SEVERITY: Cyber Crime
The new LockerGoga ransomware has been found, most notably, in a cyber attack on the French engineering consultancy Altran Technologies.
The distribution method of this ransomware is not yet clear. Once executed, it targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files. Samples of this ransomware have been uploaded from Romania and the Netherlands, while its victims have been observed in five different countries.
The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption. Some researchers have called it a sloppy, slow ransomware that makes no attempt to evade detection. Security researchers reported that it spawns a new process for each file it encrypts, which makes the encryption process very slow. Once it has encrypted a file, it appends the .locked extension to it and leaves a ransom note on the desktop like this:
Bleeping Computer suggests that the first rule of Security Researcher V should be considered when trying to detect this family of infections with Yara, in order to protect organizations from the LockerGoga ransomware.
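As an added example (not from the advisory, and not the Yara rule it refers to), the following Python heuristic flags the behaviour described above on the host side: a parent process that spawns one child per document while those children rename targeted file types to `.locked`. The event log format (`time|pid|ppid|event|path`), the process names and the paths are all constructed assumptions.

```python
from collections import defaultdict

# Extensions the advisory lists as LockerGoga's targets.
TARGETED_EXTENSIONS = {
    "doc", "dot", "wbk", "docx", "dotx", "docb", "xlm", "xlsx", "xltx", "xlsb",
    "xlw", "ppt", "pot", "pps", "pptx", "potx", "ppsx", "sldx", "pdf",
}
LOCKED_SUFFIX = ".locked"

# Constructed sample log (hypothetical "time|pid|ppid|event|path" format).
# ppid is only recorded on PROCESS_CREATE; FILE_RENAME carries the new path.
SAMPLE_EVENTS = """\
10:00:00|4000|600|PROCESS_CREATE|C:\\Users\\alice\\Downloads\\worker.exe
10:00:01|4101|4000|PROCESS_CREATE|C:\\Users\\alice\\Downloads\\worker.exe
10:00:01|4101|-|FILE_RENAME|C:\\Users\\alice\\Documents\\q1.docx.locked
10:00:02|4102|4000|PROCESS_CREATE|C:\\Users\\alice\\Downloads\\worker.exe
10:00:02|4102|-|FILE_RENAME|C:\\Users\\alice\\Documents\\plan.xlsx.locked
10:00:03|4103|4000|PROCESS_CREATE|C:\\Users\\alice\\Downloads\\worker.exe
10:00:03|4103|-|FILE_RENAME|\\\\fileserver\\share\\deck.pptx.locked
10:00:04|4104|4000|PROCESS_CREATE|C:\\Users\\alice\\Downloads\\worker.exe
10:00:04|4104|-|FILE_RENAME|\\\\fileserver\\share\\invoice.pdf.locked
10:00:05|5200|-|FILE_RENAME|C:\\Users\\alice\\Documents\\notes.txt.locked
10:00:06|5300|-|FILE_RENAME|C:\\Users\\alice\\Pictures\\photo.jpg.bak
"""

def is_locked_target(path):
    """True if path is a targeted document type with .locked appended."""
    if not path.lower().endswith(LOCKED_SUFFIX):
        return False
    original = path[: -len(LOCKED_SUFFIX)]
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    return ext in TARGETED_EXTENSIONS

def detect_locker_like_parents(log_text, min_children=3):
    """Return {parent_pid: locked_file_count} for parents that spawned at least
    min_children children whose renames turned targeted files into *.locked."""
    parent_of = {}                    # child pid -> parent pid
    children = defaultdict(set)       # parent pid -> child pids
    locked_by_parent = defaultdict(int)
    for line in log_text.splitlines():
        _, pid, ppid, event, path = line.split("|", 4)
        if event == "PROCESS_CREATE":
            parent_of[pid] = ppid
            children[ppid].add(pid)
        elif event == "FILE_RENAME" and is_locked_target(path) and pid in parent_of:
            # Credit the rename to the parent that spawned the per-file child.
            locked_by_parent[parent_of[pid]] += 1
    return {p: n for p, n in locked_by_parent.items() if len(children[p]) >= min_children}
```

On the constructed log this returns `{'4000': 4}`: the orchestrating process is flagged while the unrelated renames of a `.txt` file and a `.bak` file are ignored.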
INDICATORS OF COMPROMISE
Malware Hash (MD5/SHA1/SHA256)
Block the threat indicators at their respective controls and keep your systems up to date. Since the attack vector is still unknown, running products with known vulnerabilities increases the risk of attack by a malicious entity.