LockerGoga Ransomware

LockerGoga is a ransomware family recently making headlines due to its disruptive effects on the networks of industrial and manufacturing firms. Its recent victims include the Norwegian aluminum manufacturer Norsk Hydro, French engineering consulting firm Altran, and U.S. chemical companies Hexion and MPM Holdings (Momentive). The ransomware does not target or infect industrial control systems (ICS), but its debilitating effects on the business and production networks tied to those systems result in costly production downtime. In the Norsk Hydro case, this involved temporarily moving to manual production. LockerGoga reportedly targets other sectors as well, although a disproportionate number of victims are in the industrial/manufacturing sector.

HunterTeam named the malware LockerGoga after discovering the name in a file path used when compiling the source code into an executable. The malware appends a .locked extension to the files it encrypts.

At this time, the initial intrusion vector is unknown. The ransomware binaries are digitally signed with valid certificates, which could let them evade security tools that trust signed code and get onto systems; the certificates used in the known attacks have since been revoked. The cyber threat actors (CTAs) reportedly use Metasploit and Cobalt Strike to move laterally across a network. They also reportedly use the Mimikatz tool to pull passwords out of memory and compromise other accounts, including those with higher privileges.

It is believed that they then use admin-level credentials to target an organization’s Active Directory for widespread ransomware deployment. LockerGoga reportedly has no self-propagation mechanism, meaning the malware itself cannot spread across the network and must be deployed manually. However, Palo Alto Networks Unit 42 reports they observed: “LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer.”
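Because the operators copy the binary from host to host over SMB by hand, one account writing an executable into administrative shares (ADMIN$, C$) on several hosts within a short window is a detection signal worth having. The script below is an added example, not code from the original post or any vendor tool: it runs that rule over constructed Windows Security records shaped like Event ID 5145 (Detailed File Share; the ShareName, RelativeTargetName, AccessMask, SubjectUserName and IpAddress fields). The account names, hosts, IP addresses and file names are all made up for the demonstration.

```python
"""Added example (not from the original post): flag LockerGoga-style manual
SMB staging in Windows Security log data.

Event ID 5145 (Detailed File Share) records each access to a share object.
A single account writing an executable to ADMIN$ or C$ on several distinct
hosts within a short window is treated as a staging burst. The records
below are constructed, not real telemetry; field names follow the 5145 schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). "access" is the 5145
# AccessMask as logged: 0x2 = WriteData, 0x4 = AppendData.
SAMPLE_EVENTS = [
    {"time": "2019-03-19T01:02:10", "host": "WS-01", "user": "CORP\\svc_ops",
     "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "target": "payload.exe", "access": "0x2"},
    {"time": "2019-03-19T01:03:40", "host": "WS-02", "user": "CORP\\svc_ops",
     "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "target": "payload.exe", "access": "0x2"},
    {"time": "2019-03-19T01:04:15", "host": "WS-02", "user": "CORP\\svc_ops",
     "src_ip": "10.0.0.5", "share": "\\\\*\\C$", "target": "Windows\\Temp\\payload.exe", "access": "0x6"},
    {"time": "2019-03-19T01:05:02", "host": "WS-03", "user": "CORP\\svc_ops",
     "src_ip": "10.0.0.5", "share": "\\\\*\\C$", "target": "payload.exe", "access": "0x2"},
    # Benign: a document, not an executable.
    {"time": "2019-03-19T01:06:30", "host": "FS-01", "user": "CORP\\jdoe",
     "src_ip": "10.0.0.77", "share": "\\\\*\\C$", "target": "report.docx", "access": "0x2"},
    # Benign: an admin pushing one agent to one host.
    {"time": "2019-03-19T01:07:00", "host": "WS-09", "user": "CORP\\admin1",
     "src_ip": "10.0.0.9", "share": "\\\\*\\ADMIN$", "target": "agent.exe", "access": "0x2"},
    # Same account much later: outside the window, so a separate session.
    {"time": "2019-03-19T02:30:00", "host": "WS-04", "user": "CORP\\svc_ops",
     "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "target": "payload.exe", "access": "0x2"},
]

ADMIN_SHARES = {"ADMIN$", "C$"}
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".ps1")
WRITE_BITS = 0x2 | 0x4  # WriteData | AppendData


def is_exec_write_to_admin_share(ev):
    """True when the event is a write of an executable into an admin share."""
    share = ev["share"].rsplit("\\", 1)[-1].upper()  # "\\*\ADMIN$" -> "ADMIN$"
    if share not in ADMIN_SHARES:
        return False
    if not ev["target"].lower().endswith(EXEC_SUFFIXES):
        return False
    return (int(ev["access"], 16) & WRITE_BITS) != 0


def _close_session(user, session, min_hosts):
    """Turn a session into an alert if it touched enough distinct hosts."""
    hosts = sorted({e["host"] for e in session})
    if len(hosts) < min_hosts:
        return []
    return [{
        "user": user,
        "src_ips": sorted({e["src_ip"] for e in session}),
        "hosts": hosts,
        "files": sorted({e["target"] for e in session}),
        "first_seen": session[0]["time"],
        "last_seen": session[-1]["time"],
    }]


def find_staging_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """Group qualifying writes per account into sessions (consecutive events
    no more than `window` apart); a session reaching `min_hosts` distinct
    hosts becomes an alert."""
    per_user = {}
    for ev in events:
        if is_exec_write_to_admin_share(ev):
            per_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        session = []
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            if session and t - datetime.fromisoformat(session[-1]["time"]) > window:
                alerts.extend(_close_session(user, session, min_hosts))
                session = []
            session.append(ev)
        alerts.extend(_close_session(user, session, min_hosts))
    return alerts


if __name__ == "__main__":
    for alert in find_staging_bursts(SAMPLE_EVENTS):
        print(f"{alert['user']} from {alert['src_ips']} wrote {alert['files']} "
              f"to {len(alert['hosts'])} hosts between {alert['first_seen']} and {alert['last_seen']}")
```

The rule keys on distinct hosts rather than event count so that repeated writes to one machine (the two WS-02 records) do not inflate the score, and the window/min_hosts thresholds are parameters because a legitimate software-deployment account will look similar and needs to be tuned out per environment. Auditing 5145 requires the "Detailed File Share" subcategory to be enabled; it is not on by default.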

Cisco’s Talos group observed that some LockerGoga variants forcibly log victims off their devices. They are then unable to log back onto the device, which also means they may not see the ransom note.

LockerGoga reportedly does not use command-and-control (C2) infrastructure, either for communication or to generate encryption keys. This is a novel feature for ransomware, and its purpose may be to evade security tools that look for malicious C2 traffic.

[Image: LockerGoga ransom note. Source: BleepingComputer]

Indicators of Compromise

SHA-256

c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f
7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a

SHA-1

37cdd1e3225f8da596dc13779e902d8d13637360
b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b

SHA-256 (additional hashes; each value is a 64-character SHA-256 digest, not an MD5)

06e3924a863f12f57e903ae565052271740c4096bd4b47c38a9604951383bcd1
276104ba67006897630a7bdaa22343944983d9397a538504935f2ec7ac10b534
14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca
050b4028b76cd907aabce3d07ebd9f38e56c48c991378d1c65442f9f5628aa9e
f474a8c0f66dee3d504fff1e49342ee70dd6f402c3fa0687b15ea9d0dd15613a
ffab69deafa647e2b54d8daf8c740b559a7982c3c7c1506ac6efc8de30c37fd5
31fdce53ee34dbc8e7a9f57b30a0fbb416ab1b3e0c145edd28b65bd6794047c1
ae7e9839b7fb750128147a9227d3733dde2faacd13c478e8f4d8d6c6c2fc1a55
47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4
1f9b5fa30fd8835815270f7951f624698529332931725c1e17c41fd3dd040afe
c1670e190409619b5a541706976e5a649bef75c75b4b82caf00e9d85afc91881
7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125
e00a36f4295bb3ba17d36d75ee27f7d2c20646b6e0352e6d765b7ac738ebe5ee
9128e1c56463b3ce7d4578ef14ccdfdba15ccc2d73545cb541ea3e80344b173c
79c11575f0495a3daaf93392bc8134c652360c5561e6f32d002209bc41471a07
32d959169ab8ad7e9d4bd046cdb585036c71380d9c45e7bb9513935cd1e225b5
6d8f1a20dc0b67eb1c3393c6c7fc859f99a12abbca9c45dcbc0efd4dc712fb7c
a845c34b0f675827444d6c502c0c461ed4445a00d83b31d5769646b88d7bbedf

Email Addresses

[email protected][.]pl
[email protected][.]com
[email protected][.]com
[email protected][.]pl
[email protected][.]com
[email protected][.]com
[email protected][.]com
[email protected][.]pl
[email protected][.]com
[email protected][.]com
[email protected][.]pl
[email protected][.]pl
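The two host-level artefacts the post gives a defender, the file hashes above and the .locked extension appended to encrypted files, can be swept for with a short script. The one below is an added example, not code from the original post: it hashes every file under a directory and reports matches against the SHA-256 values listed on this page, and separately reports files carrying the .locked extension. The sample directory it builds in a temp folder (file names, contents) is constructed so the script runs offline; no real LockerGoga sample is involved.

```python
"""Added example (not from the original post): sweep a directory tree for
the LockerGoga indicators listed above.

Two checks: a file whose SHA-256 is in the indicator set, and files carrying
the .locked extension the ransomware appends. The hash set is copied from the
indicators on this page; the sample directory is constructed so the script
runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators copied from the post (both hash lists).
LOCKERGOGA_SHA256 = {
    "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15",
    "88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f",
    "eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0",
    "ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f",
    "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26",
    "c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a",
    "06e3924a863f12f57e903ae565052271740c4096bd4b47c38a9604951383bcd1",
    "276104ba67006897630a7bdaa22343944983d9397a538504935f2ec7ac10b534",
    "14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca",
    "050b4028b76cd907aabce3d07ebd9f38e56c48c991378d1c65442f9f5628aa9e",
    "f474a8c0f66dee3d504fff1e49342ee70dd6f402c3fa0687b15ea9d0dd15613a",
    "ffab69deafa647e2b54d8daf8c740b559a7982c3c7c1506ac6efc8de30c37fd5",
    "31fdce53ee34dbc8e7a9f57b30a0fbb416ab1b3e0c145edd28b65bd6794047c1",
    "ae7e9839b7fb750128147a9227d3733dde2faacd13c478e8f4d8d6c6c2fc1a55",
    "47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4",
    "1f9b5fa30fd8835815270f7951f624698529332931725c1e17c41fd3dd040afe",
    "c1670e190409619b5a541706976e5a649bef75c75b4b82caf00e9d85afc91881",
    "7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125",
    "e00a36f4295bb3ba17d36d75ee27f7d2c20646b6e0352e6d765b7ac738ebe5ee",
    "9128e1c56463b3ce7d4578ef14ccdfdba15ccc2d73545cb541ea3e80344b173c",
    "79c11575f0495a3daaf93392bc8134c652360c5561e6f32d002209bc41471a07",
    "32d959169ab8ad7e9d4bd046cdb585036c71380d9c45e7bb9513935cd1e225b5",
    "6d8f1a20dc0b67eb1c3393c6c7fc859f99a12abbca9c45dcbc0efd4dc712fb7c",
    "a845c34b0f675827444d6c502c0c461ed4445a00d83b31d5769646b88d7bbedf",
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=LOCKERGOGA_SHA256):
    """Walk `root`; report indicator hash matches and .locked files.

    Paths are returned relative to `root`, POSIX style, in sorted order.
    """
    root = Path(root)
    ioc = {h.lower() for h in ioc_hashes}  # hex digests compare case-insensitively
    hash_hits, locked_files, files_seen = [], [], 0
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        files_seen += 1
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() == ".locked":
            locked_files.append(rel)  # already-encrypted output; no point hashing it
        elif sha256_of(p) in ioc:
            hash_hits.append(rel)
    return {"files_seen": files_seen, "hash_hits": hash_hits, "locked_files": locked_files}


def build_sample_tree():
    """Constructed sample directory (not real victim data) for a local run."""
    root = Path(tempfile.mkdtemp(prefix="lockergoga_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "invoice.docx.locked").write_bytes(b"\x00" * 64)
    (root / "photo.jpg.locked").write_bytes(b"\x00" * 64)
    (root / "readme.txt").write_text("benign file\n")
    (root / "staged.bin").write_bytes(b"constructed stand-in for a staged binary")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"files seen: {result['files_seen']}")
    print(f"indicator hash matches: {result['hash_hits'] or 'none'}")
    print(f".locked files: {result['locked_files'] or 'none'}")
```

On a real host, point scan_tree at the drive root or a share; any hash hit is a high-confidence match, while a sudden rise in .locked files is the later, noisier signal that encryption has already run. Hash matching is exact, so a recompiled or repacked build will not match and the extension check should be kept alongside it.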

Duncan Newell

Duncan is a technology professional with over 20 years' experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
