This post is also available in: 日本語 (Japanese)
This Unit 42 blog provides insights into the ransomware attacks referred to as LockerGoga.
The LockerGoga ransomware was first publicly reported in January by Bleeping Computer, which tied the malware to an attack against French engineering company Altran Technologies. Several variants have since been found in the wild, where they were used in attacks against Norwegian aluminum manufacturer Norsk Hydro and two chemical companies: Hexion and Momentive. Unit 42 reviewed malware samples from these attacks and found evidence that caused us to question the origin of the threat name. “LockerGoga” was taken from a string that did not exist anywhere in the code used in the original attack on Altran. Bleeping Computer reported that the name came from this source code path discovered by MalwareHunterTeam:
X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\rijndael_simd.cpp for SHA256 bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
We were able to find this string referenced in earlier ransomware variants identified as Ransom.GoGalocker by Symantec, but not in the sample identified in Bleeping Computer’s report. To avoid confusion, we will continue to use the LockerGoga name to refence the initial variant and its predecessors. Palo Alto Networks has identified 31 ransomware samples that are similar in behavior and code to the initial variant. In this report we will attempt to trace back to the origin of these samples, discuss their evolution, then expose some of their inner working capabilities and even faults.
First LockerGoga Sample
The earliest known sample of LockerGoga (SHA256: bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f) we found was submitted to VirusTotal on January 24. We believe this sample was used in the attack on Altran. We do not know how the ransomware infected Altran’s networks or propagated once there.
Propagation
Currently LockerGoga does not support any worm-like capabilities that would allow it to self-propagate by infecting additional hosts on a target network. We have observed LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer.
LockerGoga Characteristics
This sample requires administrative privileges in order to successfully execute, though the specific mechanism for initial code execution is unknown. Once it executes it seeks to encrypt files on the infected computer and any attached hard drives. Once it’s fully executed, it leaves a ransom note on the user’s desktop containing an email address to contact presumably for decryption and payment options.
The initial sample was written in the C++ programming language and employs publicly available libraries such as Boost, Cryptopp and regex. This sample includes a denylist that excludes the following files and directories from encryption:
- readme-now.txt
- files starting with ntsuser or usrclass
- File extensions: .dll, .lnk, .sys, .locked
- Microsoft\Windows\burn
- dat
- log
The malware does not support any self-propagating code to infect other hosts on the network and is signed by a certificate issued in the name MIKL LIMITED, which has been revoked. The following command line arguments are also supported:
Command Line | Description |
-w | Work: This is the default command line parameter and encrypts all files on the host. It also wipes all free space by creating the following file c:\wipe and filling it with random data the size of the free space available on the drive. The file is then deleted. This parameter can also be used to encrypt a single file i.e. -w filename.exe |
-r | Dry Run: Does not encrypt any files on the host. |
-l | Log: Creates a log file off the root drive named cl.log. |
-f | File: Used to encrypt a single file. |
Table 1. Supported command line arguments
Encryption
LockerGoga uses the Cryptopp library to implement RSA, as implementing RSA from scratch would be very time consuming and error prone. To encrypt files, (Strong RSA) RSA-OAEP MGF1(SHA-1) is used. The RSA public key found in this sample is:
