LooCipher Ransomware

Posted: June 19, 2019

The LooCipher Ransomware is an independent file-locker Trojan that blocks media formats on your computer, including, but not limited to, pictures, documents, and spreadsheets. Afterward, victims can see symptoms including new extensions on their blocked content, a different desktop wallpaper and ransoming messages. Back your work up to other devices to save it from these attacks, and keep anti-malware products available for removing the LooCipher Ransomware.

Trojans Flushing Your Files Down the Loo

File-locker Trojans without families that they can call home are much rarer than Ransomware-as-a-Service output, variants or freeware, but they do exist, as the LooCipher Ransomware's campaign attests. This Trojan uses disguises that would appeal to cryptocurrency entrepreneurs to infect Windows PCs, after which it can start locking files. Malware experts can't confirm whether or not the process is reversible, although the rest of the LooCipher Ransomware's payload makes money off of selling the possible decryption solution.

The LooCipher Ransomware's encryption includes such typical targets for locking as JPG pictures, Word documents, Adobe PDF Reader documents, and Excel spreadsheets, all of which the LooCipher Ransomware appends with 'lcphr' extensions afterward. Its further symptoms include:

  • Changing the Windows wallpaper into a ransom note.
  • Creating another '@Please_Read_Me.txt' ransom note on the desktop.
  • Loading its third note in an advanced HTML pop-up.

None of these elements use the formatting that's traditional for most of the great families of file-locker Trojans. However, the LooCipher Ransomware does include a five-day countdown for threatening its victims, and asks for Bitcoins for its unlocking fee – although malware experts see no activity in its wallet, as of June 19th.
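The two file-system symptoms above (the 'lcphr' extension and the '@Please_Read_Me.txt' note) are enough to scope an infection during triage. The following is an added example, not code from the original page; the function names and the sample directory tree are constructed for illustration, and it assumes the extension is appended after the original one.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".lcphr"               # extension this page says is appended
NOTE_NAME = "@please_read_me.txt"   # desktop ransom note named on this page (lowercased)


def scan_for_loocipher(root):
    """Walk `root` and collect the file-system symptoms described above."""
    locked, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()    # Windows file names are case-insensitive
            if lower.endswith(LOCKED_EXT):
                locked.append(Path(dirpath) / name)
            elif lower == NOTE_NAME:
                notes.append(Path(dirpath) / name)
    # Assumption: the extension is appended after the original one
    # (report.docx.lcphr), so stripping it reveals the original format.
    formats = Counter(
        Path(p.name[: -len(LOCKED_EXT)]).suffix.lower() or "(none)" for p in locked
    )
    dirs = sorted({str(p.parent) for p in locked})
    return {"locked": locked, "notes": notes, "formats": formats, "dirs": dirs}


def build_sample_tree(root):
    """Create a constructed directory tree of empty files for the demo."""
    for rel in (
        "Desktop/@Please_Read_Me.txt",
        "Documents/report.docx.lcphr",
        "Documents/budget.xlsx.LCPHR",
        "Documents/untouched.pdf",
        "Pictures/holiday.jpg.lcphr",
        "Pictures/clean.jpg",
    ):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_for_loocipher(tmp)
        print(len(result["locked"]), "locked,", dict(result["formats"]))
```

The per-format counts and the list of affected directories tell you which backups need to be restored and where.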

Deciphering the Dilemma in Fake Documents

The LooCipher Ransomware's campaign is using what malware experts rate as a commonplace infection strategy: fake Word documents. Users may be opening them and installing the LooCipher Ransomware thanks to crafted content referencing BSV, a Bitcoin cryptocurrency fork. Other infection vectors may reference the target's industry, use exploits for outdated server software or brute-force the user's credentials.

Updating one's anti-malware solutions will improve their detection rates against newly-identifiable Trojans and other threats, including the LooCipher Ransomware. At current levels, roughly half of the AV industry's most well-known brands should block this file-locker Trojan, and uninstalling the LooCipher Ransomware with anti-malware services is the recommended response to infections. Afterward, backup-based recovery could be essential for any file restoration.

The LooCipher Ransomware's payload signals loud and clear what its author's intentions are: making money out of users who aren't preserving their files carefully. Upcoming months will show if this lone Trojan has what it takes in a market that's full of Ransomware-as-a-Service products, GitHub reinforcements and Hidden Tear spin-offs.