By Zach Hilbert — Jun 26, 2024

LockerGoga

What is LockerGoga?

LockerGoga is a recently discovered ransomware that has also made systems irrecoverable in some cases due to how the malware modifies victim computers. FireEye has attributed LockerGoga to the FIN6 attack group. Originally, FireEye found this group compromising payment card information from hospitality and retail industries. Point-of-sale (POS) systems were the original target of FIN6 malware, and the stolen card data was sold in criminal marketplaces. [5]

FireEye reports that LockerGoga and Ryuk ransomware have been tied to intrusions starting in July 2018, "and they have reportedly cost victims tens of millions of dollars." [5]

Associated Individuals

Since the discovery of LockerGoga, a few different theories have surfaced as to who is responsible for these attacks and why. Kryptos Logic wrote about a potential link between Ryuk and LockerGoga. Claims from other researchers attribute Ryuk and Hermes attacks to North Korea, and because LockerGoga has been linked to Ryuk, these researchers concluded that North Korea was responsible. [6][7]

Despite this information, McAfee, Kryptos Logic, and FireEye all state that their research leads to typical cybercriminal group activity. [1][6][7][8] "[Ryuk] ransomware has been available on underground forums for some time, openly accessible to any malicious actor, not just North Korea." [7] Our assessment is that a cybercriminal group is responsible, though there may be more nuanced interactions based on the progression from openly extorting organizations to the attempts to completely deny access to infected machines.

As we will describe below, some instances of LockerGoga modify administrative passwords and disable network interfaces, effectively restricting use of the system to non-administrative users sitting locally at the machine. The intended purpose of these last steps was likely intended to disable the computers completely, which also keeps the user from seeing the ransom note to transfer payment. The caveat to non-administrative access is that Active Directory credentials can be cached on a system, allowing a user to still log in when the domain controller is offline or the computer itself is not connected to a network. This subtlety is not commonly known and may not have been considered when building these steps.

Therefore, the attackers could quite possibly have intended to disable all the infected systems. This type of behavior cannot be directly profitable, though disrupting a countries economy indirectly or disabling a competitor might be incentive enough to target these organizations. If this is true, there is the possibility that a larger actor is behind the criminal group or has simply modified the methodology to suit its own purpose.

Technical Detail

We have confirmed with a Kaspersky researcher; the initial compromise vector was an exploit kit used to distribute a Cobalt Strike payload. The researcher is a co-author of a customer report detailing LockerGoga infections and recalled that Fallout was the exploit kit [The information about the exploit kit still needs to be confirmed]. If Fallout is the exploitation method, Malwarebytes reports distribution through malvertising chains and techniques similar to the ones described in the LockerGoga compromises.

[EDIT 4/15/19]
We have confirmed that the Kaspersky report assesses the Fallout EK was used as an initial vector through a malvertising campaign. They also assess with low confidence that attackers exploit externally facing web servers to gain initial access. [12]

F-Secure describes LockerGoga in technical detail and provides insight into the typical execution of the malware. "The main functionality is inside the 'master' process, it enumerates files on the infected system and executes child processes to encrypt files." [4] The C++ Boost library is used to locate the system's files, rename, and Crypto++ is used to encrypt them. Depending on the version of malware and the researcher's report of technical analysis, accounts of how LockerGoga infects systems and spreads across the network vary.

For the majority of cases, the malware behaves in the same way. Once the first system is infected, files are encrypted and renamed. The local administrative accounts' credentials are changed, network interfaces are disabled, and the account is logged off. [2][3] Newer versions of the LockerGoga ransomware change the "administrator's password by calling: net.exe user admin HuHuHUHoHo283283@dJD." [12]

Attackers move laterally using common attack tools such as mimikatz and Metasploit, as well as Windows system tools like psexec, adfind, PowerShell, and RDP. They also use stolen credentials to access these systems and gain domain admin privileges.

Targets

Hexion
Momentive
Norsk Hydro [2][3]
Altran [10]

References

[1] https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

[2] https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

[3] https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880

[4] https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/

[5] https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf

[6] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/

[7] https://www.kryptoslogic.com/blog/2019/01/north-korean-apt-and-recent-ryuk-ransomware-attacks/

[8] https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

[9] https://motherboard.vice.com/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers

[10] https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/

[11] https://blog.malwarebytes.com/threat-analysis/2019/01/improved-fallout-ek-comes-back-after-short-hiatus/

[12] Kaspkersky_LockerGoga_attacks_-_when_CobaltStrike_meets_ransomware.pdf

https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

https://twitter.com/campuscodi/status/1111380744461406208

LockerGoga Samples

bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f

c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15

8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29

7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26

Cobalt Strike Beacon config 176.126.85.207 (Kaspersky TLP Amber Report)

Config: 1
BeaconType: 8 (HTTPS)
Port: 443
Polling(ms): 60000
Jitter: 0
Maxdns: 255
C2Server: 176.126.85.207
C2Server URI: /ga.js
UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)
HTTP_Method2_Path: /submit.php
Header1 component: Cookie
Header2 component: id
PipeName: \%s\pipe\msagent_%x
DNS_idle: 0
DNS_sleep(ms): 0
Method1: GET
Method2: POST
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
Proxy_AccessType: 2 (IE settings)

Cobalt Strike Beacon config 185.202.174.91 (Kaspersky TLP Amber Report)

Config: 1
BeaconType: 8 (HTTPS)
Port: 443
Polling(ms): 60000
Jitter: 0
Maxdns: 255
C2Server: 185.202.174.91
C2Server URI: /ptj
UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64;
Trident/6.0; MDDCJS)
HTTP_Method2_Path: /submit.php
Header1 component: Cookie
Header2 component: id
PipeName: \%s\pipe\msagent_%x
DNS_idle: 0
DNS_sleep(ms): 0
Method1: GET
Method2: POST
Spawnto_x86: %windir%\syswow64\rundll32.exe
Spawnto_x64: %windir%\sysnative\rundll32.exe
Proxy_AccessType: 2 (IE settings)