00000000 4D 49 47 64 4D 41 30 47 43 53 71 47 53 49 62 33 MIGdMA0GCSqGSIb3
00000016 44 51 45 42 41 51 55 41 41 34 47 4C 41 44 43 42 DQEBAQUAA4GLADCB 00000032 68 77 4B 42 67 51 43 46 66 33 43 54 59 79 41 79 hwKBgQCFf3CTYyAy 00000048 6F 79 5A 71 52 33 6E 48 63 4C 4A 2B 49 2F 71 69 oyZqR3nHcLJ+I/qi 00000064 2F 50 57 77 57 54 75 6C 20 6C 4D 69 4E 32 54 47 /PWwWTul lMiN2TG 00000080 4D 41 4D 62 34 39 75 58 51 32 79 43 34 4D 5A 76 MAMb49uXQ2yC4MZv 00000096 5A 76 4B 53 50 55 44 6F 33 61 4D 67 5A 4A 71 30 ZvKSPUDo3aMgZJq0 00000112 78 75 52 53 42 34 58 6F 73 6D 73 30 5A 39 51 4B xuRSB4Xosms0Z9QK 00000128 70 76 47 6C 6A 4E 48 36 79 34 50 59 4E 39 38 2F pvGljNH6y4PYN98/ 00000144 76 20 79 31 7A 4F 6B 34 70 45 69 53 68 43 32 49 v y1zOk4pEiShC2I 00000160 47 46 50 4A 32 47 71 33 4F 63 2B 41 78 4F 37 57 GFPJ2Gq3Oc+AxO7W 00000176 6F 2F 62 42 76 35 34 32 52 51 30 67 50 55 77 7A o/bBv542RQ0gPUwz 00000192 79 54 53 66 71 6A 44 47 35 33 35 73 38 57 73 76 yTSfqjDG535s8Wsv 00000208 4B 73 79 77 49 42 45 51 3D 3D KsywIBEQ== |
Table 2. RSA Public key found in initial LockerGoga sample
Although RSA-OAEP MGF1 has features that make it more secure, the added computational overhead causes encryption to take longer and has difficulty handling large files. To mitigate this, the developers launch multiple child processes that work in parallel to maximize encryption speed. To overcome large files, the developers decided to encrypt chunks of a file every 80,000 bytes and skip the next 80,000 bytes of a file. Example:
Figure 1. Data encrypted in 80,000 byte chunks
Because of this, partial recovery of large files might be possible even without the decryption key.
Although the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core Windows operating system files, which caused the operating system to become unstable and crash. This was observed when running the ransomware on a Windows 2012 machine.
Early Development
Based on our analysis, we believe this variant is an early release of LockerGoga ransomware. The developers left behind command line parameters such as -r which allows the malware to run without encrypting anything. This can be used in conjunction with -l (log) to test how the ransomware behaves. Both of these parameters are suggestive of an initial, or test, build. The -r specifically was not observed in later variants.
According to the Bleeping Computer report, the ransomware appeared to encrypt only the following specific file extensions: doc|dot|wbk|docx|dotx|docb|xlm|xlsx|xltx|xlsb|xlw|ppt|pot|pps|pptx|potx|ppsx|sldx|pdf.
Our analysis found that the malware does not use the code block that checks for specific file extensions. Instead, we observed that the malware encrypts all files except those in the denylist. It also has issues with large files, which is addressed in later variants.
Development Cycle
Like other active software projects, the LockerGoga ransomware is under constant development with new variants being developed and used to attack victims. All these variants share similar characteristics and just like other professional development, each release contains improvements or new capabilities.
To counter this ongoing development cycle, security researchers have to focus on identifying new variants.
To that end, we highlight some of the evolutionary changes we have observed since the malware surfaced in January:
- Dropped the -r and -f command line arguments
- Log file renamed from cl.log to .log
- Ransomware note is no longer encoded in the binary
- Ransomware note renamed from README_NOW.txt to README_LOCKED.TXT
- Added the following command line parameters:
Parameter | Description |
-i | Inter process communication (IPC) |
-s | Slave (child process) |
-m | Master Process |
- Began using mutexes (example: SM-zzbdrimp) to identify processes for inter-process communication.
- Stopped using svch0st[numeric value].exe as a process name and began using distinct hard-coded names for each sample.
