LooCipher Ransomware Decryptor Released for Free

Introduction

Recently, our ZLab research team published a detailed analysis of the LooCipher ransomware, a new malware threat that spreads via weaponized Word documents and abuses Tor network proxy services to reach its command and control servers.

The Cybaze-Yoroi ZLab team further analyzed this threat and defeated it, releasing a free decryptor for LooCipher victims.

Encryption Details

According to Fortinet, the encryption algorithm used by the LooCipher ransomware is AES-128 in ECB mode with a 16-byte key. The key is generated randomly from a pre-defined array of characters:

[Image: Loocipher Ransomware]

Since AES is a symmetric-key algorithm, recovering the key makes it possible to restore all encrypted files. The key is sent to the C2 over HTTP as a GET parameter ("k="), but, as one would expect, it is obfuscated.

[Image: Loocipher Ransomware]

An interesting detail revealed by the Fortinet researchers is that the obfuscation method is trivial: each character of the key is replaced with a pre-defined two-digit number from the following set:

[Image: Loocipher Ransomware]

So, once the obfuscated key has been retrieved, it is possible to reconstruct the original key and decrypt all files.
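The recovery path described above (read the "k=" GET parameter from a captured C2 request, undo the two-digit substitution, then decrypt AES-128-ECB with the recovered key), as an added example in Go. This is illustration code, not the ZLab tool's own source. The key alphabet, the two-digit code table (byte i maps to code 10+i), the C2 URL and the PKCS#7 padding are all constructed assumptions, since the post shows the real character set and code table only in screenshots and does not state the padding scheme:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Constructed stand-ins for the key alphabet and the two-digit code table (the real
// LooCipher sets appear only in screenshots in the post): byte i maps to code 10+i.
const keyAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// ObfuscateKey applies the substitution the post describes: every key byte becomes
// its two-digit code, so a 16-byte key is sent as 32 digits in the "k=" parameter.
func ObfuscateKey(key string) (string, error) {
	var sb strings.Builder
	for i := 0; i < len(key); i++ {
		idx := strings.IndexByte(keyAlphabet, key[i])
		if idx < 0 {
			return "", fmt.Errorf("key byte %q not in alphabet", key[i])
		}
		fmt.Fprintf(&sb, "%02d", 10+idx)
	}
	return sb.String(), nil
}

// DeobfuscateKey inverts the substitution pair by pair; malformed input is rejected,
// not guessed, because a wrong key would silently decrypt files to garbage.
func DeobfuscateKey(obf string) ([]byte, error) {
	if len(obf) != 2*aes.BlockSize { // 16 key bytes -> 32 digits for AES-128
		return nil, fmt.Errorf("obfuscated key has %d digits, want %d", len(obf), 2*aes.BlockSize)
	}
	key := make([]byte, 0, aes.BlockSize)
	for i := 0; i < len(obf); i += 2 {
		code, err := strconv.Atoi(obf[i : i+2])
		if err != nil || code < 10 || code-10 >= len(keyAlphabet) {
			return nil, fmt.Errorf("unknown code %q at offset %d", obf[i:i+2], i)
		}
		key = append(key, keyAlphabet[code-10])
	}
	return key, nil
}

// ExtractObfuscatedKey pulls the "k" GET parameter from a captured C2 request URL.
func ExtractObfuscatedKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if k := u.Query().Get("k"); k != "" {
		return k, nil
	}
	return "", errors.New(`no "k" parameter in URL`)
}

// EncryptECB only builds sample ciphertext: AES-128-ECB encrypts each 16-byte block
// independently with the same key. PKCS#7 padding is an assumption (not in the post).
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	for i := 0; i < len(buf); i += aes.BlockSize {
		block.Encrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	return buf, nil
}

// DecryptECB is the recovery step: decrypt block by block, then validate and strip padding.
func DecryptECB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or ciphertext length %d: %v", len(ciphertext), err)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(out); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return out[:len(out)-n], nil
}

func main() {
	// Constructed sample: a 16-byte key from the alphabet, seen in a hypothetical C2 URL.
	obf, _ := ObfuscateKey("Qw3rTyUiOp5aSdFg")
	k, _ := ExtractObfuscatedKey("http://c2.invalid/check.php?k=" + obf)
	key, _ := DeobfuscateKey(k)
	ct, _ := EncryptECB(key, []byte("Quarterly report: revenue up 12%"))
	pt, err := DecryptECB(key, ct)
	fmt.Printf("recovered key=%s plaintext=%q err=%v\n", key, pt, err)
}
```

The padding check doubles as a sanity check on the recovered key: with a wrong key the last block decrypts to noise and the validation fails instead of writing a corrupted file back to disk. Because ECB encrypts every block independently, identical plaintext blocks produce identical ciphertext blocks, which is why the mode leaks structure even when the key is unknown.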

The crucial point is to extract the obfuscated key. As shown by Fortinet, this can be done in two ways:

LooCipher Decryptor

As previously stated, Cybaze-Yoroi ZLab released an automatic tool that extracts the secret key and decrypts all files previously encrypted by the LooCipher ransomware. The tool requires the LooCipher process to be active.

The tool is available on GitHub at the following URL:

https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool

Enjoy it.