SEVERITY: Medium
CATEGORY: Cyber Crime
ANALYSIS SUMMARY
A new ransomware family, LockerGoga, has been found, most notably in a cyberattack on the French engineering consultancy Altran Technologies.
The distribution method of this ransomware is not yet known. Once executed, it targets files with the extensions DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF. Samples of the ransomware have been uploaded from Romania and the Netherlands, while victims have been observed in five different countries.
The ransomware can spread laterally over network connections and network shares, resulting in widespread file encryption. Some researchers have described it as sloppy and slow, making no attempt to evade detection. Security researchers reported that the ransomware spawns a new process for each file it encrypts, which makes the encryption process very slow. After encrypting a file it appends the extension .locked to it, and it leaves a ransom note on the desktop (reproduced as a screenshot in the original advisory).
Bleeping Computer suggests that the first YARA rule published by Security Researcher V should be used when trying to detect this family of infections, to help organizations protect themselves against the LockerGoga ransomware.
INDICATORS OF COMPROMISE
Filename
- worker32
- bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc[.]bin
- svch0st[.]5817[.]exe
- svch0st[.]11077[.]exe
Email Address
- CottleAkela[@]protonmail[.]com
- QyavauZehyco1994[@]o2[.]pl
Malware Hash (MD5/SHA1/SHA256)
- bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
- 52340664fe59e030790c48b66924b5bd
- 73171ffa6dfee5f9264e3d20a1b6926ec1b60897
REMEDIATION
Block the threat indicators listed above at their respective security controls and keep your systems up to date. Since the attack vector is still unknown, running products with known vulnerabilities increases the risk of compromise by a malicious actor.
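As an added example (not code from the advisory or from Rewterz), the Python below parses the defanged indicator list above, matches it against a handful of constructed endpoint and mail events, and adds a simple behavioural check for the one-process-per-file pattern the analysis describes. The hostnames, paths, the `.locked` file write and the all-zero hash in the sample events are constructed; the MD5 and SHA1 the advisory prints on one line are treated as two separate hashes.

```python
# Added example: IOC matching and a behavioural check for the LockerGoga advisory.
from collections import Counter

# Indicator list as printed in the advisory, defanged with [.] and [@].
IOC_TEXT = """
Filename
- worker32
- bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc[.]bin
- svch0st[.]5817[.]exe
- svch0st[.]11077[.]exe
Email Address
- CottleAkela[@]protonmail[.]com
- QyavauZehyco1994[@]o2[.]pl
Malware Hash (MD5/SHA1/SHA256)
- bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
- 52340664fe59e030790c48b66924b5bd
- 73171ffa6dfee5f9264e3d20a1b6926ec1b60897
"""

def refang(value):
    """Undo the [.] and [@] defanging used in the advisory."""
    return value.replace("[.]", ".").replace("[@]", "@")

def parse_iocs(text):
    """Return {"filename": set, "email": set, "hash": set}, refanged and lowercased."""
    iocs = {"filename": set(), "email": set(), "hash": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            if current is None:
                raise ValueError(f"indicator before any heading: {line}")
            iocs[current].add(refang(line[2:]).lower())
        elif line.startswith("Filename"):
            current = "filename"
        elif line.startswith("Email"):
            current = "email"
        elif line.startswith("Malware Hash"):
            current = "hash"
        else:
            raise ValueError(f"unrecognised heading: {line}")
    return iocs

def basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def match_event(event, iocs):
    """Return a list of (kind, value) indicator hits for one telemetry event."""
    hits = []
    if event["type"] == "process":
        name = basename(event["image"]).lower()
        if name in iocs["filename"]:
            hits.append(("filename", name))
        for algo in ("md5", "sha1", "sha256"):
            digest = event.get(algo, "").lower()
            if digest and digest in iocs["hash"]:
                hits.append(("hash", digest))
    elif event["type"] == "email":
        sender = event["sender"].lower()
        if sender in iocs["email"]:
            hits.append(("email", sender))
    elif event["type"] == "file_write":
        # Behavioural indicator from the advisory: encrypted files get ".locked" appended.
        if event["path"].lower().endswith(".locked"):
            hits.append(("extension", ".locked"))
    return hits

def scan(events, iocs):
    """Group hits by host: {host: [(kind, value), ...]} for hosts with at least one hit."""
    findings = {}
    for event in events:
        hits = match_event(event, iocs)
        if hits:
            findings.setdefault(event["host"], []).extend(hits)
    return findings

def process_bursts(events, threshold):
    """(host, image) pairs launched at least `threshold` times. The advisory says LockerGoga
    spawns one process per encrypted file, so such a burst is worth a look even without a hash hit."""
    counts = Counter((e["host"], basename(e["image"]).lower())
                     for e in events if e["type"] == "process")
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample telemetry: hostnames, paths and the all-zero SHA256 are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-017", "image": r"C:\Users\Public\svch0st.11077.exe",
     "sha256": "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"},
    {"type": "process", "host": "ws-017", "image": r"C:\Users\Public\svch0st.11077.exe"},
    {"type": "process", "host": "ws-017", "image": r"C:\Users\Public\svch0st.11077.exe"},
    {"type": "file_write", "host": "ws-017", "path": r"C:\Users\alice\Documents\budget.xlsx.locked"},
    {"type": "process", "host": "ws-022", "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"type": "file_write", "host": "ws-022", "path": r"C:\Users\bob\notes.docx"},
    {"type": "email", "host": "mx-01", "sender": "CottleAkela@protonmail.com"},
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for host, hits in scan(SAMPLE_EVENTS, iocs).items():
        print(host, hits)
    print(process_bursts(SAMPLE_EVENTS, threshold=3))
```

Filename matches are weak on their own (the names mimic `svchost.exe`, so a lookalike check against the real path would be a natural extension), while the hash and sender matches and the `.locked` extension are the higher-confidence signals; the burst check is there to catch a renamed sample that misses every static indicator.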