![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Timeline.png\")
<\/p>\nCo-authored by Marc RiveroLopez.<\/p>\n
Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims\u2019 files and asking for payment to decrypt them, has gained notoriety for the targets it has affected.<\/p>\n
In this blog, we will look at the findings of the McAfee ATR team following analysis of several different samples. We will describe how this new ransomware works and detail how enterprises can protect themselves from this threat.<\/p>\n
LockerGoga is a ransomware that exhibits some interesting behaviors we want to highlight. Based on our research, and compared with other families, it has a few unique functions and capabilities that are rare compared to other ransomware families that have similar objectives and\/or targeted sectors in their campaigns.<\/p>\n
In order to uncover its capabilities, we analyzed all the samples we found, discovering similarities between them, as well as how the development lifecycle adds or modifies different features in the code to evolve the ransomware in a more professional tool used by the group behind it.<\/p>\n
One of the main differences between LockerGoga and other ransomware families is the ability to spawn different processes in order to accelerate the file encryption in the system:<\/p>\n
<\/p>\n
Like other types of malware, LockerGoga will use all the available CPU resources in the system, as we discovered on our machines:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/CPU-usage.png\")
<\/p>\n
Most of the LockerGoga samples work the same way but we observed how they added and removed certain types of functionality during their development lifecycle.<\/p>\n
The ransomware needs be executed from a privileged account.<\/p>\n
LockerGoga works in a master\/slave configuration. The malware begins its infection on an endpoint by installing a copy of itself on the %TEMP% folder.<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/box1.jpg\")
<\/p>\n
After being copied, it will start a new process with the -m parameter.<\/p>\n
The master process runs with the -m parameter and is responsible for creating the list of files to encrypt and spawning the slaves.<\/p>\n
The slave processes will be executed with a different set of parameters as shown below. Each slave process will encrypt only a small number of files, to avoid heuristic detections available in endpoint security products. The list of files to encrypt is taken from the master process via IPC, an interface used to share data between applications in Microsoft Windows. The communication is done through IPC using a mapped section named SM-<name of binary>.<\/p>\n
Here is the IPC technique used by LockerGoga:<\/p>\n
Sandbox replication of master process screenshot below showing:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Slave-processes.png\")
<\/p>\n
Sandbox replication of slave process (encryption process) below showing:<\/p>\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Filepath-1024x940.png\")
<\/p>\n
The ransomware creates multiple slave processes on the endpoint to encrypt files. Some analysts believe this is the case simply because it speeds up the encryption process, but we are not convinced as the same outcome can be achieved via a multi-threaded approach in the ransomware process instead of a multi-process approach.<\/p>\n
Instead, we suspect this approach is adopted for the following reasons:<\/p>\n
Username Administrator:<\/u><\/strong><\/p>\n Username Tinba:<\/u><\/strong><\/p>\n The author implemented a logging function that can be enabled if you callout the sample in execution using the parameter “-l” to store all the results in a file called ‘log.txt’ in the root C drive:<\/p>\n During execution we enabled the log function and saw how the ransomware encrypts the system, causing high CPU usage and opening the ransom note during the process. This is the aspect in an infected system:<\/p>\n As we executed the sample with the log function, we could access this file to check the status of the encryption. Obviously, this most likely a debug function used by the developer.<\/p>\n In order to know how the ransomware works, and with the help of the log function enabled, we could establish the order of LockerGoga to encrypt the system:<\/p>\n One interesting thing to mention is that, before encrypting any file in the system, the malware will search for files in the trashcan folder as the first option. We are not certain why it takes this unusual step, though it could be because many people do not empty their recycle bins and the ransomware is looking to encrypt even those files that may no longer be required:<\/p>\n LockerGoga will start to enumerate all the folders and files in the system to start the encryption process. This enumeration is done in parallel, so we can expect the process wouldn\u2019t take much time.