Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

3/27/2019
11:30 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Investigation Into LockerGoga Ransomware Finds Flaws in the Code

Preliminary analysis of LockerGoga shows it has, in its current forms, limited ability to spread in a network.

LockerGoga is ransomware that has recently affected some high-profile industrial manufacturers like Norse Hydro, Hexicon and Momentive.

Preliminary analysis of it shows it has, in its current forms, limited ability to spread in a network. Some analysts think that it spreads within a company by leveraging Active Directory. Some think that it may use the server message block (SMB) protocol, which would mean that the ransomware manually copies files from computer to computer. But Palo Alto Networks has found 31 variants of the code thus far, so there is always the possibility that other means may be employed.

The malware seems to be more sophisticated than other ransomware due to its use of undocumented Windows API calls.

But it's not perfect.

Alert Logic found some rather interesting characteristics about the malware that it posted on its blog. They admit that they are not sure if what they found is true for all the variants in the wild, but is certainly worth consideration.

They found that, "Once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the '.lnk' file extension -- a shortcut used in Windows to link files. When it encounters a '.lnk' file it will utilize the built-in shell32 / linkinfo DLLs to resolve the '.lnk' path. However, if this '.lnk' path has one of a series of errors in it, then it will raise an exception—an exception which the malware does not handle." This causes direct effects. Namely, if the malware does not handle an exception, it will be terminated by the operating system. That is standard behavior.

That means that in this case the malware stops before it encrypts, since the file review process is done first. The malware file will still be present on the victim machine, but it will be inert.

Alert Logic found a .lnk file will stop the malware if it is resident in the "Recent Items" folder and if it has been crafted to contain an invalid network path. Also, the ".lnk" file should have no associated RPC endpoint.

So, creating a malformed .lnk path can inoculate against some of the variants of this ransomware. It won't protect against whatever method was used by the ransomware to gain a foothold on the system, so that must also be performed.

Cisco Talos found that some of the newer variants of the malware will forcibly log the victim off from the infected system as well as remove their ability to log back in following the encryption process. They cannot then attempt to comply with any ransom demands. This variant should be considered destructive.

It can only be hoped that the threat actors do not learn from their mistake and come up with a way to perform exception handling in a newer version. But for the moment, this is a way to put up roadblocks in the ransomware's path.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21742
PUBLISHED: 2021-09-25
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
CVE-2020-20508
PUBLISHED: 2021-09-24
Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.
CVE-2020-20514
PUBLISHED: 2021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.
CVE-2016-6555
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in ver...
CVE-2016-6556
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This iss...