Technically, LockerGoga is just another ransomware strain and not even a very good one. It's got bugs and it's slow. However, the gang behind it represents a dangerous combination of aggressive disruption and high-stakes targets.
Since the beginning of 2019, the LockerGoga gang has focused on industrial and manufacturing firms: French engineering consulting firm Altran, Norwegian aluminum manufacturer Norsk Hydro, and a few days ago chemical companies, Hexion and Momentive. And those are only the ones in the news as there are quite a few more.
How They Are Getting In
It's not clear yet how the LockerGoga gang gains initial access, but they seem to already know targets' credentials at the start of an intrusion, perhaps thanks to phishing attacks or by simply buying exposed RDP creds on the dark web. Once they have an initial foothold, they use the common hacking toolkits Metasploit and Cobalt Strike to move to other computers on the network and also exploit the program Mimikatz, which can pull traces of passwords out of the memory of Windows machines and allow them to gain access to more privileged accounts.
After they obtain domain admin credentials, they use Active Directory management tools to roll out their malicious payload to target machines across your network. The code is signed with stolen certificates that make it look more legitimate. And before running their encryption code, the hackers use a "task kill" command on target machines to disable their antivirus. Both of those measures have made antivirus particularly ineffective. Finally, the hackers plant a readme file on the machine that lists their demands.
In The Latest Version They Disable The Network Adapter
In the latest version of the malware that researchers have analyzed, LockerGoga goes further still: It also disables the computer's network adapter to disconnect it from the network, changes the user and admin passwords on the computer, and logs the machine off.
That's a very different approach from typical ransomware that merely encrypts some files on a machine but otherwise leaves it running, says Earl Carter, a researcher at Cisco's Talos division. The degree of disruption is counterproductive even for the hackers, since they're less likely to be paid, he argues. "Everyone is kicked off the system so they can’t even get back to look at the ransom note," he says. "It throws everything into chaos. You’ve just destroyed the operation of the system, so users can’t do anything at all, which is a much more significant impact on the network" than a typical ransomware attack. Full story at WIRED.
Five Things You Can Do About This Right Away:
Bad guys are constantly coming out with new malware versions to evade detection. That’s why we’ve updated our Ransomware Simulated tool “RanSim” to include a new cryptomining scenario!
This new cryptomining scenario simulates a Monero cryptocurrency-mining operation on the local machine. Monero mining is the most popular cryptocurrency mined by real-world malware and takes a lot of CPU and GPU cycles to process the data necessary to generate the currencies.
Try KnowBe4’s NEW Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats.
RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.
Here's how RanSim works:
This is a complementary tool and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!
Don't like to click on redirected buttons? Copy and paste this link into your browser:
https://info.knowbe4.com/ransomware-simulator-tool-1