win.lockergoga

LockerGoga

Actor(s): FIN6


According to Trend Micro, LockerGoga is a ransomware family that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of document and source-code files, but certain versions had little or no whitelist to protect important system files such as the Windows Boot Manager, so an infected host could be left unbootable.

References
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} }
Families: Dharma, DoppelPaymer, Dridex, EternalPetya, Gandcrab, Hermes, LockerGoga, MegaCortex, MimiKatz, REvil, RobinHood, Ryuk, SamSam, TrickBot, WannaCryptor

2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} }
Families: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti
Actors: ANTHROPOID SPIDER, Anunak, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Judgment Panda, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare

2020-03 | Dragos | Joe Slowik
@techreport{slowik:202003:spyware:412ef8a, author = {Joe Slowik}, title = {{Spyware Stealer Locker Wiper Locker Goga Revisited}}, date = {2020-03}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf}, language = {English}, urldate = {2020-03-18} }
Families: LockerGoga

2020-02-19 | FireEye | FireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} }
Families: Cobalt Strike, Grateful POS, LockerGoga, QakBot, TrickBot

2020-01-29 | ANSSI | ANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} }
Families: Clop, Dharma, FriedEx, Gandcrab, LockerGoga, Maze, MegaCortex, REvil, RobinHood, Ryuk, SamSam

2019-12-23 | Bleeping Computer | Lawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} }
Families: LockerGoga, MegaCortex

2019-05-19 | nrk | Henrik Lied, Peter Svaar, Dennis Ravndal, Anders Brekke, Kristine Hirsti
@online{lied:20190519:skreddersydd:e16c8d8, author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti}, title = {{Skreddersydd dobbeltangrep mot Hydro}}, date = {2019-05-19}, organization = {nrk}, url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202}, language = {Norwegian}, urldate = {2019-11-21} }
Families: LockerGoga

2019-05-09 | GovCERT.ch | GovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} }
Families: Emotet, LockerGoga, Ryuk, TrickBot

2019-05-04 | Abuse.io | Abuse.io
@online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} }
Families: LockerGoga

2019-04-16 | Youtube (Norsk Hydro) | Norsk Hydro
@online{hydro:20190416:cyber:ada48a4, author = {Norsk Hydro}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} }
Families: LockerGoga

2019-04-05 | FireEye | Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} }
Families: LockerGoga, Ryuk
Actors: FIN6

2019-04-02 | HelpNetSecurity | Zeljka Zorz
@online{zorz:20190402:lockergoga:7fe224d, author = {Zeljka Zorz}, title = {{A LockerGoga primer and decrypters for Mira and Aurora ransomwares}}, date = {2019-04-02}, organization = {HelpNetSecurity}, url = {https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/}, language = {English}, urldate = {2019-12-16} }
Families: LockerGoga

2019-03-21 | DoublePulsar | Kevin Beaumont
@online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} }
Families: LockerGoga

2019-01-30 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} }
Families: LockerGoga
Yara Rules
[TLP:WHITE] win_lockergoga_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_lockergoga_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c20400 ff7508 57 e8???????? 8b4df4 64890d00000000 59 }
            // n = 7, score = 400
            //   c20400               | ret                 4
            //   ff7508               | push                dword ptr [ebp + 8]
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx

        $sequence_1 = { 8b4de0 8b45b0 d3e6 03f7 8d0c76 8d04c8 50 }
            // n = 7, score = 400
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   d3e6                 | shl                 esi, cl
            //   03f7                 | add                 esi, edi
            //   8d0c76               | lea                 ecx, [esi + esi*2]
            //   8d04c8               | lea                 eax, [eax + ecx*8]
            //   50                   | push                eax

        $sequence_2 = { 8945d0 8b8568ffffff 89459c 8b8564ffffff 8945a4 8b8560ffffff 8945d4 }
            // n = 7, score = 400
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   8945a4               | mov                 dword ptr [ebp - 0x5c], eax
            //   8b8560ffffff         | mov                 eax, dword ptr [ebp - 0xa0]
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax

