Rewterz Threat Alert – New LockerGoga Ransomware used in Cyber Attacks in Multiple Countries

Thursday, January 31, 2019

CATEGORY: Medium

SEVERITY: Cyber Crime

ANALYSIS SUMMARY

New LockerGoga Ransomware has been found mainly in a cyber attack on the French engineering consultancy, Altran Technologies.

The distribution method of this ransomware is not yet clear. Once executed, it targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files. Samples of this ransomware have been uploaded from Romania and the Netherlands, whereas its victims have been observed in five different countries.

The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption. Some researchers have described it as sloppy, slow ransomware that does not try to evade detection. Security researchers reported that it spawns a new process for each file it encrypts, which makes the encryption process very slow. Once it has encrypted files, it appends the extension .locked to each encrypted file and leaves a ransom note on the desktop like this:

[ransom note image]
Bleeping Computer suggests that the first rule published by security researcher V should be used when trying to detect this family of infections with Yara, in order to protect organizations from the LockerGoga ransomware.

INDICATORS OF COMPROMISE

Filename

  • worker32
  • bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc[.]bin
  • svch0st[.]5817[.]exe
  • svch0st[.]11077[.]exe

Email Address

  • CottleAkela[@]protonmail[.]com
  • QyavauZehyco1994[@]o2[.]pl

Malware Hash (MD5/SHA1/SHA256)

  • bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f (SHA256)
  • 52340664fe59e030790c48b66924b5bd (MD5)
  • 73171ffa6dfee5f9264e3d20a1b6926ec1b60897 (SHA1)

REMEDIATION

Block the threat indicators at their respective controls and keep your systems up to date. Since the attack vector is still unknown, running products with known vulnerabilities increases the risk of attack by a malicious entity.
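As an added example (not part of the Rewterz alert), the following Python checker matches files against the indicators listed above, restoring the defanged `[.]` notation, and also flags the `.locked` extension the alert describes; the function names are mine, and the files it creates are constructed stand-ins, not the real sample.

```python
import hashlib
import os
import tempfile
# Indicators copied from the alert above; the filenames were published defanged with "[.]".
HASH_IOCS = frozenset({
    "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f",  # SHA256
    "52340664fe59e030790c48b66924b5bd",  # MD5
    "73171ffa6dfee5f9264e3d20a1b6926ec1b60897",  # SHA1
})
DEFANGED_FILENAMES = ("worker32", "svch0st[.]5817[.]exe", "svch0st[.]11077[.]exe")
ENCRYPTED_EXT = ".locked"  # extension LockerGoga appends to files it has encrypted

def refang(indicator):
    """Restore a defanged indicator ("[.]", "[@]") to its literal form."""
    return indicator.replace("[.]", ".").replace("[@]", "@")

FILENAME_IOCS = frozenset(refang(n).lower() for n in DEFANGED_FILENAMES)

def file_hashes(path):
    """Return the MD5, SHA1 and SHA256 hex digests of a file, computed in one pass."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}

def classify(path, hash_iocs=HASH_IOCS):
    """List why a file matches the alert: known filename, .locked extension, or known hash."""
    name = os.path.basename(path).lower()
    reasons = []
    if name in FILENAME_IOCS:
        reasons.append("filename-ioc")
    if name.endswith(ENCRYPTED_EXT):
        reasons.append("encrypted-extension")
    if file_hashes(path) & hash_iocs:
        reasons.append("hash-ioc")
    return reasons

def build_constructed_sample():
    """Write constructed stand-in files (not real malware) to a temp dir for a dry run."""
    root = tempfile.mkdtemp()
    paths = {}
    for name, data in (("notes.txt", b"benign"), ("report.docx.locked", b"cipher"),
                       ("svch0st.5817.exe", b"constructed stand-in, not the real sample")):
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return paths, hashlib.sha256(b"constructed stand-in, not the real sample").hexdigest()
```

Run `classify` over the files yielded by `os.walk` to sweep a whole tree; a `.locked` hit means data has already been encrypted, while a filename or hash hit points at the dropper itself.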
