About LooCipher Ransomware
Marc Briggs
DSM - Peterborough's Green ISO27001 Data Centre | IT, Cyber & Cloud Services | Proud winner of a Cheesecake Raffle
The newest ransomware on the block is called LooCipher.
This sly piece of ransomware was discovered in the last few days and is being actively used to infect users. LooCipher is likely spread through spam email campaigns, arriving as an attached fake Microsoft Office document.
When the recipient opens the attachment, the document will go through the standard tactic of asking you to enable macros in order to view the content. When these macros are enabled, they’ll connect to an anonymous server and download an executable file. It’s this executable that will trigger the installation and deployment of LooCipher.
This is when the fun really starts.
LooCipher sets about creating a folder on your desktop called c2056.ini. It’ll then create a specific ID for the computer, a time limit after which the key will allegedly expire, and a nice, convenient bitcoin address for you to send payment to. LooCipher will then proceed to encrypt files on the computer.
Various ransom notes will be created on the user’s PC with names like @Please_Read_Me.txt. They contain an amount in euros, together with the aforementioned extremely convenient bitcoin address to send payment to, and instructions on how to do it.
At the time of writing, the ransom amount is €300, or approximately £268.
LooCipher will then go on to change the desktop wallpaper to a picture of the ransom note, again containing information on how to pay. Finally, the LooCipher Decryptor window will be displayed. This contains a countdown program that tells you how long you’ve got until your data will allegedly be deleted. If payment has been made, the ransomware will download a key from the anonymous servers and proceed to decrypt your files.
At this moment this process has not been tested and it’s not known if it works. I doubt it does and I would recommend you contact a trusted IT/Cyber Security company for support.
The link below shows you LooCipher in action.
https://www.youtube.com/watch?v=BgNNTyVvVxg
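A triage check for the artifacts named above, as an added example that is not part of the original article: it walks a directory tree (for instance a mounted copy of a users folder) looking for a desktop item called c2056.ini and for ransom notes named @Please_Read_Me.txt. The function names and the sample tree are constructed for illustration, and only the names the article gives are matched.

```python
import os
import tempfile
from pathlib import Path

# Names taken from the article; it says "names like", so other note names may exist.
MARKER_NAME = "c2056.ini"             # item created on the desktop
NOTE_NAMES = {"@please_read_me.txt"}  # ransom note, compared case-insensitively


def scan_for_loocipher(root):
    """Walk `root` and return artifact paths that match the article's names.

    Returns {"markers": [...], "notes": [...], "note_dirs": n}, where
    note_dirs is the number of distinct directories holding a ransom note.
    """
    markers, notes = [], []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        here = Path(dirpath)
        # The article calls c2056.ini a folder, so accept a file or a directory.
        if here.name.lower() == "desktop":
            for name in dirnames + filenames:
                if name.lower() == MARKER_NAME:
                    markers.append(str(here / name))
        for name in filenames:
            if name.lower() in NOTE_NAMES:
                notes.append(str(here / name))
    note_dirs = len({os.path.dirname(p) for p in notes})
    return {"markers": sorted(markers), "notes": sorted(notes), "note_dirs": note_dirs}


def build_sample_tree(base):
    """Constructed sample profile tree (not real data) for a dry run."""
    base = Path(base)
    for rel in ("alice/Desktop", "alice/Documents/reports", "bob/Desktop"):
        (base / rel).mkdir(parents=True)
    (base / "alice/Desktop/c2056.ini").write_text("constructed placeholder")
    (base / "alice/Desktop/@Please_Read_Me.txt").write_text("constructed")
    (base / "alice/Documents/reports/@please_read_me.TXT").write_text("constructed")
    (base / "bob/Desktop/notes.txt").write_text("benign")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = scan_for_loocipher(build_sample_tree(tmp))
        for kind in ("markers", "notes"):
            for path in result[kind]:
                print(f"{kind[:-1]}: {path}")
        print("directories with ransom notes:", result["note_dirs"])
```

The number of directories holding a note gives a rough view of how far the encryption pass reached in each profile, which helps decide what to restore from backup first.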