Malware Minute: LockerGoga

Over the last two years, malware known as ransomware has grown significantly. One of the most famous of these was WannaCrypt, also notoriously known as WannCry, which used the eternalblue exploit developed by the NSA and kept secret before NSA data leaks. While WannaCry was crippled due to Marcus Hutchins’ (aka Malware Tech) discovery of a kill switch, this has not prevented other ransomware developers from continuing down the path that the original developers (possibly the Lazarus Group of Pyongyang) developed. Petya then notPetya became household names in the security world, and ransomware became a known threat to many businesses, as well as government agencies thus incentivizing operating systems and anti-virus companies to offer backup packages to subscribers.

  Since the beginning of the year, security researchers have been watching a newer strain of ransomware called LockerGoga. LockerGoga was first submitted to malware database VirusTotal on January 24, 2019 (Rashid, 2019). This specific malware targets the industrial and manufacturing industry, which is very different from other variants of ransomware such as NotPetya and WannaCry, and recently forced Norwegian aluminum manufacturer Norsk Hydro to switch to manual operations (Greenberg, 2019). Ransomware effects users by encrypting all the files on their computer’s hard drives, and delivering a ransom, to the user to pay a ransom, usually in bitcoin, to the developers to receive the encryption key that will decrypt all their files. If the ransom is not paid within a specific amount of time, the data is encrypted forever or wiped from the device. Many organizations that have fallen prey to these types of attacks would be forced to pay the ransom to continue operating unless they had proper off-site backups of their data (see SamSam ransomware and Atlanta, GA).

For the industrial and manufacturing industry ransomware can be very disruptive. According to threat researchers, this strain of malware is particularly disruptive by shutting down computers completely, locking out users, and even making it difficult to pay the ransoms (Greenberg, 2019). Researchers are still determining how LockerGoga is infecting its targets and spreading through networks, unlike similar ransomware, NotPetya and WannaCry, the malware does not have wormlike abilities (Rashid, 2019). MalewareHunterTeam has noted that that the target’s credentials seem to be known prior to initial infection, possibly through Phishing campaigns (Greenberg, 2019).

In many cases of a malware attack, like any development operation, the tools go under continual developments, refining processes and improving their capabilities. Palo Alto Networks’ security research team Unit 42 believes that the group behind LockerGoga is still refining the ransomware and are figuring out how to add command-and-control features by calling undocumented Windows APIs and manipulating dynamically linked windows libraries that handle network connections (Rashid, 2019).

LockerGoga proves the need for proper backups, security policies, and trainings of employees again. Norsk Hydro has declined to pay the ransom but will be looking at a payout in rebuilding in the upwards of 80 Million dollars, having already spent 40 Million in the last week (Rashid, 2019). The cost to recover from this type of attack is often more expensive than the attacks themselves and could easily cause a smaller organization to go bankrupt.

Works Cited

Greenberg, A. (2019). A Guide to LockerGoga, The ransomware Crippling Industrial Firms. WIRED. Retrieved on March 28, 2019, from https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

Rashid, F. (2019). Researchers Still Unraveling LockerGoga Ransomware. Decipher. Retrieved on March 28, 2019, from https://duo.com/decipher/researchers-still-unraveling-lockergoga-ransomware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s