Recently, LockerGoga ransomware made the news after repeated attacks on different organizations. The ransomware first became known after attacking Altran Technologies in January 2019. Then, a couple of days ago, the well-known aluminum producer Norsk Hydro suffered a cyberattack, and initial reports revealed that the firm was hit by LockerGoga. In both instances, the ransomware compelled the victim firms to shut down their IT operations.
Following these recurring ransomware attacks and the involvement of LockerGoga, cybersecurity experts have started unveiling the details of this ransomware. Here we share a brief summary of the malware.
LockerGoga Ransomware
As revealed in the malware analysis by Trend Micro, LockerGoga is feisty ransomware that disables the Wi-Fi or Ethernet adapters of the target systems, cutting them off from the network (possibly the reason why the victims of this ransomware attack faced an IT shutdown). As Trend Micro explains regarding its propagation,
“LockerGoga enumerates the infected system’s Wi-Fi and/or Ethernet network adapters. It will then attempt to disable them through the CreateProcessW function via command line (netsh.exe interface set interface DISABLE) to disconnect the system from any outside connection.”
After being installed on the victim machine, the ransomware changes the passwords of user accounts, forcing the users to log off. It then encrypts the data stored on the system using AES-256 or RSA encryption.
“Each time LockerGoga encrypts a file, a registry key (HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session00{01-20}) is modified.”
Encrypted files are renamed with a ‘.locked’ extension. After encryption, the ransomware leaves a ransom note on the victim’s desktop. Depending on the malware variant, the note is named ‘README_LOCKED’ or ‘README-NOW’.
According to Pedro Tavares of SI-LAB, preventing LockerGoga attacks seems difficult because it bypasses signature-based antivirus detection. It also goes undetected by Microsoft Windows Defender.
It targets a number of file types, including spreadsheets, Word files, PowerPoint presentations, PDF files, database files, and videos. In addition, it can also encrypt JavaScript and Python files.
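Because the malware reportedly slips past signature-based antivirus, defenders tend to look for the behaviours described above instead. The following added example (not from the article or from any of the cited analyses) scores constructed endpoint telemetry against three of those behaviours: the netsh adapter-disable command, a burst of renames to ‘.locked’, and a README_LOCKED / README-NOW note appearing on the desktop. The event tuple format, the host names and the ‘.txt’ suffix on the note are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry as (host, event_type, detail); not real logs.
EVENTS = [
    ("ws01", "process", r'netsh.exe interface set interface "Ethernet" DISABLE'),
    ("ws01", "file_rename", r"C:\Users\a\Documents\budget.xlsx -> C:\Users\a\Documents\budget.xlsx.locked"),
    ("ws01", "file_rename", r"C:\Users\a\Documents\plan.docx -> C:\Users\a\Documents\plan.docx.locked"),
    ("ws01", "file_rename", r"C:\Users\a\Documents\deck.pptx -> C:\Users\a\Documents\deck.pptx.locked"),
    ("ws01", "file_create", r"C:\Users\a\Desktop\README_LOCKED.txt"),  # .txt suffix is an assumption
    ("ws02", "process", r"netsh.exe interface show interface"),          # benign netsh use, must not match
    ("ws02", "file_rename", r"C:\tmp\notes.txt -> C:\tmp\notes.txt.locked"),  # one rename, below threshold
    ("ws03", "file_create", r"C:\Users\b\Desktop\README-NOW.txt"),
]

# Behaviours reported for LockerGoga: adapter disabling via netsh, mass renames
# to .locked, and a README_LOCKED / README-NOW note dropped on the desktop.
NETSH_DISABLE = re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\bDISABLE\b", re.I)
LOCKED_RENAME = re.compile(r"->\s*\S.*\.locked$", re.I)
RANSOM_NOTE = re.compile(r"\\README(_LOCKED|-NOW)(\.\w+)?$", re.I)


def score_hosts(events, rename_threshold=3):
    """Return {host: [reasons]} for hosts whose telemetry matches LockerGoga-like behaviour.

    Renames to .locked are only reported once a host reaches rename_threshold, so a
    single oddly named file does not raise an alert while a burst of renames does.
    """
    renames = defaultdict(int)
    reasons = defaultdict(list)
    for host, kind, detail in events:
        if kind == "process" and NETSH_DISABLE.search(detail):
            reasons[host].append("netsh adapter disable")
        elif kind == "file_rename" and LOCKED_RENAME.search(detail):
            renames[host] += 1
        elif kind == "file_create" and RANSOM_NOTE.search(detail):
            reasons[host].append("ransom note dropped")
    for host, count in renames.items():
        if count >= rename_threshold:
            reasons[host].append(f"{count} renames to .locked")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in score_hosts(EVENTS).items():
        print(host, "; ".join(why))
```

In real telemetry the rename threshold should be tied to a time window, since the burst of renames is what distinguishes encryption from ordinary file activity.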
Common Targets Include Business Firms
LockerGoga can be considered crypto-malware that primarily targets businesses. As stated by Tavares, it usually reaches a company’s IT systems via malicious emails and locks users out of those systems.
“LockerGoga ransomware is a crypto-malware that loads the malicious file on the system from an infected email attachment.”
Unlike most other ransomware, this malware exhibits no network activity and does not link back to a C&C server. Unlike Ryuk, another ransomware that targets specific entities, LockerGoga shows no signs of data theft or network propagation.
After encrypting the data and severing the connection, it demands a ransom in Bitcoin. What is noteworthy here is that the attackers do not specify a ransom amount. Instead, they keep it variable, tying it to how promptly the victim contacts them.
Ransomware attacks targeting business firms can turn out to be extremely devastating. Such attacks not only affect the victim’s IT infrastructure but may also cause huge financial and data losses. They can also lead to unauthorized selling of data on the dark web, since the attackers gain access to massive numbers of records at once. It is high time organizations adopted robust security measures to protect their infrastructure, along with creating awareness among staff and training them in cybersecurity best practices.