[SI-LAB] LockerGoga is the most active ransomware that focuses on targeting companies

Pierluigi Paganini March 21, 2019

LockerGoga is the most active ransomware; experts warn that it focuses on targeting companies and bypasses AV signature-based detection.

LockerGoga ransomware is crypto-malware that loads the malicious file onto the system from an infected email attachment.

This threat is very critical these days, and it is the most active ransomware that focuses on targeting companies. Altran and Norsk Hydro are two companies severely affected in this wave, and the damage is huge.

Altran said on Monday it had shut down its IT network and applications and a recovery plan was under way.

On the other hand, the aluminum giant, Norway’s Norsk Hydro, said on Tuesday the 19th that it was hit by a ransomware called LockerGoga.

“Hydro became victim of an extensive cyberattack in the early hours of Tuesday, impacting operations in several of the company’s business areas,” reads a statement issued by the company.

The first public mention of the Altran cyber attack was a tweet on January 25th, which received a reply from a computer security researcher hinting that a malware sample uploaded to VirusTotal was behind the attack.

The aluminum giant was also heavily impacted, with notes left by the security department telling staff to keep their computers and mobile devices disconnected from the Hydro network.


This ransomware’s name comes from a source-tree path left in the compiled executable, which was discovered by MalwareHunterTeam:

  X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\rijndael_simd.cpp

According to the Recorded Future graphic illustrated below, LockerGoga was first observed on January 24th in Romania and later in the Netherlands. The first big hit was the Altran attack, and now Norway’s Norsk Hydro has also seen its infrastructure severely compromised by this ransomware.


During the SI-LAB analysis, this ransomware bypassed AV signature-based detection: a sample submitted to VirusTotal on March 8th, 2019 scored 0/69, with nothing detected.


In addition, the ransomware was also not detected by Microsoft Windows Defender. This means that any company within the attacker’s scope could be compromised by crooks.

Note that the ransomware is probably detected during antivirus behavioral analysis, whereas heuristic and signature-based detection are easily passed.

The threat is signed with a valid digital certificate, issued for code signing by Comodo Certificate Authority (acquired by Francisco Partners and now known by its new brand name Sectigo).


SI-LAB observed that the ransomware normally targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

If the ransomware is launched with the ‘-w’ command line argument, it targets all file types. Other supported switches are ‘-k’ and ‘-m’, for Base64 encoding and for providing the email addresses to show in the ransom note.

Another interesting thing is that the ransomware sample launches itself with the -w argument and also spawns a new process for each file it encrypts. In fact, this made the encryption process very slow.

All encrypted files are renamed with the extension “.locked” appended.

After encryption, it will drop a ransom note named README-NOW.txt on the victim’s desktop, which includes instructions to contact the [email protected] or [email protected] email addresses for payment instructions.


Users who receive this kind of threat need to pay attention and report the situation as fast as possible. As seen, this ransomware can easily bypass AV protections, and a bad choice can compromise an entire infrastructure, impacting the lives of hundreds of people.

More details about LockerGoga below in Technical Analysis.

Technical Analysis – LockerGoga


File name: yxugwjud6698.exe
Threat: LockerGoga ransomware
Ransom note: README-NOW.txt
File extension: .locked
Encryption algorithm: RSA-4096 and AES-256
SHA-256: eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0


LockerGoga is ransomware that was initially discovered after attacks were launched against European companies, such as Altran Technologies in France and Norsk Hydro.

SI-LAB observed this ransomware and noted that a sample submitted to VirusTotal at 2019-03-08 12:43:50 UTC was not classified as malicious.

Figure 1: LockerGoga ransomware not detected by VirusTotal.

This threat was also noted by MalwareHunterTeam, who mentioned the following in a tweet:

As shown, after a few hours some detections were already marked in VirusTotal, which indicates that AV engines probably detected this ransomware through behavioral analysis.

Figure 2: LockerGoga detections by VirusTotal.

At first glance this ransomware looks like FUD (fully undetectable) malware. Let’s take a look.

Windows Defender does not detect LockerGoga

We ran the malware on a virtual machine with Windows 10 installed, and no malicious activity was detected by the Microsoft antivirus on March 12th. Moreover, we performed a single scan directly with Windows Defender, and no suspicious activity was flagged either.

Figure 3: LockerGoga not detected by Windows Defender.

As shown in Figure 4, no suspicious sections were noted, but some details need to be mentioned, namely:

  1. The ransomware is signed;
  2. It is packed;
  3. LockerGoga has associated mutex activity;
  4. It has anti-debug and anti-VM protections.

Figure 4: First LockerGoga fingerprint.

In detail, we can see that functions commonly used in anti-VM and anti-debug routines are called during its execution, such as GetLastError(), IsDebuggerPresent() and OutputDebugStringA().

Another important aspect is that the ransomware was built with Microsoft Visual C++ 8; C++ is widely used by threat actors and well suited to handling system calls at the lowest level.

The malware requires admin rights to run, so it uses the requireAdministrator execution level. When a standard user starts such a process, the over-the-shoulder UAC dialog is shown, which gives the user an opportunity to ask an admin to supply their credentials.

Figure 5: Admin right required when malware is executed.

Looking at the binary in IDA, we can see that LockerGoga uses AES-256 and RSA to encrypt all the targeted files on the victims’ devices.

Figure 6: Cryptographic functions used by LockerGoga.

SI-LAB also observed that the ransomware normally targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

This ransomware is signed with a code-signing certificate issued by Comodo Certificate Authority (acquired by Francisco Partners and now known by its new brand name Sectigo).


Figure 7: This ransomware is signed by Sectigo (Comodo Certificate Authority).

Behavior Analysis

When launched with the ‘-w’ command line argument, the ransomware targets all file types. Other supported switches are ‘-k’ and ‘-m’, for Base64 encoding and for providing the email addresses to show in the ransom note.

Another interesting thing is that the ransomware sample launches itself with the -w argument and also spawns a new process for each file it encrypts. In fact, this made the encryption process very slow.

Figure 8: Malware launches several copies of itself to encrypt targeted files.

The ransomware appends the .locked extension to encrypted files’ names. This means that a file named readme.txt would be encrypted and then renamed to readme.txt.locked.


Figure 8: Files encrypted by LockerGoga — .locked extension is appended.

After encryption, it drops a ransom note named README-NOW.txt on the desktop, which instructs the victim to contact the [email protected] or [email protected] email addresses for payment instructions.
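As an added example (not code from the report or from SI-LAB), two triage helpers over the behaviour described in the summary above and in this Behavior Analysis section: one finds the appended .locked extension on targeted file types and the README-NOW.txt note in a file listing, the other flags an executable that spawns many copies of itself from process-creation events. The file paths, the process events and the Sysmon-style field names are assumptions.

```python
# Added example (not from the original analysis): triage helpers for the LockerGoga
# behaviour described above. All sample data at the bottom is constructed.
from collections import defaultdict
from pathlib import PureWindowsPath

# Default targeted file types, appended extension and ransom note named in the report.
TARGETED_EXTS = {".doc", ".dot", ".wbk", ".docx", ".dotx", ".docb", ".xlm", ".xlsx",
                 ".xltx", ".xlsb", ".xlw", ".ppt", ".pot", ".pps", ".pptx", ".potx",
                 ".ppsx", ".sldx", ".pdf"}
LOCKED_EXT, RANSOM_NOTE = ".locked", "readme-now.txt"
SWITCHES = {"-w", "-k", "-m"}  # command-line switches documented above


def find_encryption_artifacts(paths):
    """Return (encrypted, notes): files carrying the appended .locked extension
    over a targeted original type, and any README-NOW.txt ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name == RANSOM_NOTE:
            notes.append(p)
        elif name.endswith(LOCKED_EXT):
            # "budget.xlsx.locked" -> original name "budget.xlsx" -> suffix ".xlsx"
            if PureWindowsPath(name[:-len(LOCKED_EXT)]).suffix in TARGETED_EXTS:
                encrypted.append(p)
    return encrypted, notes


def detect_self_spawning(events, threshold=5):
    """Flag parents that spawn at least `threshold` copies of their own image (the
    one-process-per-file pattern above). Events are dicts with 'parent', 'image',
    'cmdline' (as in Sysmon ProcessCreate); returns {parent: (count, switches)}."""
    count, seen = defaultdict(int), defaultdict(set)
    for ev in events:
        parent, image = ev["parent"], ev["image"]
        if PureWindowsPath(parent).name.lower() == PureWindowsPath(image).name.lower():
            count[parent] += 1
            seen[parent] |= SWITCHES & set(ev["cmdline"].split())
    return {p: (n, sorted(seen[p])) for p, n in count.items() if n >= threshold}


# Constructed sample input (only the executable name is taken from the report), not real captures.
SAMPLE_PATHS = [r"C:\Users\ana\Documents\budget.xlsx.locked",
                r"C:\Users\ana\Documents\notes.txt.locked",  # .txt is not a default target
                r"C:\Users\ana\Documents\plan.pdf",           # untouched
                r"C:\Users\ana\Desktop\README-NOW.txt"]
MALWARE = r"C:\Temp\yxugwjud6698.exe"
SAMPLE_EVENTS = [{"parent": MALWARE, "image": MALWARE, "cmdline": "yxugwjud6698.exe -w"}
                 for _ in range(6)] + [{"parent": r"C:\Windows\explorer.exe",
                 "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"}]
```

The threshold is deliberately a parameter: legitimate software also forks copies of itself, so tune it against the environment's baseline before alerting on it.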


Figure 9: Ransom note dropped by the malware on the user’s desktop.

After a memory analysis, no RSA or AES keys were found that would allow decrypting the targeted files. Nonetheless, good news for victims: the ransomware does not affect Windows shadow copies.

Final Notes

In the recent past, several variants of this ransomware have been noted. It is therefore important for users and businesses to keep their antivirus fully updated with recent malware signatures.

SI-LAB has also made available a YARA rule that allows a more effective scan to detect threats of this nature.

Further technical details, including Indicators of Compromise (IoCs) and YARA rules, are reported in the analysis published by Pedro Tavares:

About the author Pedro Tavares:

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog segurancainformatica.pt.


(SecurityAffairs – LockerGoga, ransomware)
