I wrote a bit last week about Norsk Hydro’s encounter with LockerGoga, a newish form of Ransomware.
DarkReading.com has posted an insightful look at LockerGoga that I found to be rather interesting. The article makes six key revelations regarding the strain of ransomware. I thought I’d offer my own take on them here.
They are as follows:
1. LockerGoga Changes Passwords
According to Vijayan, once LockerGaga infects a system, it changes the user account passwords to “HuhuHUHHoHo283283@dJD.”
By changing the password, LockerGoga complicates any local intervention that an InfoSec pro might be trying to perform to save the endpoint from encryption.
2. End-Users are Forcibly Booted from the System as LockerGoga Takes Hold
I guess the ransomware’s developer is trying to limit the number of countermeasures a system might have in place to defend itself from an attack like this.
However, it’s sort of a silly decision, especially considering the infected end-point can’t display a ransom note to the end-user if they’re not logged in. If anything this makes LockerGoga a bit more destructive than it should be to leverage it as a money-making tactic properly.
3. LockerGoga Does not Leverage the Infected End-Point’s Network
Where more traditional ransomware programs might leverage an infected end-point’s network for things like commands, communication, and/or propagation (more on this next), LockerGoga avoids it altogether.
LockerGoga will actually disable any and all network points it finds on an end-point when installing itself. Security researchers have noticed the addition of some network capabilities in more recent examples of LockerGoga, so this might change shortly.
4. LockeGoga Doesn’t Propagate
Weird, right? But apparently, that’s the case. LockerGoga once installed on an end-point doesn’t do much other than encrypt the files its find there and then wait to be decrypted after somebody pays the ransom.
That’s unusual and not typical behavior from ransomware. According to researchers from Palo Alto Networks, LockerGoga is manually copied from end-point to end-point via server message protocols.
Like I mentioned in No. 3, this might be changing shortly. As of right now though LockerGoga is installed MANUALLY by Bad Actors who might have access to your system.
5. It’s Designed Specifically for Targeted Attacks
As I’ve already established, LockerGoga is a bizarre bit of code. It doesn’t propagate itself, and it doesn’t utilize any form of network interconnectivity that a more highly developed ransomware would.
That could actually be LockerGoga’s secret sauce. By being so radically different from other ransomware, LockerGoga can both evade more traditional machine learning and A.I. countermeasures, especially when leveraged by an attacker who has complete access to their target’s system and has managed to remain undetected.
6. It’s trying to pass itself off as a more well-known/sophisticated ransomware
Simply put, LockerGoga wants people to think it’s CryptoLocker. And at first glance it appears to be similar, all the way down to the ransom note it delivers to an end-user after their system is encrypted.
However, when comparing the two, LockerGoga apparently has some shoddy work behind it, making it both less advanced but more dangerous than CryptoLocker. Some of the bugs found in LockerGoga’s code directly relate to its decryption capabilities, meaning that even after an end-point is decrypted, LockerGoga might strike again because of how unstable it is.
Conclusion
I’m not going to pretend I know more about the situation than anybody else or that I know the motive behind the attackers. However, my hot take on the issue is this:
Whoever developed LockerGoga knows enough about ransomware to be dangerous but not necessarily enough to be successful in its development and deployment. That said, there’s evidence to suggest that whoever’s behind LockerGoga is learning at an alarming pace and there’s a reason to believe any subsequent version of this ransomware will cause chaos 10x the amount that it already has.
Only time will tell.