        $sequence_3 = { 7403 50 ffd3 6a14 56 e8???????? 8b4d0c }
            // n = 7, score = 400
            //   7403                 | je                  5
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   6a14                 | push                0x14
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_4 = { e8???????? 8b0b 8b7dec 3908 7412 8d4710 8bcb }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b7dec               | mov                 edi, dword ptr [ebp - 0x14]
            //   3908                 | cmp                 dword ptr [eax], ecx
            //   7412                 | je                  0x14
            //   8d4710               | lea                 eax, [edi + 0x10]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_5 = { ff7508 8d4f10 c7470cffffffff c707???????? c74704???????? e8???????? 8d7738 }
            // n = 7, score = 400
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d4f10               | lea                 ecx, [edi + 0x10]
            //   c7470cffffffff       | mov                 dword ptr [edi + 0xc], 0xffffffff
            //   c707????????         |                     
            //   c74704????????       |                     
            //   e8????????           |                     
            //   8d7738               | lea                 esi, [edi + 0x38]

        $sequence_6 = { a3???????? c3 8d4db0 e9???????? 8d4d98 e9???????? }
            // n = 6, score = 400
            //   a3????????           |                     
            //   c3                   | ret                 
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   e9????????           |                     
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   e9????????           |                     

        $sequence_7 = { e8???????? 83c40c 8d4dd8 e8???????? eb0f 8bcf 3bf2 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   eb0f                 | jmp                 0x11
            //   8bcf                 | mov                 ecx, edi
            //   3bf2                 | cmp                 esi, edx

        $sequence_8 = { 898578ffffff b893244992 8955b0 899560ffffff 898d64ffffff 2bca f7e9 }
            // n = 7, score = 400
            //   898578ffffff         | mov                 dword ptr [ebp - 0x88], eax
            //   b893244992           | mov                 eax, 0x92492493
            //   8955b0               | mov                 dword ptr [ebp - 0x50], edx
            //   899560ffffff         | mov                 dword ptr [ebp - 0xa0], edx
            //   898d64ffffff         | mov                 dword ptr [ebp - 0x9c], ecx
            //   2bca                 | sub                 ecx, edx
            //   f7e9                 | imul                ecx

        $sequence_9 = { 83c502 3be9 0f8560ffffff 8b442410 8928 33c0 3be9 }
            // n = 7, score = 400
            //   83c502               | add                 ebp, 2
            //   3be9                 | cmp                 ebp, ecx
            //   0f8560ffffff         | jne                 0xffffff66
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8928                 | mov                 dword ptr [eax], ebp
            //   33c0                 | xor                 eax, eax
            //   3be9                 | cmp                 ebp, ecx

    condition:
        7 of them and filesize < 2588672
}
[TLP:WHITE] win_lockergoga_w0 (20190320 | Detects LockerGoga ransomware binaries)
rule win_lockergoga_w0 {
    meta:
        description = "Detects LockerGoga ransomware binaries"
        author = "Florian Roth"
        reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        date = "2019-03-19"
        hash1 = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"
        hash2 = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"
        hash3 = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_version = "20190320"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Regex of targeted document extensions, stored as a UTF-16 string
        $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide
        // Log file path pattern used by the locker
        $x2 = "|[A-Za-z]:\\cl.log" wide
        // PDB / build path fragment
        $x4 = "\\crypto-locker\\" ascii
        // UTF-16 "CompanyName" followed by "Mlcrosoft" (misspelled vendor string in the version resource)
        $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E
          00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63
          00 72 00 6F 00 73 00 6F 00 66 00 74 }
        // UTF-16 ".locked" extension followed by " FAILED " and " unknown exception" status strings
        $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00
          00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00
          00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74
          69 6F 6E }
        // Sentence from the ransom note
        $rn1 = "This may lead to the impossibility of recovery of the certain files." wide
    condition:
        1 of ($x*) or $rn1
}