hcwyo5rfapkytajg.onion.pet/3agpke31mk.exe file.
• This file downloads and executes the LooCipher ransomware.
• Once executed, the ransomware will create a file called c2056.ini.
• This file states to not remove or alter it as it may interfere with the proper decryption of the ransomware.

Encryption and ransom note

LooCipher encrypts all the files on the infected computer and appends the .lcphr extension to the encrypted files. It does not delete the original unencrypted files, instead leaves them behind as zero-byte files.

• After the infection process, a ransom note named @Please_Read_Me.txt will be dropped on the infected system.
• The ransom note contains the required ransom amount in Euros, a bitcoin address to send payment to, and the instructions on how to make the payment.
• The ransom note demands a ransom amount of €300 (USD 330) within 5 days.

“You have five days since your files were encrypted. After this period, your key will be automatically destroyed (except for the case of having made the transaction within the period but because of the transaction remains pending of being confirmed by the blockchain this period is exceeded. In this case the key will remain safe throughout all this ‘pending of being confirmed’ status of your transaction and additionally it will remain 7 days more after your transaction is confirmed in order that you have enough time to recover your files,” the ransom note read, BleepingComputer reported.

Decryption

• The LooCipher Decryptor window will be displayed that contains the ‘Check Payment’ button.
• It also contains a ‘Decrypt’ button that will be enabled only after the payment is approved.
• Once enabled, the LooCipher executable will be removed and the ransom notes and desktop wallpaper will contain a mega.nz link that can be used to download the ransomware interface.