KnowBe4 Security Awareness Training Blog

FBI Issues Alert For "Sleeper" LockerGoga and MegaCortex Ransomware

Written by Stu Sjouwerman | Dec 26, 2019 7:37:28 PM

The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware.

Both LockerGoga and MegaCortex are ransomware infections that target the enterprise by compromising the network and then attempting to encrypt all its devices.

In an FBI Flash Alert marked as TLP:Amber and seen by BleepingComputer, the FBI is warning the private industry regarding the two ransomware infections and how they attack a network.

"Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga."

Actors will be resident on the network for months

According to the alert, the actors behind LockerGoga and MegaCortex will gain a foothold on a corporate network using exploits, phishing attacks, SQL injections, and stolen login credentials.

Once a network is compromised, the threat actors will install the penetration testing tool called Cobalt Strike. This tool allows the attackers to deploy "beacons" on a compromised device to "create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system."

When a network is compromised, the actors will be resident on the network for months before they deploy the LockerGoga or MegaCortex ransomware infections.

While the FBI had not said what these attackers are doing during this period, the actors are probably exfiltrating data, deploying information-stealing trojans, and further compromising workstations and servers.

Once the network has been harvested of anything of value, the attackers will deploy the LockerGoga or MegaCortex infections so that they begin to encrypt the devices on the network. This will generate a final revenue source for the attackers.

During the ransomware deployment, the FBI states the actors will execute a kill.bat or stop.bat batch file that terminates processes and services related to security programs, disables Windows Defender scanning features, and disable security-related services.

Two things you obviously want to do is step users through new-school security awareness training, and the FBI recommends: "The most important mitigation provided by the FBI is to make sure you "backup data regularly, keep offline backups, and verify integrity of backup process." For other FBI-recommended mitigations check out the Bleepingcomputer post,