Wednesday, March 20, 2019

Ransomware is not dead - a light analysis of LockerGoga



Despite many reports claiming that the number of ransomware samples is decreasing, we keep seeing large multinational companies suffer from these attacks.

Just two days ago, Norway-based Norsk Hydro - one of the world's largest aluminium producers - was hit by a severe ransomware attack:




The attack is so massive that Hydro had to switch its production to manual mode:




According to various press releases, the entire worldwide Norsk Hydro network is down, affecting all production as well as office operations.

If you search for this incident on Twitter, you will instantly come across the ransomware LockerGoga:



While it is still unconfirmed that Norsk Hydro was hit by LockerGoga, we saw a large number of LockerGoga samples being submitted to VirusTotal as well as to Joe Sandbox Cloud Basic.

One of the most recent samples (version 1510) was uploaded to VirusTotal on March 19th (MD5: e11502659f6b5c5bd9f78f534bc38fea):




The same sample showed up on Joe Sandbox Cloud Basic just a few minutes later:




Joe Sandbox 25.0.0 Analysis Report


LockerGoga is not a standard ransomware but has some peculiarities. The binary is signed by Sectigo. The certificate has since been revoked, but it was likely still valid at the time of the attack.



LockerGoga first encrypts the following file types:




Encrypted files are renamed to originalfilename.locked:




For encryption, LockerGoga does not use the Windows Crypto API (CryptEncrypt) but its own implementation (likely CryptoPP together with Boost):




The encryption of files is performed by multiple processes: a master process gathers all files and distributes the encryption tasks to its slave processes:





The benefit of this architecture is that encryption is much faster, since it uses all the CPU cores of the machine.
Normally, on a workstation with many documents, encryption can take hours, so if the ransomware is detected quickly enough, some documents can still be rescued.
With LockerGoga this won't help, since encryption is very fast. So far, we have not seen any other ransomware using a distributed encryption architecture.


LockerGoga drops the following ransom note:




While files are being encrypted the user is logged out:




Users are then no longer able to log in, because beforehand LockerGoga overwrites the user's and the administrator's passwords with HuHuHUHoHo283283@dJD:



This is another interesting and new behavior. While LockerGoga is not as brutal as wiper malware such as OlympicDestroyer, it still completely blocks the computer.
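The three behaviours described above (mass renames to .locked, the master process fanning out to same-image encryption workers, and the user and administrator passwords being reset) can be combined into one host-based detection. The following is an added example, not code from the original post or from Joe Sandbox; it runs over constructed Sysmon-style events, and the event field names, the thresholds and the worker.exe path are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # burst window for renames and resets (assumed)
FANOUT_MIN = 4                   # same-image children of one parent that encrypt
LOCKED_MIN = 20                  # .locked creations inside one window
ACCOUNTS_MIN = 2                 # distinct accounts reset inside one window

def _max_in_window(times):
    """Largest number of timestamps inside any WINDOW-long span."""
    return max((sum(t <= u <= t + WINDOW for u in times) for t in times), default=0)

def detect(events):
    """Return the set of LockerGoga-like behaviours seen in the events. Each event
    is (time 'HH:MM:SS', kind, fields); kinds loosely mirror Sysmon ProcessCreate /
    FileCreate and Security event 4724 (password reset)."""
    children = defaultdict(set)          # (ppid, image) -> child pids
    encrypters, locked = set(), []       # pids that wrote .locked files, and when
    resets = defaultdict(list)           # account -> reset times
    for when, kind, f in events:
        t = datetime.strptime(when, "%H:%M:%S")
        if kind == "ProcessCreate":
            children[(f["ppid"], f["image"].lower())].add(f["pid"])
        elif kind == "FileCreate" and f["path"].lower().endswith(".locked"):
            locked.append(t)
            encrypters.add(f["pid"])
        elif kind == "PasswordReset":
            resets[f["account"]].append(t)
    found = set()
    if _max_in_window(locked) >= LOCKED_MIN:
        found.add("mass_locked_rename")
    # fan-out: one parent whose same-image children each wrote .locked files
    if any(len(pids & encrypters) >= FANOUT_MIN for pids in children.values()):
        found.add("multi_process_encryption")
    if _max_in_window([min(ts) for ts in resets.values()]) >= ACCOUNTS_MIN:
        found.add("mass_credential_reset")
    return found

def sample_events():
    """Constructed telemetry (not real logs): master pid 50 starts four worker.exe
    children that write 24 .locked files in 24 s, then two accounts are reset;
    pid 900 is an unrelated benign writer that must not count."""
    ev = [("10:00:00", "ProcessCreate", {"pid": 100 + i, "ppid": 50,
           "image": "C:\\Temp\\worker.exe"}) for i in range(4)]
    ev += [("10:00:%02d" % (n + 1), "FileCreate", {"pid": 100 + n % 4,
            "path": "D:\\docs\\file%d.docx.locked" % n}) for n in range(24)]
    ev += [("10:00:30", "PasswordReset", {"account": "alice"}),
           ("10:00:31", "PasswordReset", {"account": "Administrator"}),
           ("10:00:40", "FileCreate", {"pid": 900, "path": "D:\\docs\\report.docx"})]
    return ev
```

Each of the three findings is also useful on its own: the rename burst is the classic ransomware signal, while the fan-out and the paired password resets are what distinguish LockerGoga from single-process families.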

Update 1 (21.03.2019):

The RSA key length is not 4096 bits as claimed but rather only 1024. The key is:

143039027603288081140440460338003642911073612941185913750209355892860079356074645397659790748641553071028708565779813384579543186062779585207306872514980402991186576023338090182468472293119407077024326442940353153639727658986409606114438122318258868786058939554014060009849139714833248267922434391006162377303

Besides the account locking, LockerGoga also has the capability to disable the network interface:


However, this feature is not activated in version 1510.


LockerGoga does not seem to be new: searching for PE files signed by Sectigo turns up several older versions, e.g. version 1320 (MD5 16bcc3b7f32c41e7c7222bf37fe39fe6, March 8th):






Joe Sandbox 25.0.0 Analysis Report


As this blog post outlines, LockerGoga differs from standard ransomware in several ways:

  • Signed with a valid certificate
  • Uses a multi-process architecture to encrypt files faster
  • Locks the user and administrator accounts in addition to encrypting files
  • Is continuously improved (multiple versions of the same ransomware exist)

Joe Sandbox nicely detected and analyzed all of these aspects. We have also added generic signatures to detect LockerGoga:




Want to try Joe Sandbox? Register for Free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!