Federal and state law enforcement officials have observed a big uptick in LokiBot ransomware infections. LokiBot is an open-source, do-it-yourself malware package for Windows that is sold and traded in underground forums. It can steal passwords and cryptocurrency wallets, and it can also download and install additional malware.
In an alert published in September 2020, the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center said that LokiBot ransomware infections had risen dramatically over two months. The increase was noted by “EINSTEIN,” an automated detection system that monitors computer security information across federal departments and agencies.
According to the alert: “CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity.”
LokiBot operates as an infostealer and was first observed in 2015. It has been used in several malspam campaigns that harvested credentials from web browsers, email clients and admin tools, and it has also been used to target cryptocurrency-wallet owners. The malware steals sensitive information, including FTP credentials, stored email passwords and passwords saved in the browser, to name a few. The original version of LokiBot was developed and sold online by a hacker known as “lokistov.”
The malware was advertised on hacking forums for around $300; later, other hackers started offering it for less than $80 in cybercriminal circles. Over time, lokistov added new features, including keylogging and desktop screenshot capture.
What Can You Do to Prevent a LokiBot Attack?
According to the CISA LokiBot advisory, steps you can take to protect yourself from LokiBot include:
- Maintain up-to-date antivirus signatures and engines.
- Keep your operating system patches up to date.
- Disable file and printer sharing services.
- Enforce multi-factor authentication.
- Restrict users’ ability to install and run unwanted software applications.
- Do not add users to the local administrators’ group unless required.
- Enforce a strong password policy.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments.
- Monitor users’ web browsing habits and restrict access to sites with unfavorable content.
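The following PowerShell script is an added example, not part of the CISA advisory or this article, that audits a Windows host against several of the controls listed above (antivirus signature age, firewall default inbound action, file and printer sharing rules, local administrator membership, and a couple of services). It assumes Microsoft Defender is the antivirus product and that the service names checked are ones your baseline disables; adjust both to your environment.

```powershell
# Added example: audit a Windows host against several CISA LokiBot mitigations.
# Read-only: it reports findings and changes nothing.
# Requires an elevated session on Windows 10 / Server 2016 or later.
# Assumption: Microsoft Defender is the AV product (Get-MpComputerStatus).

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Antivirus signatures and engine: flag definitions older than three days.
$mp = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 3) {
    $findings.Add("AV signatures are $([int]$sigAge.TotalDays) days old")
}
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is off") }

# 2. Personal firewall: every profile enabled and denying unsolicited inbound connections.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings.Add("Firewall profile '$($p.Name)' is disabled") }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' default inbound is '$($p.DefaultInboundAction)', not Block")
    }
}

# 3. File and printer sharing: no inbound rules in that group should be enabled.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
       Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($fps) { $findings.Add("$(@($fps).Count) inbound 'File and Printer Sharing' rules are enabled") }

# 4. Local administrators: list members so accounts that do not need the group can be removed.
$admins = Get-LocalGroupMember -Group 'Administrators'
$findings.Add("Local Administrators members: " + (($admins | ForEach-Object Name) -join ', '))

# 5. Unnecessary services: assumed baseline of services a workstation should keep disabled.
foreach ($svc in 'RemoteRegistry', 'TlntSvr') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -ne 'Disabled') {
        $findings.Add("Service '$svc' start type is '$($s.StartType)', expected Disabled")
    }
}

# Print one finding per line; an empty result means every check passed.
$findings
```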
If you are still having trouble, consider contacting remote technical support options.