Alert! New malicious ransomware that’s evil is spreading

The Prince of Darkness is now wreaking havoc on computers running Windows. As with other ransomware, hackers gain control of computers and servers and won’t release them until a ransom is paid.

Experts discovered the new malicious ransomware, dubbed LooCipher, as services in various cities have been paralyzed by other ransomware programs. A city in Florida recently paid hackers the ransom, while Baltimore continues to try to get its services up and running after city officials refused to pay.

What makes this ransomware more dangerous is that unlike others such as WannaCry, Petya and Eternal Blue that hit high-profile targets, this one appears to be infecting personal computers. We’ll show you how the new ransomware works and how to prevent getting it.

LooCipher is attacking computers

Photo Credit: BleepingComputer

BleepingComputer reports that LooCipher was first discovered by security researcher Petrovic. Since then, BleepingComputer states it has seen multiple people’s computers being infected with this new ransomware.

Joining the LooCipher watch team is Michael Gillespie, a ransomware researcher who analyzes ransomware in order to create free decryptors for victims.

LooCipher is said to be spreading by a spam phishing campaign. It gets into computers by pushing recipients of the phishing email to open a Word document called Info_BSV_2019.docm.

When the Word document is opened, it asks the user to enable macros. Once you enable macros, it’s game over. Your computer is now a hostage.

How LooCipher works

If you enable macros, the malicious Word doc connects to a Tor server where an executable file is downloaded to your computer. It renames itself LooCipher.exe and begins running automatically.

When LooCipher is executed, it creates a file on the Windows desktop. The file stores your computer’s ID, a time limit after which the decryption key will expire and a Bitcoin address. The ransomware then begins to encrypt the files on your computer.

Ransom notes called @Please_Read_Me.txt will also be created. The notes contain the ransom amount, a Bitcoin address to send the money and instructions on how to pay. LooCipher’s current ransom is $330.

In case a victim didn’t read the ransomware note, LooCipher will change the desktop wallpaper to another ransom note.

Finally, the LooCipher Decryptor window will be displayed. This window contains a countdown until the decryption key will be deleted and a button to check if a payment has been made.

If the ransom is paid, LooCipher will allegedly download the decryption key from the Tor servers and enable the Decrypt button so victims can recover their files.

BleepingComputer reports that the payment process has not been tested, so it’s not known if a computer will be released by the hackers once they are paid or even if the decryption key actually works. I mean, you can’t really trust criminals and their word, right?!?!
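
The file names reported above can drive a quick triage of a downloads folder or user profile. This Python script is an added example, not code from the article or from BleepingComputer: it flags those names and any Office Open XML document that carries a VBA macro project. The extension list and the `vbaProject.bin` check are assumptions of this example, and legacy `.doc` files are not inspected.

```python
import os
import zipfile

# File names reported in the article; matched case-insensitively as on Windows.
KNOWN_NAMES = {
    "info_bsv_2019.docm": "phishing attachment",
    "loocipher.exe": "ransomware executable",
    "@please_read_me.txt": "ransom note",
}
# Assumed list of Office Open XML extensions worth opening (not from the article).
OOXML_EXTS = (".docm", ".docx", ".dotm", ".xlsm", ".xlsx", ".pptm", ".pptx")


def has_vba_macros(path):
    """True if an OOXML file (a ZIP container) carries a VBA project part."""
    try:
        with zipfile.ZipFile(path) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # not a ZIP container or unreadable: no verdict


def triage(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = KNOWN_NAMES.get(name.lower())
            if reason:
                findings.append((rel, reason))
            if name.lower().endswith(OOXML_EXTS) and has_vba_macros(full):
                findings.append((rel, "contains VBA macros"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, reason in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

A name match is only a lead for further inspection, since the names are trivial to change; the macro check applies to any macro-enabled attachment regardless of its name.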

How to protect computers from ransomware

Since LooCipher is spread through phishing, it’s important that you not open documents in emails unless you are absolutely certain they come from a legitimate source. If you don’t open the document that summons LooCipher — or any type of ransomware for that matter — you’ll have no problems.

But just in case, and because it’s a good practice, back up your computer’s data regularly.

Also, make sure the backups are stored offline so ransomware won’t capture those files as well. You can find other important steps to take to protect your computer from ransomware here.
