


11:30 AM
Larry Loeb

Investigation Into LockerGoga Ransomware Finds Flaws in the Code

Preliminary analysis of LockerGoga shows it has, in its current forms, limited ability to spread in a network.

LockerGoga is ransomware that has recently affected some high-profile industrial manufacturers like Norsk Hydro, Hexion and Momentive.

Preliminary analysis shows that it has, in its current forms, limited ability to spread in a network. Some analysts think that it spreads within a company by leveraging Active Directory. Some think that it may use the Server Message Block (SMB) protocol, which would mean that the ransomware manually copies files from computer to computer. But Palo Alto Networks has found 31 variants of the code thus far, so there is always the possibility that other means may be employed.

The malware seems to be more sophisticated than other ransomware due to its use of undocumented Windows API calls.

But it's not perfect.

Alert Logic found some rather interesting characteristics of the malware, which it posted on its blog. The researchers admit that they are not sure whether what they found is true for all the variants in the wild, but it is certainly worth consideration.

They found that, "Once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the '.lnk' file extension -- a shortcut used in Windows to link files. When it encounters a '.lnk' file it will utilize the built-in shell32 / linkinfo DLLs to resolve the '.lnk' path. However, if this '.lnk' path has one of a series of errors in it, then it will raise an exception—an exception which the malware does not handle." This has a direct consequence: if the malware does not handle an exception, it will be terminated by the operating system. That is standard behavior.

That means that in this case the malware stops before it encrypts, since the file review process is done first. The malware file will still be present on the victim machine, but it will be inert.

Alert Logic found a .lnk file will stop the malware if it is resident in the "Recent Items" folder and if it has been crafted to contain an invalid network path. Also, the ".lnk" file should have no associated RPC endpoint.

So, creating a malformed .lnk path can inoculate against some of the variants of this ransomware. It won't protect against whatever method was used by the ransomware to gain a foothold on the system, so that must also be addressed.
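As an added illustration (not code from Alert Logic or from the original article), the following Python audits shortcut files such as those in "Recent Items": it reads the LinkInfo structure of Microsoft's documented shell link format (MS-SHLLINK) and reports whether each shortcut records a network share or is structurally malformed. The `sample_lnk` helper, the `host.invalid` share name and the junk bytes are constructed test inputs and are not a validated inoculation file.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK LinkCLSID
HAS_ID_LIST, HAS_LINK_INFO, HAS_NET_LINK = 0x1, 0x2, 0x2  # two LinkFlags, one LinkInfoFlags

class BadLink(ValueError): pass  # structurally invalid or truncated shortcut

def _read(buf, off, fmt="<I"):
    if off + struct.calcsize(fmt) > len(buf):
        raise BadLink(f"field at offset {off} lies past the end of the data")
    return struct.unpack_from(fmt, buf, off)[0]

def network_target(data):
    """Return the network share recorded in a .lnk, or None if there is none."""
    if len(data) < 76 or _read(data, 0) != 0x4C or data[4:20] != LINK_CLSID:
        raise BadLink("not a shell link header")
    flags, pos = _read(data, 20), 76
    if flags & HAS_ID_LIST:                    # skip the LinkTargetIDList
        pos += 2 + _read(data, pos, "<H")
    if not flags & HAS_LINK_INFO:
        return None
    info = data[pos:pos + _read(data, pos)]    # LinkInfo structure
    if len(info) < 0x1C or len(info) != _read(info, 0):
        raise BadLink("LinkInfo size out of bounds")
    if not _read(info, 8) & HAS_NET_LINK:
        return None
    net = info[_read(info, 20):]               # CommonNetworkRelativeLink
    start = _read(net, 8)                      # NetNameOffset
    end = net.find(b"\0", start)
    if end < 0:
        raise BadLink("unterminated NetName")
    return net[start:end].decode("cp1252", "replace")

def classify(data):
    """Report one shortcut; a malformed file is a finding, not a crash."""
    try:
        return ("ok", network_target(data))
    except BadLink as exc:
        return ("malformed", str(exc))

def sample_lnk(share):
    """Constructed input: minimal shortcut whose LinkInfo names `share`."""
    name = share.encode("cp1252") + b"\0"
    net = struct.pack("<5I", 0x14 + len(name), 0x2, 0x14, 0, 0x20000) + name
    fields = (0x1D + len(net), 0x1C, HAS_NET_LINK, 0, 0, 0x1C, 0x1C + len(net))
    info = struct.pack("<7I", *fields) + net + b"\0"
    return struct.pack("<I16sI", 0x4C, LINK_CLSID, HAS_LINK_INFO).ljust(76, b"\0") + info

if __name__ == "__main__":
    print([classify(d) for d in (sample_lnk(r"\\host.invalid\share"), b"junk")])
```

The parser only inspects the bytes on disk; it does not attempt to resolve the recorded path, so it cannot tell whether the network path is reachable.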

Cisco Talos found that some of the newer variants of the malware will forcibly log the victim off from the infected system as well as remove their ability to log back in following the encryption process. The victim then cannot attempt to comply with any ransom demands. This variant should be considered destructive.

It can only be hoped that the threat actors do not learn from their mistake and come up with a way to perform exception handling in a newer version. But for the moment, this is a way to put up roadblocks in the ransomware's path.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
