Jump to content

LockerGoga Ransomware – Another Threat To Businesses

The AchieVer

Recommended Posts

The AchieVer

LockerGoga Ransomware – Another Threat To Businesses 

Link to comment
Share on other sites

  • Replies 1
  • Views 343
  • Created
  • Last Reply
The AchieVer

LockerGoga bug crashes ransomware before encrypting files

Bug could be used to create (temporary) LockerGoga vaccines.

LockerGoga ransom note


Image: Kevin Beaumont

LockerGoga, the ransomware that hit Norsk Hydro and two US chemical companies over the past month, contains a bug in its code that may allow victims to "vaccinate" their PCs and crash the ransomware before it encrypts any local files.


The bug, discovered by security researchers at Alert Logic, is located in a LockerGoga subroutine that executes before the encryption process begins.

The subroutine is a basic scan of all files on the victim's system, so the ransomware knows what files to encrypt and what to skip.


Alert Logic researchers say that if LockerGoga encounters an LNK (shortcut) file that contains an invalid path, the ransomware's process crashes without performing the subsequent encryption.

"We have identified two conditions for the '.lnk' file which would allow it to halt the ransomware in its tracks," the Alert Logic team said. "The '.lnk' file has been crafted to contain an invalid network path. The '.lnk' file has no associated RPC endpoint."


This trick may allow antivirus vendors to create what they call a "vaccine" --an app that creates malformed LNK files on users' computers that prevent LockerGoga from running.


However, this bug only offers temporary relief. The LockerGoga ransomware group is also bound to found out about it and patch it in a future version.



LockerGoga is one of today's most dangerous ransomware strains. For the past three months, the ransomware has been deployed as part of highly targeted attacks against high-profile targets.

Hackers breach large companies, and after they gain access to internal networks, they deploy LockerGoga to as many workstations as they can for maximum damage.


French engineering firm Altran, Norwegian aluminum provider Norsk Hydro, and two US chemical firms, Hexion and Momentive, have reported infections so far --with news of the last two companies being hit emerging over the weekend.


While Norsk Hydro said it wouldn't pay the ransom and instead restore infected computers from old backups, things haven't been rosy at Momentive.

The company is said to have ordered new computers to replace the ones encrypted by LockerGoga, according to a Motherboard reportciting an employee.






Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...