The AchieVer Posted March 23, 2019

LockerGoga Ransomware – Another Threat To Businesses

Recently, LockerGoga ransomware made it to the news after repeated attacks on different organizations. The ransomware first became known after attacking Altran Technologies in January 2019. Then, a couple of days ago, the well-known aluminum producer Norsk Hydro suffered a cyber attack. Initial reports have revealed that the firm faced a LockerGoga attack. In both instances, the ransomware compelled the victim firms to shut down their IT operations. Following the recurrence of ransomware attacks and the involvement of LockerGoga, cybersecurity experts have started unveiling the details of this ransomware. Here we share brief details about the malware.

LockerGoga Ransomware

As revealed in the malware analysis by Trend Micro, LockerGoga is feisty ransomware that disables the Wi-Fi or Ethernet adapters of the target systems, making them lose connection. (Possibly the reason why the victims of this ransomware attack faced an IT shutdown.) As explained by Trend Micro regarding its propagation, “LockerGoga enumerates the infected system’s Wi-Fi and/or Ethernet network adapters. It will then attempt to disable them through the CreateProcessW function via command line (netsh.exe interface set interface DISABLE) to disconnect the system from any outside connection.”

After being installed on the victim machine, the ransomware changes the passwords of user accounts, causing them to log off. It then encrypts the data stored in the system via AES-256 or RSA encryption. “Each time LockerGoga encrypts a file, a registry key (HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session00{01-20}) is modified.” The encrypted files display modified file names with a ‘.locked’ extension. After encryption, it leaves the ransom note on the victim’s desktop. This note may have the file name ‘README_LOCKED’ or ‘README-NOW’, depending on the malware variant.

According to Pedro Tavares of SI-LAB, preventing LockerGoga attacks seems difficult as it evades signature-based AV detection. It also goes undetected by Microsoft Windows Defender. It targets a number of file types including spreadsheets, Word files, PowerPoint presentations, PDF files, database files, and videos. In addition, it can also encrypt JavaScript and Python files.

Common Targets Include Business Firms

LockerGoga can be considered crypto-malware that primarily targets businesses. As stated by Tavares, it usually reaches a company’s IT systems via malicious emails and locks out users of the systems. “LockerGoga ransomware is a crypto-malware that loads the malicious file on the system from an infected email attachment.” Unlike most other ransomware, this malware neither exhibits network activity nor links back to a C&C server. Unlike Ryuk ransomware, which also targets specific entities, LockerGoga does not show signs of data theft and network propagation. Following adverse data encryption and loss of connection, it demands ransom in Bitcoins. What’s noteworthy here is that the attackers do not specify the amount for the ransom. Rather, they keep it variable by linking it with the victim’s efficiency in contacting them.

Ransomware attacks targeting business firms can turn out to be extremely devastating. Such attacks not only affect the victim’s IT infrastructure but may also cause huge financial and data losses. Such instances also trigger unauthorized selling of data on the dark web since the attackers gain access to massive records at once. It is high time organizations adopted robust security measures to protect their infrastructure. Not to forget creating awareness among the staff and training them in best cybersecurity practices.

Source
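The behaviours quoted above (netsh adapter disabling, RestartManager Session00xx registry writes, ‘.locked’ files and the README_LOCKED / README-NOW notes) map directly onto host telemetry. The script below is an added example, not code from the post or its sources: it runs simple detection rules over constructed Sysmon-style key=value log lines; the log format, field names and the "two distinct indicators" threshold are assumptions, not anything LockerGoga or Sysmon specifies.

```python
import re

# Constructed sample telemetry in an assumed "key=value" line format, not real logs.
SAMPLE_EVENTS = [
    'type=ProcessCreate image=C:\\Windows\\System32\\netsh.exe cmdline="netsh.exe interface set interface Ethernet DISABLE"',
    'type=RegistryEvent target=HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session0001 action=SetValue',
    'type=RegistryEvent target=HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\RestartManager\\Session0002 action=SetValue',
    'type=FileCreate target=C:\\Users\\alice\\Documents\\budget.xlsx.locked',
    'type=FileCreate target=C:\\Users\\alice\\Desktop\\README_LOCKED.txt',
    'type=ProcessCreate image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
NETSH_DISABLE_RE = re.compile(r'netsh(\.exe)?\s+interface\s+set\s+interface\b.*\bDISABLE\b', re.I)
RM_SESSION_RE = re.compile(r'\\RestartManager\\Session00(0[1-9]|1[0-9]|20)$', re.I)  # Session0001..0020
LOCKED_EXT_RE = re.compile(r'\.locked$', re.I)
RANSOM_NOTE_RE = re.compile(r'\\README[_-](LOCKED|NOW)(\.\w+)?$', re.I)


def parse_event(line):
    """Turn one key=value line into a dict (quoted values may contain spaces)."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def classify(event):
    """Return the indicator name one parsed event matches, or None."""
    kind = event.get('type')
    if kind == 'ProcessCreate' and NETSH_DISABLE_RE.search(event.get('cmdline', '')):
        return 'netsh_adapter_disable'
    if kind == 'RegistryEvent' and RM_SESSION_RE.search(event.get('target', '')):
        return 'restartmanager_session_write'
    if kind == 'FileCreate':
        target = event.get('target', '')
        if RANSOM_NOTE_RE.search(target):
            return 'ransom_note_dropped'
        if LOCKED_EXT_RE.search(target):
            return 'locked_extension_file'
    return None


def triage(lines):
    """Count how often each indicator fires across a batch of log lines."""
    counts = {}
    for line in lines:
        indicator = classify(parse_event(line))
        if indicator:
            counts[indicator] = counts.get(indicator, 0) + 1
    return counts


def looks_like_lockergoga(counts):
    """Assumed alerting threshold: two or more distinct indicators on one host."""
    return len(counts) >= 2


if __name__ == '__main__':
    hits = triage(SAMPLE_EVENTS)
    print(hits, 'ALERT' if looks_like_lockergoga(hits) else 'no alert')
```

A single RestartManager write is normal Windows behaviour (any installer uses it); the value of the rule is the burst of Session00xx writes alongside the other indicators, not the key alone.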
The AchieVer Posted March 26, 2019

LockerGoga bug crashes ransomware before encrypting files

Bug could be used to create (temporary) LockerGoga vaccines.

Image: Kevin Beaumont

LockerGoga, the ransomware that hit Norsk Hydro and two US chemical companies over the past month, contains a bug in its code that may allow victims to "vaccinate" their PCs and crash the ransomware before it encrypts any local files. The bug, discovered by security researchers at Alert Logic, is located in a LockerGoga subroutine that executes before the encryption process begins. The subroutine is a basic scan of all files on the victim's system, so the ransomware knows what files to encrypt and what to skip.

Alert Logic researchers say that if LockerGoga encounters an LNK (shortcut) file that contains an invalid path, the ransomware's process crashes without performing the subsequent encryption. "We have identified two conditions for the '.lnk' file which would allow it to halt the ransomware in its tracks," the Alert Logic team said. "The '.lnk' file has been crafted to contain an invalid network path. The '.lnk' file has no associated RPC endpoint."

This trick may allow antivirus vendors to create what they call a "vaccine" -- an app that creates malformed LNK files on users' computers that prevent LockerGoga from running. However, this bug only offers temporary relief. The LockerGoga ransomware group is also bound to find out about it and patch it in a future version.

TWO NEW LOCKERGOGA VICTIMS EMERGE

LockerGoga is one of today's most dangerous ransomware strains. For the past three months, the ransomware has been deployed as part of highly targeted attacks against high-profile targets. Hackers breach large companies, and after they gain access to internal networks, they deploy LockerGoga to as many workstations as they can for maximum damage.

French engineering firm Altran, Norwegian aluminum provider Norsk Hydro, and two US chemical firms, Hexion and Momentive, have reported infections so far -- with news of the last two companies being hit emerging over the weekend. While Norsk Hydro said it wouldn't pay the ransom and would instead restore infected computers from old backups, things haven't been rosy at Momentive. The company is said to have ordered new computers to replace the ones encrypted by LockerGoga, according to a Motherboard report citing an employee.

Source