LockerGoga is the most active ransomware of the moment; it focuses on targeting companies and bypasses signature-based AV detection.

LockerGoga ransomware is crypto-malware that loads the malicious file onto the system from an infected email attachment.

This threat is very critical these days, and it is the most active ransomware focused on targeting companies. Altran and Norsk Hydro are two companies severely affected by this wave, and the damage is enormous.

Altran said on Monday it had shut down its IT network and applications and that a recovery plan was under way.

On the other hand, the aluminum giant, Norway’s Norsk Hydro, said on Tuesday 19th that it was hit by a ransomware called LockerGoga.

“Hydro became victim of an extensive cyberattack in the early hours of Tuesday, impacting operations in several of the company’s business areas,” reads a statement issued by the company.

The first public mention related to the Altran cyber attack was seen in a tweet on January 25th, which received a reply from a computer security researcher hinting that a malware sample uploaded to VirusTotal was behind the attack.

The aluminum giant was also heavily impacted, with notes left by the security department asking employees to keep their computers and mobile devices disconnected from the Hydro network.

The ransomware’s name comes from the path used when its source code was compiled into an executable, as discovered by MalwareHunterTeam:

X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\rijndael_simd.cpp

According to a Recorded Future graphic, LockerGoga was first observed on January 24th in Romania and later in the Netherlands. The first big hit was the Altran attack, and now Norway’s Norsk Hydro has also seen its infrastructure severely compromised by this ransomware.

During the SI-LAB analysis, this ransomware bypassed AV signature-based detection: a sample submitted to VirusTotal on March 8th, 2019 received a score of 0/69, meaning nothing was detected.

In addition, the ransomware was also not detected by Microsoft Windows Defender. This means that any company within the attackers’ scope could be compromised by these crooks.

Note that the ransomware is probably detected later by antivirus behavioral analysis; heuristic and signature-based detection are easily bypassed.

The threat is signed with a valid digital certificate, issued for code signing by the Comodo Certificate Authority (acquired by Francisco Partners and now known by its new brand name, Sectigo).

SI-LAB observed that the ransomware normally targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

If the ransomware is launched with the ‘-w’ command line argument, it targets all file types. The other supported switches are ‘-k’ and ‘-m’, for base64 encoding and for providing the email addresses shown in the ransom note.

Another interesting detail is that the ransomware sample launched itself with the -w argument and spawned a new process for each file it encrypted, which made the encryption process very slow.

All the encrypted files are renamed, with the extension “.locked” appended.

After encryption, it will drop a ransom note named README-NOW.txt on the victim’s desktop, which includes instructions to contact the [email protected] or [email protected] email addresses for payment instructions.


Users who receive this kind of threat need to pay attention and report the situation as fast as possible. As seen, this ransomware can easily bypass AV protections, and one bad choice can compromise an entire infrastructure, impacting the lives of hundreds of people.

More details about LockerGoga are given below, in the Technical Analysis section.

Technical Analysis – LockerGoga


File name: yxugwjud6698.exe
Threat: LockerGoga ransomware
Ransom note: README-NOW.txt
File Extension: .locked
Encryption Algorithm: RSA-4096 and AES-256
SHA-256: eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

LockerGoga is a ransomware family that was initially discovered after attacks were launched against European companies, such as Altran Technologies in France and Norsk Hydro in Norway.

SI-LAB observed this ransomware and noted that a sample submitted to VirusTotal at 19-03-08 12:43:50 UTC was not classified as malicious.

Figure 1: LockerGoga ransomware not detected by VirusTotal.

This threat was also noted by MalwareHunterTeam, who mentioned the following in a tweet:

As shown, a few hours later some detections were already marked in VirusTotal, which indicates this ransomware was probably caught by AV engines through behavioral analysis.

Figure 2: LockerGoga detections by VirusTotal.

At first glance this ransomware seems to be FUD (fully undetectable) malware. Let’s take a look.

Windows Defender does not detect LockerGoga

We ran the malware on a virtual machine with Windows 10 installed, and no malicious activity was detected by the Microsoft antivirus on March 12th. Moreover, we performed a single scan directly with Windows Defender, and no suspicious activity was flagged either.

Figure 3: LockerGoga not detected by Windows Defender.

As shown in Figure 4, no suspicious sections were noted, but some details need to be mentioned, namely:

  1. The ransomware is signed;
  2. It is packed;
  3. LockerGoga has associated mutex activities;
  4. It has anti-debug and anti-VM protections.

Figure 4: First LockerGoga fingerprint.

In detail, we can see that functions commonly used in anti-VM and anti-debug checks are called during execution, such as GetLastError(), IsDebuggerPresent() and OutputDebugStringA().

Another important aspect is that the ransomware was built with Microsoft Visual C++ 8, a toolchain widely used by threat actors and well suited to handling system calls at the lowest level.

The malware requires admin rights to run, so its manifest uses requireAdministrator. When a standard user starts such a process, the over-the-shoulder UAC dialog is shown, which gives the user an opportunity to ask an admin to supply their credentials.

Figure 5: Admin rights required when the malware is executed.

Looking at the binary in IDA, we can see that LockerGoga uses AES-256 and RSA to encrypt all the targeted files on the victims’ devices.

Figure 6: Cryptographic functions used by LockerGoga.

SI-LAB also observed that the ransomware normally targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

This ransomware is signed with a code-signing certificate issued by Sectigo, the Comodo Certificate Authority (acquired by Francisco Partners and now known by its new brand name, Sectigo).

Figure 7: This ransomware is signed by Sectigo, Comodo Certificate Authority.

Behavior Analysis

When executed, the ransomware starts with the ‘-w’ command line argument, which makes it target all file types. The other supported switches are ‘-k’ and ‘-m’, for base64 encoding and for providing the email addresses shown in the ransom note.

Another interesting detail is that the ransomware sample launched itself with the -w argument and spawned a new process for each file it encrypted, which made the encryption process very slow.

Figure 8: Malware launches several copies of itself to encrypt targeted files.
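The per-file self-spawning behaviour described above is itself a usable behavioral signal when signatures miss the sample. As an added illustration (not code from the original SI-LAB analysis), the Python script below walks constructed process-creation events (the pipe-separated format, the pids and the paths are assumed) and flags any parent that spawns many copies of its own image with the -w switch.

```python
from collections import defaultdict

# Constructed process-creation events (not real Sysmon/EDR output), one per line:
#   <timestamp>|<pid>|<ppid>|<image>|<command line>
# PID 1200 is the first LockerGoga instance; it spawns copies of itself with -w.
SAMPLE_EVENTS = r"""
2019-03-12T10:00:01|1200|900|C:\Users\victim\yxugwjud6698.exe|yxugwjud6698.exe -w
2019-03-12T10:00:02|1301|1200|C:\Users\victim\yxugwjud6698.exe|yxugwjud6698.exe -w
2019-03-12T10:00:02|1302|1200|C:\Users\victim\yxugwjud6698.exe|yxugwjud6698.exe -w
2019-03-12T10:00:03|1303|1200|C:\Users\victim\yxugwjud6698.exe|yxugwjud6698.exe -w
2019-03-12T10:00:03|2100|900|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2019-03-12T10:00:04|1304|1200|C:\Users\victim\yxugwjud6698.exe|yxugwjud6698.exe -w
2019-03-12T10:00:04|1305|1200|C:\Users\victim\yxugwjud6698.exe|yxugwjud6698.exe -w
2019-03-12T10:00:05|2200|2100|C:\Windows\System32\cmd.exe|cmd.exe /c echo hi
"""


def parse_events(text):
    """Parse the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def find_self_spawning(events, threshold=5, switch="-w"):
    """Return {parent_pid: [child pids]} for every parent that spawned at least
    `threshold` children running the same image with the given switch.
    Benign software rarely forks one copy of itself per file, so this fan-out
    stands out even when the binary scores 0/69 on signature scanners."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        same_image = parent["image"].lower() == e["image"].lower()
        if same_image and switch in e["cmdline"].split():
            children[e["ppid"]].append(e["pid"])
    return {ppid: pids for ppid, pids in children.items() if len(pids) >= threshold}


if __name__ == "__main__":
    for ppid, pids in find_self_spawning(parse_events(SAMPLE_EVENTS)).items():
        print(f"suspicious fan-out: pid {ppid} spawned {len(pids)} copies of itself with -w")
```

The cmd.exe pair in the sample is the same image but lacks the switch, so it is not reported; tune the threshold to the fan-out your telemetry normally shows.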

 

The ransomware appends the .locked extension to encrypted files’ names. This means that a file named readme.txt would be encrypted and then renamed to readme.txt.locked.

Figure 8: Files encrypted by LockerGoga — .locked extension is appended.

After encryption, it will drop a ransom note named README-NOW.txt on the desktop, which includes instructions to contact the [email protected] or [email protected] email addresses for payment instructions.

Figure 9: Ransom note dropped by the malware on the user’s desktop.

After a memory analysis, no RSA or AES keys that could be used to decrypt the targeted files were found. Nonetheless, there is good news for victims: the ransomware does not affect Windows shadow copies.

Final Notes

In the recent past, several variants of this ransomware have been noted. For that reason, it’s important for users and businesses to keep their antivirus fully updated with recent malware signatures.

SI-LAB also has a YARA rule available, which allows a more effective scan to detect threats of this nature.

Indicators of Compromise (IOC)

File name: yxugwjud6698.exe
Threat: LockerGoga ransomware
Ransom note: README-NOW.txt
File Extension: .locked
Encryption Algorithm: RSA-4096 and AES-256
SHA-256: eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

Hash

Associated email addresses
[email protected]
[email protected]

Ransom Note Text:

Greetings!

There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore the data. 
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.
will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security

To get information on the price of the decoder contact us at:
[email protected]
[email protected]

Yara Rule

rule LockerGoga {
   meta:
      description = "LockerGoga Ransomware - March Version"
      author = "SI-LAB - https://seguranca-informatica.pt"
      last_updated = "2019-03-01"
      tlp = "white"
      category = "informational"

   strings:
      $ransom_1 = "You should be thankful that the flaw was exploited by serious people and not some rookies." wide ascii nocase
      $ransom_2 = "Your files are encrypted with the strongest military algorithms RSA4096 and AES-256" wide ascii nocase
      $str = "(readme-now" wide ascii nocase
      $mlcrosoft = "Mlcrosoft" wide ascii nocase
      $cert = { 1D A2 48 30 6F 9B 26 18 D0 82 E0 96 7D 33 D3 6A } // Sectigo RSA Code Signing CA

   condition:
      3 of them
}
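To see how the rule’s “3 of them” condition and the wide/ascii/nocase modifiers behave, here is an added Python emulation of its string matching (this is not YARA itself nor SI-LAB’s code), run over two constructed buffers; the one simplification assumed is that nocase is plain ASCII case-folding.

```python
# Strings transcribed from the SI-LAB rule above; text strings are "wide ascii nocase".
TEXT_STRINGS = {
    "$ransom_1": "You should be thankful that the flaw was exploited by serious people and not some rookies.",
    "$ransom_2": "Your files are encrypted with the strongest military algorithms RSA4096 and AES-256",
    "$str": "(readme-now",
    "$mlcrosoft": "Mlcrosoft",
}
HEX_STRINGS = {"$cert": bytes.fromhex("1DA248306F9B2618D082E0967D33D36A")}  # Sectigo CA bytes


def matched_strings(data: bytes) -> set:
    """Return the names of rule strings present in data.
    'ascii' and 'wide' mean the text is searched both as raw bytes and as UTF-16LE;
    'nocase' is emulated by ASCII case-folding both sides (bytes.lower only touches
    A-Z, so the UTF-16LE null bytes are unaffected). Hex strings match byte-exact."""
    folded = data.lower()
    found = set()
    for name, text in TEXT_STRINGS.items():
        for needle in (text.encode("ascii"), text.encode("utf-16-le")):
            if needle.lower() in folded:
                found.add(name)
                break
    for name, pattern in HEX_STRINGS.items():
        if pattern in data:          # never search hex patterns in the folded copy
            found.add(name)
    return found


def rule_lockergoga(data: bytes) -> bool:
    """The rule's condition: '3 of them'."""
    return len(matched_strings(data)) >= 3


# Constructed buffers (not real samples): one mimics a binary carrying the ransom
# text as UTF-16LE plus the note name and certificate bytes; the other is benign.
SAMPLE_BINARY = (
    b"\x00" * 16
    + "YOUR FILES ARE ENCRYPTED with the strongest military algorithms RSA4096 and AES-256".encode("utf-16-le")
    + b"\x00" * 8 + b"(README-NOW" + b"\x00" * 4 + HEX_STRINGS["$cert"] + b"\x00" * 8
)
SAMPLE_BENIGN = b"Mlcrosoft Corporation: a harmless typo in an ordinary document"

if __name__ == "__main__":
    for label, buf in (("binary", SAMPLE_BINARY), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(matched_strings(buf)), "->", rule_lockergoga(buf))
```

The benign buffer hits only $mlcrosoft, which is why the rule requires three strings rather than any one of them.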

 

The YARA rule is also available on GitHub.