[ Lokilocker ransomware ]
[ Virus/malicious code activity reported: Lokilocker ransomware ]
We are aware of a security incident that is believed to involve Lokilocker ransomware. We are providing
the following information and warning regarding the situation.
Lokilocker ransomware
The ransomware is called Lokilocker, and it appears to rename all files to the form <filename.extension.Loki>.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
This is a C# .NET-based ransomware, and its internal code is obfuscated. It delivers its guidance through the desktop, a txt file, the Windows login message, and its own note. It disables Task Manager through a registry setting value, and it checks process names so that Regedit is forcibly terminated when it is executed. In addition to the initially executed ransomware, a copy named winlogon.exe is placed in the startup programs folder so that it runs again automatically when Windows starts. If the ransomware process is terminated, a blue screen is forcibly generated.
[Figure 3 Obfuscated internal code]
[Figure 4 Ransomware copied to startup program and task manager disable bat file]
[Figure 5: Activation message when running Task Manager]
[Figure 6 Blue screen that occurs when ransomware is terminated]
Infection results
Guide files named < Restore-My-Files.txt / Crpiv.Loki / info.hta > are created in each folder, and each encrypted file is renamed to <filename.extension.Loki>.
[Figure 7 Infection results]
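The file-system traces described above (the .Loki extension, the guide file names, and a winlogon.exe copy in the startup programs folder) can be checked with a short triage script. This is an added example, not part of the original advisory or of WhiteDefender; the function names, the constructed sample tree, and the rule that a folder named "Startup" is the startup programs folder are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory text above.
NOTE_NAMES = {"restore-my-files.txt", "crpiv.loki", "info.hta"}
ENCRYPTED_SUFFIX = ".loki"
PERSISTENCE_NAME = "winlogon.exe"


def triage(root):
    """Walk `root` and collect the file-system traces the advisory describes."""
    report = {"encrypted": [], "notes": [], "startup_copy": []}
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: a folder literally named "Startup" is a startup programs folder.
        in_startup = Path(dirpath).name.lower() == "startup"
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower in NOTE_NAMES:
                report["notes"].append(full)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                # Encrypted files keep their name and gain a trailing .Loki
                report["encrypted"].append(full)
            elif in_startup and lower == PERSISTENCE_NAME:
                # The genuine winlogon.exe lives in System32, not in Startup.
                report["startup_copy"].append(full)
    return report


def build_sample_tree(base):
    """Constructed sample data: empty files that mimic an affected profile."""
    docs = Path(base, "Documents")
    startup = Path(base, "Start Menu", "Programs", "Startup")
    docs.mkdir(parents=True)
    startup.mkdir(parents=True)
    for p in (docs / "budget.xlsx.Loki", docs / "photo.jpg.Loki",
              docs / "Restore-My-Files.txt", docs / "info.hta",
              docs / "notes.txt", startup / "winlogon.exe"):
        p.touch()
    return base


def run_sample():
    """Run the triage over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(kind, len(paths))
```

On a real host, call triage() with a user profile or share path; a non-empty startup_copy list is the signal to isolate the machine before the next logon.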
White Defender Response
WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block.
[Figure 8 Blocking Message]