LockerGoga (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.lockergoga (Back to overview)

LockerGoga

Actor(s): FIN6

VTCollection

According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.

References

2021-10-29 ⋅ ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-03-01 ⋅ Dragos ⋅ Joe Slowik
Spyware Stealer Locker Wiper Locker Goga Revisited
LockerGoga

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex

2020-02-19 ⋅ FireEye ⋅ FireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2019-12-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex

2019-05-19 ⋅ ⋅ nrk ⋅ Anders Brekke, Dennis Ravndal, Henrik Lied, Kristine Hirsti, Peter Svaar
Skreddersydd dobbeltangrep mot Hydro
LockerGoga

2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot

2019-05-04 ⋅ Abuse.io ⋅ Abuse.io
Abuse.io Report - Lockergoga
LockerGoga

2019-04-16 ⋅ Youtube (Norsk Hydro) ⋅ Norsk Hydro
The cyber attack rescue operation in Hydro Toulouse
LockerGoga

2019-04-05 ⋅ FireEye ⋅ Alex Pennino, Andrew Thompson, Ben Fedore, Brendan McKeague, Douglas Bienstock, Geoff Ackerman, Van Ta
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6

2019-04-02 ⋅ HelpNetSecurity ⋅ Zeljka Zorz
A LockerGoga primer and decrypters for Mira and Aurora ransomwares
LockerGoga

2019-03-26 ⋅ paloalto Netoworks: Unit42 ⋅ Mike Harbison
Born This Way? Origins of LockerGoga
LockerGoga

2019-03-21 ⋅ DoublePulsar ⋅ Kevin Beaumont
How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
LockerGoga

2019-03-20 ⋅ Cisco Talos ⋅ Nick Biasini
Ransomware or Wiper? LockerGoga Straddles the Line
LockerGoga

2019-01-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu
New LockerGoga Ransomware Allegedly Used in Altran Attack
LockerGoga

Yara Rules

[TLP:WHITE] win_lockergoga_auto (20230808 | Detects win.lockergoga.)

rule win_lockergoga_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lockergoga."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 33c0 897dd4 8b560c 33c9 894514 3bc3 }
            // n = 7, score = 400
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   33c9                 | xor                 ecx, ecx
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   3bc3                 | cmp                 eax, ebx

        $sequence_1 = { 725e 8b06 8b7e38 8b80e4000000 89459c 3bd7 722c }
            // n = 7, score = 400
            //   725e                 | jb                  0x60
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b7e38               | mov                 edi, dword ptr [esi + 0x38]
            //   8b80e4000000         | mov                 eax, dword ptr [eax + 0xe4]
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   3bd7                 | cmp                 edx, edi
            //   722c                 | jb                  0x2e

        $sequence_2 = { e8???????? 50 ffb5f0feffff 8d85c0feffff c645fc0c 50 8bcf }
            // n = 7, score = 400
            //   e8????????           |                     
            //   50                   | push                eax
            //   ffb5f0feffff         | push                dword ptr [ebp - 0x110]
            //   8d85c0feffff         | lea                 eax, [ebp - 0x140]
            //   c645fc0c             | mov                 byte ptr [ebp - 4], 0xc
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi

        $sequence_3 = { ff10 8d4b10 e8???????? 6a38 53 e8???????? 83c408 }
            // n = 7, score = 400
            //   ff10                 | call                dword ptr [eax]
            //   8d4b10               | lea                 ecx, [ebx + 0x10]
            //   e8????????           |                     
            //   6a38                 | push                0x38
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_4 = { e8???????? 8d45d8 c645fc04 50 8bcb e8???????? 8b1b }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   50                   | push                eax
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

        $sequence_5 = { e8???????? 8d45c0 c645fc01 50 8bce e8???????? 8bf0 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_6 = { 8b4df0 33cd e8???????? 8be5 5d c3 ff7594 }
            // n = 7, score = 400
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   33cd                 | xor                 ecx, ebp
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff7594               | push                dword ptr [ebp - 0x6c]

        $sequence_7 = { 8b5904 8b7d0c 8975e8 8975ec 8945f0 c745fc00000000 85ff }
            // n = 7, score = 400
            //   8b5904               | mov                 ebx, dword ptr [ecx + 4]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   85ff                 | test                edi, edi

        $sequence_8 = { f30f7e4710 660fd64610 c7471000000000 c747140f000000 c60700 83c718 c745fcffffffff }
            // n = 7, score = 400
            //   f30f7e4710           | movq                xmm0, qword ptr [edi + 0x10]
            //   660fd64610           | movq                qword ptr [esi + 0x10], xmm0
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0
            //   c747140f000000       | mov                 dword ptr [edi + 0x14], 0xf
            //   c60700               | mov                 byte ptr [edi], 0
            //   83c718               | add                 edi, 0x18
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff

        $sequence_9 = { e8???????? 8bc8 3bcf 7413 837f1410 8bc7 7202 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   3bcf                 | cmp                 ecx, edi
            //   7413                 | je                  0x15
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   8bc7                 | mov                 eax, edi
            //   7202                 | jb                  4

    condition:
        7 of them and filesize < 2588672
}

[TLP:WHITE] win_lockergoga_w0 (20190320 | Detects LockerGoga ransomware binaries)

rule win_lockergoga_w0 {   
    meta:   
        author = "Florian Roth"   
        description = "Detects LockerGoga ransomware binaries"   
        reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"   
        license = "https://creativecommons.org/licenses/by-nc/4.0/"   
        date = "2019-03-19"   
        hash = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"   
        hash = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"   
        hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"   
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_version = "20190320"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:   
        $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide   
        $x2 = "|[A-Za-z]:\\cl.log" wide   
        $x4 = "\\crypto-locker\\" ascii   
        $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E   
          00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63   
          00 72 00 6F 00 73 00 6F 00 66 00 74 }   
        $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00   
          00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00   
          00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74   
          69 6F 6E }   
        $rn1 = "This may lead to the impossibility of recovery of the certain files." wide   
    condition:   
        1 of ($x*) or $rn1
}

Download all Yara Rules

LockerGoga Propose Change

References

Yara Rules

LockerGoga