LockerGoga (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.lockergoga (Back to overview)

LockerGoga

Actor(s): FIN6

VTCollection

According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.

References

2021-10-29 ⋅ ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-03-01 ⋅ Dragos ⋅ Joe Slowik
Spyware Stealer Locker Wiper Locker Goga Revisited
LockerGoga

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex

2020-02-19 ⋅ FireEye ⋅ FireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2019-12-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex

2019-05-19 ⋅ ⋅ nrk ⋅ Anders Brekke, Dennis Ravndal, Henrik Lied, Kristine Hirsti, Peter Svaar
Skreddersydd dobbeltangrep mot Hydro
LockerGoga

2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot

2019-05-04 ⋅ Abuse.io ⋅ Abuse.io
Abuse.io Report - Lockergoga
LockerGoga

2019-04-16 ⋅ Youtube (Norsk Hydro) ⋅ Norsk Hydro
The cyber attack rescue operation in Hydro Toulouse
LockerGoga

2019-04-05 ⋅ FireEye ⋅ Alex Pennino, Andrew Thompson, Ben Fedore, Brendan McKeague, Douglas Bienstock, Geoff Ackerman, Van Ta
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6

2019-04-02 ⋅ HelpNetSecurity ⋅ Zeljka Zorz
A LockerGoga primer and decrypters for Mira and Aurora ransomwares
LockerGoga

2019-03-26 ⋅ paloalto Netoworks: Unit42 ⋅ Mike Harbison
Born This Way? Origins of LockerGoga
LockerGoga

2019-03-21 ⋅ DoublePulsar ⋅ Kevin Beaumont
How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
LockerGoga

2019-03-20 ⋅ Cisco Talos ⋅ Nick Biasini
Ransomware or Wiper? LockerGoga Straddles the Line
LockerGoga

2019-01-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu
New LockerGoga Ransomware Allegedly Used in Altran Attack
LockerGoga

Yara Rules

[TLP:WHITE] win_lockergoga_auto (20241030 | Detects win.lockergoga.)

rule win_lockergoga_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.lockergoga."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? e9???????? c16d0c1f 8bc1 99 8bc8 c745d40f000000 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   e9????????           |                     
            //   c16d0c1f             | shr                 dword ptr [ebp + 0xc], 0x1f
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq                 
            //   8bc8                 | mov                 ecx, eax
            //   c745d40f000000       | mov                 dword ptr [ebp - 0x2c], 0xf

        $sequence_1 = { 6a01 895dec e8???????? 8d4b08 c703???????? c6411900 c74120ffffffff }
            // n = 7, score = 400
            //   6a01                 | push                1
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   e8????????           |                     
            //   8d4b08               | lea                 ecx, [ebx + 8]
            //   c703????????         |                     
            //   c6411900             | mov                 byte ptr [ecx + 0x19], 0
            //   c74120ffffffff       | mov                 dword ptr [ecx + 0x20], 0xffffffff

        $sequence_2 = { e8???????? 8be5 5d c20c00 ffb51cffffff 8bcf e8???????? }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   ffb51cffffff         | push                dword ptr [ebp - 0xe4]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_3 = { ff10 8b4e3c 83f910 722c 8b4628 41 81f900100000 }
            // n = 7, score = 400
            //   ff10                 | call                dword ptr [eax]
            //   8b4e3c               | mov                 ecx, dword ptr [esi + 0x3c]
            //   83f910               | cmp                 ecx, 0x10
            //   722c                 | jb                  0x2e
            //   8b4628               | mov                 eax, dword ptr [esi + 0x28]
            //   41                   | inc                 ecx
            //   81f900100000         | cmp                 ecx, 0x1000

        $sequence_4 = { 8d45f4 64a300000000 8bf1 8b06 ff90a4000000 85c0 7423 }
            // n = 7, score = 400
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bf1                 | mov                 esi, ecx
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ff90a4000000         | call                dword ptr [eax + 0xa4]
            //   85c0                 | test                eax, eax
            //   7423                 | je                  0x25

        $sequence_5 = { f7ea 035584 c1fa05 8bc2 c1e81f 03c2 7458 }
            // n = 7, score = 400
            //   f7ea                 | imul                edx
            //   035584               | add                 edx, dword ptr [ebp - 0x7c]
            //   c1fa05               | sar                 edx, 5
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   7458                 | je                  0x5a

        $sequence_6 = { eb0f 57 8d4dc8 e8???????? 8b45cc 8945f0 807d0700 }
            // n = 7, score = 400
            //   eb0f                 | jmp                 0x11
            //   57                   | push                edi
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   e8????????           |                     
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   807d0700             | cmp                 byte ptr [ebp + 7], 0

        $sequence_7 = { 8b4830 85c9 7409 8b11 83c028 50 ff521c }
            // n = 7, score = 400
            //   8b4830               | mov                 ecx, dword ptr [eax + 0x30]
            //   85c9                 | test                ecx, ecx
            //   7409                 | je                  0xb
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   83c028               | add                 eax, 0x28
            //   50                   | push                eax
            //   ff521c               | call                dword ptr [edx + 0x1c]

        $sequence_8 = { e8???????? 807e1000 7562 8b4e04 8bc7 8a10 3a11 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   807e1000             | cmp                 byte ptr [esi + 0x10], 0
            //   7562                 | jne                 0x64
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8bc7                 | mov                 eax, edi
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   3a11                 | cmp                 dl, byte ptr [ecx]

        $sequence_9 = { e8???????? 8d4dbc e8???????? 8d8d2cffffff e8???????? 8b4df4 64890d00000000 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e8????????           |                     
            //   8d8d2cffffff         | lea                 ecx, [ebp - 0xd4]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

    condition:
        7 of them and filesize < 2588672
}

[TLP:WHITE] win_lockergoga_w0 (20190320 | Detects LockerGoga ransomware binaries)

rule win_lockergoga_w0 {   
    meta:   
        author = "Florian Roth"   
        description = "Detects LockerGoga ransomware binaries"   
        reference = "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202"   
        license = "https://creativecommons.org/licenses/by-nc/4.0/"   
        date = "2019-03-19"   
        hash = "c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"   
        hash = "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26"   
        hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"   
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
        malpedia_version = "20190320"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:   
        $x1 = "\\.(doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf)" wide   
        $x2 = "|[A-Za-z]:\\cl.log" wide   
        $x4 = "\\crypto-locker\\" ascii   
        $xc1 = { 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E   
          00 61 00 6D 00 65 00 00 00 00 00 4D 00 6C 00 63   
          00 72 00 6F 00 73 00 6F 00 66 00 74 }   
        $xc2 = { 00 2E 00 6C 00 6F 00 63 00 6B 00 65 00 64 00 00   
          00 20 46 41 49 4C 45 44 20 00 00 00 00 20 00 00   
          00 20 75 6E 6B 6E 6F 77 6E 20 65 78 63 65 70 74   
          69 6F 6E }   
        $rn1 = "This may lead to the impossibility of recovery of the certain files." wide   
    condition:   
        1 of ($x*) or $rn1
}

Download all Yara Rules

LockerGoga Propose Change

References

Yara Rules

LockerGoga