Exclusive, experts at Yoroi-Cybaze ZLab released a free decryptor for Loocipher Ransomware

Articolo su CERT del 14/07/2019

Malware researchers at Yoroi-Cybaze ZLab have released a free decryptor tool for the Loocipher Ransomware.
Ransomware continues to be an easy way to monetize the criminal efforts and for this reason new malware appear in the threat landscape.

Loocipher is a new threat that is rapidly spreading, its functionalities are pretty straight forward as effective, common to many other ransomware families.

Recently experts at Yoroi-Cybaze ZLab published a detailed analysis of the Loocipher ransomware, below the key findings of the analysis:

The ransomware spreads using weaponized Word document.
The Command and Control is hosted on the TOR Network, at the following onion address “hxxp://hcwyo5rfapkytajg[.]onion” .
The attackers leverage several Tor2Web proxy services to easily allow the access to the Tor C2.
The binary can work both as cryptor and decryptor.
The C2 dynamically generates a different Bitcoin address for each infection.
As other ransomware families, LooCipher encrypts all the user files having the following extensions:

.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .py, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ai, .doc, .docm, .docx, .dxg, .odb, .odm, .odp, .ods, .odt, .orf, .ppt, .pptm, .pptx, .rtf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .pdf, .mobi, .epub, .sage

According to Fortinet, the encryption algorithm used by the LooCipher ransomware is AES-128 ECB with a 16-bytes key. The key is generated in a random way, starting from an array of pre-defined characters:

Since AES is a symmetric-key algorithm, retrieving the key it is possible to restore all encrypted files. The key will be sent to the C2 over HTTP as GET parameter (“k=”), but obviously it is obfuscated.

Experts pointed out an interesting details revealed by Fortinet researchers, the obfuscation method is very trivial. It consists in a simple replacing of each key characters with a pre-defined double-digit number, belonging to the following set:

So, once retrieved the obfuscated key it is possible to reconstruct the original key and decrypt all files. The crucial point is to extract the obfuscated key. As shown by Fortinet, this can be done in two ways:

  1. Intercepting the network traffic, when the malware sends the key to the C2. This method could be difficult because the key is sent only once, and it is necessary to capture the exact network traffic containing this request.
  2. Exploring the memory map of LooCipher process after the completion of the encryption. The entire path (including the key) used to contact the C2 is still stored in the process memory location. This could be complex to not experienced users.


The experts of Cybaze-Yoroi ZLab released an automatic tool that is able to extract the secret key and proceed with the decryption of all files previously encrypted by the LooCipher ransomware. The tool requires the LooCipher process to be active. So, it does not work if the process gets killed or the PC went restarted, because the process memory containing the key is reset.

The tool is available on Github at the following URL