- Uses undocumented Windows API calls (for example NtQuerySection)
- Changes administrator password to HuHuHUHoHo283283@dJD
- Stopped creating a wipe file to erase free space and instead uses Windows cipher.exe with command parameter /w to wipe free space on the host
- Added importation of WS2_32.dll, possibly to support network communications
- Changed the format and collection of data recorded in the log file
- Updated encryption of files and directories. No longer encrypts all files on the host: instead targets specific file extensions and directories
- Calls into Windows Restart Manager session for possible token elevation to overwrite trusted installer files
- Uses the following digital signers:
- ALISA LTD
- KITTY'S LTD
- MIKL LIMITED
- Logs off the current user
- The inclusion of the word “Goga” in the binary and encrypted files
Conclusion
LockerGoga’s developers continue to add capabilities and launch new attacks. The addition of WS2_32.dll and use of undocumented Windows API calls indicates a level of sophistication beyond typical ransomware authors. The former could lead to the eventual inclusion of C2 communication or automated propagation, and the latter requires some working knowledge of Windows internals.
These features raise more questions about the actor’s intent as ransomware is typically one of the least advanced forms of malware: Are they motivated by profits or something else? Has the motive change over time? Why would developers put such effort into their work only to partially encrypt files. Why do they include an email address and not seek payment through more frequently used cryptocurrencies?
We do not know if any of the victims have paid the ransom and were able to successfully retrieve their data. We do know that this ransomware has caused significant harm. The damage could increase significantly if the attackers continue to refine this ransomware. Unit 42 will continue to monitor LockerGoga and report on new activity.
WildFire properly identifies all of the malware samples listed in this report as malicious. Traps prevents execution of LockerGoga samples and AutoFocus customers can view LockerGoga samples using the LockerGoga tag.
Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.
Indicators of Compromise
LockerGoga Samples
ae7e9839b7fb750128147a9227d3733dde2faacd13c478e8f4d8d6c6c2fc1a55
f474a8c0f66dee3d504fff1e49342ee70dd6f402c3fa0687b15ea9d0dd15613a
ffab69deafa647e2b54d8daf8c740b559a7982c3c7c1506ac6efc8de30c37fd5
c1670e190409619b5a541706976e5a649bef75c75b4b82caf00e9d85afc91881
65d5dd067e5550867b532f4e52af47b320bd31bc906d7bf5db889d0ff3f73041
31fdce53ee34dbc8e7a9f57b30a0fbb416ab1b3e0c145edd28b65bd6794047c1
32d959169ab8ad7e9d4bd046cdb585036c71380d9c45e7bb9513935cd1e225b5
e00a36f4295bb3ba17d36d75ee27f7d2c20646b6e0352e6d765b7ac738ebe5ee
6d8f1a20dc0b67eb1c3393c6c7fc859f99a12abbca9c45dcbc0efd4dc712fb7c
79c11575f0495a3daaf93392bc8134c652360c5561e6f32d002209bc41471a07
050b4028b76cd907aabce3d07ebd9f38e56c48c991378d1c65442f9f5628aa9e
1f9b5fa30fd8835815270f7951f624698529332931725c1e17c41fd3dd040afe
276104ba67006897630a7bdaa22343944983d9397a538504935f2ec7ac10b534
88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
06e3924a863f12f57e903ae565052271740c4096bd4b47c38a9604951383bcd1
a845c34b0f675827444d6c502c0c461ed4445a00d83b31d5769646b88d7bbedf
7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f
eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125
14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca
47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4
f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192
9128e1c56463b3ce7d4578ef14ccdfdba15ccc2d73545cb541ea3e80344b173c
c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a
6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77
8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c
c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4
Appendix
The latest variant of LockerGoga uses memory mapped files to communicate between processes. To illustrate this, we captured the memory of a section created by a child process.
