SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lockergoga (Back to overview)

LockerGoga

Actor(s): FIN6


According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.

References
2021-10-29Національна поліція УкраїниНаціональна поліція України
@online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29EuropolEuropol
@online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } 12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2020-07-15MandiantNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot}, language = {English}, urldate = {2022-07-28} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-03DragosJoe Slowik
@techreport{slowik:202003:spyware:412ef8a, author = {Joe Slowik}, title = {{Spyware Stealer Locker Wiper Locker Goga Revisited}}, date = {2020-03}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf}, language = {English}, urldate = {2020-03-18} } Spyware Stealer Locker Wiper Locker Goga Revisited
LockerGoga
2020-02-20McAfeeChristiaan Beek, Eamonn Ryan, Darren Fitzpatrick
@online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2019-12-23Bleeping ComputerLawrence Abrams
@online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex
2019-05-19nrkHenrik Lied, Peter Svaar, Dennis Ravndal, Anders Brekke, Kristine Hirsti
@online{lied:20190519:skreddersydd:e16c8d8, author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti}, title = {{Skreddersydd dobbeltangrep mot Hydro}}, date = {2019-05-19}, organization = {nrk}, url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202}, language = {Norwegian}, urldate = {2019-11-21} } Skreddersydd dobbeltangrep mot Hydro
LockerGoga
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-04Abuse.ioAbuse.io
@online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } Abuse.io Report - Lockergoga
LockerGoga
2019-04-16Youtube (Norsk Hydro)Norsk Hydro
@online{hydro:20190416:cyber:ada48a4, author = {Norsk Hydro}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} } The cyber attack rescue operation in Hydro Toulouse
LockerGoga
2019-04-05FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02HelpNetSecurityZeljka Zorz
@online{zorz:20190402:lockergoga:7fe224d, author = {Zeljka Zorz}, title = {{A LockerGoga primer and decrypters for Mira and Aurora ransomwares}}, date = {2019-04-02}, organization = {HelpNetSecurity}, url = {https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/}, language = {English}, urldate = {2019-12-16} } A LockerGoga primer and decrypters for Mira and Aurora ransomwares
LockerGoga
2019-03-21DoublePulsarKevin Beaumont
@online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
LockerGoga
2019-01-30Bleeping ComputerIonut Ilascu
@online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} } New LockerGoga Ransomware Allegedly Used in Altran Attack
LockerGoga
Yara Rules
[TLP:WHITE] win_lockergoga_auto (20220808 | Detects win.lockergoga.)
rule win_lockergoga_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.lockergoga."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7432 8b413c 3bda 8bf2 0f42f3 034138 56 }
            // n = 7, score = 400
            //   7432                 | je                  0x34
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]
            //   3bda                 | cmp                 ebx, edx
            //   8bf2                 | mov                 esi, edx
            //   0f42f3               | cmovb               esi, ebx
            //   034138               | add                 eax, dword ptr [ecx + 0x38]
            //   56                   | push                esi

        $sequence_1 = { 8b7344 894514 8b07 8b7f04 89450c 85d2 7402 }
            // n = 7, score = 400
            //   8b7344               | mov                 esi, dword ptr [ebx + 0x44]
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b7f04               | mov                 edi, dword ptr [edi + 4]
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   85d2                 | test                edx, edx
            //   7402                 | je                  4

        $sequence_2 = { 898518ffffff 8d7e18 3bf8 0f848f000000 0f1f8000000000 c645fc12 }
            // n = 6, score = 400
            //   898518ffffff         | mov                 dword ptr [ebp - 0xe8], eax
            //   8d7e18               | lea                 edi, [esi + 0x18]
            //   3bf8                 | cmp                 edi, eax
            //   0f848f000000         | je                  0x95
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   c645fc12             | mov                 byte ptr [ebp - 4], 0x12

        $sequence_3 = { c1f805 3bf8 0f83d5000000 8d45e0 8bcf 50 c1e105 }
            // n = 7, score = 400
            //   c1f805               | sar                 eax, 5
            //   3bf8                 | cmp                 edi, eax
            //   0f83d5000000         | jae                 0xdb
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax
            //   c1e105               | shl                 ecx, 5

        $sequence_4 = { 8bc7 f7f6 a801 0f85e8000000 56 51 53 }
            // n = 7, score = 400
            //   8bc7                 | mov                 eax, edi
            //   f7f6                 | div                 esi
            //   a801                 | test                al, 1
            //   0f85e8000000         | jne                 0xee
            //   56                   | push                esi
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_5 = { 51 8b4e18 e8???????? 3bf8 7415 83781410 8bc8 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   3bf8                 | cmp                 edi, eax
            //   7415                 | je                  0x17
            //   83781410             | cmp                 dword ptr [eax + 0x14], 0x10
            //   8bc8                 | mov                 ecx, eax

        $sequence_6 = { 03f2 8b45ec f7d8 8945ec eb03 8945f8 8b4328 }
            // n = 7, score = 400
            //   03f2                 | add                 esi, edx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   f7d8                 | neg                 eax
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   eb03                 | jmp                 5
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4328               | mov                 eax, dword ptr [ebx + 0x28]

        $sequence_7 = { 8b55a4 3955a0 8b75a8 8bfe 0f4255a0 33c0 c645fc03 }
            // n = 7, score = 400
            //   8b55a4               | mov                 edx, dword ptr [ebp - 0x5c]
            //   3955a0               | cmp                 dword ptr [ebp - 0x60], edx
            //   8b75a8               | mov                 esi, dword ptr [ebp - 0x58]
            //   8bfe                 | mov                 edi, esi
            //   0f4255a0             | cmovb               edx, dword ptr [ebp - 0x60]
            //   33c0                 | xor                 eax, eax
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3

        $sequence_8 = { 895324 7599 5f 8bc2 5e 8be5 5d }
            // n = 7, score = 400
            //   895324               | mov                 dword ptr [ebx + 0x24], edx
            //   7599                 | jne                 0xffffff9b
            //   5f                   | pop                 edi
            //   8bc2                 | mov                 eax, edx
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_9 = { eb02 8b10 8b4208 8bce 48 c1e903 23c8 }
            // n = 7, score = 400
            //   eb02                 | jmp                 4
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   8bce                 | mov                 ecx, esi
            //   48                   | dec                 eax
            //   c1e903               | shr                 ecx, 3
            //   23c8                 | and                 ecx, eax

    condition:
        7 of them and filesize < 2588672
}
[TLP:WHITE] win_lockergoga_w0   (20190320 | Detects LockerGoga ransomware binaries)
rule win_lockergoga_w0 {   
    meta:   
        author = "Florian Roth"   
        description = "Detects LockerGoga ransomware binaries"   
        reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"   
        license = "https://creativecommons.org/licenses/by-nc/4.0/"   
        date = "2019-03-19"   
        hash = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"   
        hash = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"   
        hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"   
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_version = "20190320"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:   
        $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide   
        $x2 = "|[A-Za-z]:\\cl.log" wide   
        $x4 = "\\crypto-locker\\" ascii   
        $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E   
          00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63   
          00 72 00 6F 00 73 00 6F 00 66 00 74 }   
        $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00   
          00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00   
          00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74   
          69 6F 6E }   
        $rn1 = "This may lead to the impossibility of recovery of the certain files." wide   
    condition:   
        1 of ($x*) or $rn1
}
Download all Yara Rules