Ransomware Resource: Security Primer on LockerGoga

If you're a regular reader, then you know we love to share resources that help cybersecurity leaders and teams (that is, you) keep organizations secure.

It's the reason SecureWorld recently wrote about a growing list of free ransomware decryption keys.

And it's why we are letting you know about a new Security Primer on LockerGoga ransomware, published by the Multi-State ISAC.

LockerGoga ransomware, as you may know, has been causing industrial-sized heartburn on multiple continents this year.

This includes interrupted operations at global aluminum and energy giant Norsk Hydro, French engineering consulting firm Altran, and U.S. chemical companies Hexion and MPM Holdings (Momentive).

Losses for Norsk Hydro, alone, are likely at $40 million and rising.

MS-ISAC update on LockerGoga ransomware

Here are a few highlights from the security update on LockerGoga in 2Q 2019:

• The ransomware's code is digitally signed using valid certificates which could let it evade security tools and get on systems.
• The CTAs reportedly use Metasploit and Cobalt Strike to move laterally across a network. They also reportedly use the Mimikatz tool to pull passwords out of memory to compromise other accounts, including those with higher privileges.
• The malware is dropped in the %TEMP% folder with random number extensions, such as the following:
  • %TEMP%\svc{random}.{randomnumber}.exe
  • executed as %TEMP%\svc{random}.{random number}.exe -{random} -{random} {random}
  • Example: %TEMP%\tgytutrc{4 Random Numbers}.exe
• LockerGoga then attempts to clear the Windows event logs, creates the ransom note, and begins the encryption process.

Here is the MS-ISAC Security Primer on LockerGoga ransomware for additional details on this variant. And you might also want to scan the best practices to mitigate ransomware risks.

And if you're interested in joining the InfoSec discussion on both persistent and emerging threats, check out your region's SecureWorld conference in 2019.