00000000 02 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000016 D0 02 01 00 CC 02 01 00 C8 02 01 00 30 00 00 00 Ð Ì È 0 00000032 80 02 01 00 F8 FF 0F 00 00 00 00 00 00 00 00 00 € øÿ 00000048 FF FF FF FF 00 00 00 00 01 00 00 00 24 00 00 00 ÿÿÿÿ $ 00000064 20 00 00 00 1C 00 00 00 00 00 00 00 01 00 00 00 00000080 FC FF FF FF F8 FF FF FF F4 FF 01 00 0B 20 00 C0 üÿÿÿøÿÿÿôÿ À 00000096 DE FF FF FF 01 00 00 00 01 00 00 00 38 00 01 00 Þÿÿÿ 8 00000112 01 00 04 21 10 01 00 00 00 00 00 00 00 7A 70 63 ! zpc 00000128 55 48 4A 76 5A 33 4A 68 62 53 42 47 61 57 78 6C UHJvZ3JhbSBGaWxl 00000144 63 31 78 57 54 58 64 68 63 6D 56 63 56 6B 31 33 c1xWTXdhcmVcVk13 00000160 59 58 4A 6C 49 46 52 76 62 32 78 7A 58 47 64 73 YXJlIFRvb2xzXGds 00000176 61 57 49 74 4D 69 34 77 4C 6D 52 73 62 41 3D 3D aWItMi4wLmRsbA== 00000192 64 48 42 6A 63 48 4D 75 5A 47 78 73 63 6D 56 7A dHBjcHMuZGxscmVz 00000208 65 43 35 6B 62 47 77 75 62 58 56 70 4E 46 39 66 eC5kbGwubXVpNF9f 00000224 4F 48 64 6C 61 33 6C 69 4D 32 51 34 59 6D 4A 33 OHdla3liM2Q4YmJ3 00000240 5A 54 68 68 5A 44 46 68 4E 7A 51 77 4C 54 52 68 ZThhZDFhNzQwLTRh 00000256 4E 32 59 74 4E 47 45 78 59 53 30 35 4F 54 45 78 N2YtNGExYS05OTEx 00000272 4C 54 51 79 4D 57 51 30 4D 6A 49 34 4D 7A 52 6C LTQyMWQ0MjI4MzRl 00000288 5A 46 78 42 63 33 4E 6C 64 48 4E 63 55 6D 56 7A ZFxBc3NldHNcUmVz 00000304 62 33 56 79 59 32 56 7A 58 46 4A 6C 63 58 56 70 b3VyY2VzXFJlcXVp 00000320 63 6D 56 6B 55 48 4A 70 62 6E 52 44 59 58 42 68 cmVkUHJpbnRDYXBh 00000336 59 6D 6C 73 61 58 52 70 5A 58 4D 75 65 47 31 73 YmlsaXRpZXMueG1s 00000352 65 6D 55 74 4E 44 68 66 59 57 78 30 5A 6D 39 79 emUtNDhfYWx0Zm9y 00000368 62 53 31 31 62 6E 42 73 59 58 52 6C 5A 43 35 77 bS11bnBsYXRlZC5w 00000384 62 6D 63 3D 62 53 31 31 62 6E 42 73 59 58 52 6C bmc=bS11bnBsYXRl 00000400 5A 43 35 77 62 6D 63 3D 00 00 00 00 00 00 00 00 ZC5wbmc= |
Table 3. Child process mapped file
The 1st byte (02) instructs the master process to process the data below. The data is base64 encoded in three parts and decodes to the following:
Part 1:
Unknown value
Part 2:
tpcps.dllresx.dll.mui4__8wekyb3d8bbwe8ad1a740-4a7f-4a1a-9911-421d422834ed\Assets\Resources\RequiredPrintCapabilities.xmlze-48_altform-unplated.png
Part 3:
m-unplated.png
Example of initial variant of LockerGoga running on a host:
Figure 2. Initial LockerGoga running
Initial LockerGoga Ransom Note:
Greetings!
There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun.
Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.
To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups).
We exclusively have decryption software for your situation
DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files.
To get information on the price of the decoder contact us at: [email protected];[email protected] The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security |
Figure 3. Initial LockerGoga ransom note
Latest LockerGoga Ransom Note:
Greetings!
There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun.
Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data.
To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups).
We exclusively have decryption software for your situation
DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files.
The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security
To get information on the price of the decoder contact us at:
|
Figure 4. Latest LockerGoga ransom note