LockerGoga Ransomware Description
While security researchers have expected ransomware attacks to slow down in 2019, recent ransomware outbreaks remind us that we must remain ever vigilant. One such outbreak that made headlines involved a ransomware known as LockerGoga. The ransomware targeted Norwegian manufacturing company Norsk Hydro, one of the world's top aluminum producers, forcing it to halt operations in multiple factories. This severely hindered the company's production and caused its stocks to fall by 0.8 percent. It is also suspected that a variant of LockerGoga was used to target French engineering company Altran Technologies earlier in January.
Ransomware is a type of malware that encrypts the files of a computer system to extort a ransom from its target. There are multiple families of ransomware and an even higher number of variants within each of those families. Each of them uses a different set of tools and libraries to infect and encrypt a system. The ransomware in question, LockerGoga, was developed using C++ and implements the Crypto++ library for its encryption operations and the Boost library to manage system processes.
It is not yet known what vector the malware uses to infect a system. In the case of Altra Technologies, forensics suggest that the infection occurred through a phishing attack. It is also possible that the targeted network was already compromised through other hacking methods, creating a backdoor to drop the malware's payload. The executable also has a signed certificate issued by Sectigo. As of now, these certificates have been revoked.
Once in the system, LockerGoga uses a renamed version of the system administration tool PsEXEC to execute the payload. It is unknown how the malware spreads within a network; however, researchers believe that it spreads by using stolen remote desktop protocol (RDP). This would mean that the malware can spread from an infected terminal to others within the network.
When LockerGoga's code is executed, it will issue a command in the command line to relocate it to the TEMP folder and renames itself with a random number. The ransomware will then run two additional commands that use the Boost library to create a master process that enumerates files in the system and multiple child processes tasked with the encryption of data. The user will then be presented with a ransom note containing instructions on how to contact and pay the bad actor to decrypt the system.
Figure 1. LockerGoga Ransom Note
After the encryption process is done, the encrypted files will have ".locked" extension appended to them. LockerGoga targets the following file extensions in a system:
.doc, .dot, .pot, .ppsx, .pptx, .posx, .potx, .sldx, .pdf, .db, .sql, .cs, .ts, .js, .py, .docb, .dotx, .docx, .xlt, .xltx, .xlsb, .xlw, .ppt, .pps, .wkb, .xlm, .xml, .xls, .xlsx.
While LockerGoga targets these particular extensions, it can encrypt any file in a hard drive. LockerGoga will also block outside network connections by disabling any Wi-Fi or Ethernet adaptors on the system. Specific variants of the ransomware, such as the one used at Norsk Hydro, will also log out all users and change their passwords to "HuHuHUHoHo283283@dJD".
A variation of the LockerGoga ransom note is as follows:
There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.
Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore your data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.
To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).
We exclusively have decryption software for your situation
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.
To get information on the price of the decoder contact us at:
The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security
While some variants of LockerGoga seek to make a profit at their victim's expense, later variants seem only interested in disrupting operations by permanently "bricking" the system. This is done by encrypting the Boot Manager on windows systems which would render the machine inoperable and unable to display ransom notes with instructions for decryption.
Figure 2. Newer variants of LockerGoga can encrypt Windows Boot Manager and render the computer inoperable.
As in every case involving ransomware, it is not recommended for companies and individuals to pay up the ransom since it incentivizes cybercriminals to keep conducting these malware campaigns. Furthermore, there is no assurance that the perpetrators will decrypt the system. Having up-to-date back-ups of all your data along with good cybersecurity policies is the best way to combat ransomware incidents.
Do You Suspect Your PC May Be Infected with LockerGoga Ransomware & Other Threats? Scan Your PC with SpyHunterSpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like LockerGoga Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Security Doesn't Let You Download SpyHunter or Access the Internet?Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
- Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
- Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
- Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
- IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.