<\/p>\n After the enumeration the ransomware will create the ransom note for the victim:<\/p>\n The ransom note was created in parallel with the encrypted files, and it is hardcoded inside the sample:<\/p>\n Like other ransomware families, LockerGoga will create the ransom note file to ask the user to pay to recover their encrypted files. We highly recommend not paying under any circumstance so as not to continue funding an underground business model. In case of a ransomware infection, please check https:\/\/www.nomoreransom.org<\/a><\/p>\n Below is an example of the ransom note content on an infected machine:<\/p>\n There was a significant flaw in the security system of your company.<\/em><\/p>\n You should be thankful that the flaw was exploited by serious people and not some rookies.<\/em><\/p>\n They would have damaged all of your data by mistake or for fun.<\/em><\/p>\n <\/p>\n Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.<\/em><\/p>\n Without our special decoder it is impossible to restore the data.<\/em><\/p>\n Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.<\/em><\/p>\n will lead to irreversible destruction of your data.<\/em><\/p>\n <\/p>\n To confirm our honest intentions.<\/em><\/p>\n Send us 2-3 different random files and you will get them decrypted.<\/em><\/p>\n It can be from different computers on your network to be sure that our decoder decrypts everything.<\/em><\/p>\n Sample files we unlock for free (files should not be related to any kind of backups).<\/em><\/p>\n <\/p>\n We exclusively have decryption software for your situation<\/em><\/p>\n <\/p>\n DO NOT RESET OR SHUTDOWN – files may be damaged.<\/em><\/p>\n DO NOT RENAME the encrypted files.<\/em><\/p>\n DO NOT MOVE the encrypted files.<\/em><\/p>\n This may lead to the impossibility of recovery of the certain files.<\/em><\/p>\n <\/p>\n The payment has to be made in Bitcoins.<\/em><\/p>\n The final price depends on how fast you contact us.<\/em><\/p>\n As soon as we receive the payment you will get the decryption tool and<\/em><\/p>\n instructions on how to improve your systems security<\/em><\/p>\n <\/p>\n To get information on the price of the decoder contact us at:<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n In parallel of the ransom note creation, the files will start to be encrypted by LockerGoga with the .locked extension appended to all files. This extension has been broadly used by other ransomware families in the past:<\/p>\n LockerGoga has embedded in the code the file extensions that it will encrypt. Below is an example:<\/p>\n The sample has also configured some locations and files that will be skipped in the encryption process so as not to disrupt the Operating System from running.<\/p>\n All the files encrypted by this ransomware will have a specific FileMarker inside:<\/p>\n Note:<\/u><\/strong> The FileMarker identifies the ransomware family and the most likely version; in this case it is 1440.<\/p>\n During the investigation we identified the following versions:<\/p>\n Based on the binary compile time and the extracted versions, we observed that the actors were creating different versions of LockerGoga for different targets\/campaigns.<\/p>\n After encrypting, LockerGoga executes \u2018cipher.exe\u2019 to remove the free space to prevent file recovery in the infected system. When files are deleted on a system, sometimes they are still available in the free space of a hard disk and can theoretically be recovered.<\/p>\n Samples digitally signed:<\/u><\/strong><\/p>\n During our triage phase we found that some of the LockerGoga samples are digitally signed. We are observing from ATR that the latest ransomware pieces used a lower scale and more focused are released digitally signed:<\/p>\n Digitally signing the malware could help the attackers to bypass some of the security protections in the system.<\/p>\n As part of the infection process, LockerGoga will create a static mutex value in the system, always following the same format:<\/p>\n MX-[a-z]\\w+<\/em><\/p>\n Examples of mutex found:<\/p>\n MX-imtvknqq<\/p>\n MX-tgytutrc<\/p>\n MX-zzbdrimp<\/p>\n Interesting strings found<\/u><\/strong><\/p>\n In our analysis we extracted more strings from the LockerGoga samples, with interesting references to:<\/p>\n E:\\\\crypto-locker\\\\cryptopp\\\\src\\\\rijndael_simd.cpp<\/p>\n E:\\\\crypto-locker\\\\cryptopp\\\\src\\\\sha_simd.cpp<\/p>\n E:\\\\crypto-locker\\\\cryptopp\\\\src\\\\sse_simd.cpp<\/p>\n E:\\\\goga\\\\cryptopp\\\\src\\\\crc_simd.cpp<\/p>\n E:\\\\goga\\\\cryptopp\\\\src\\\\rijndael_simd.cpp<\/p>\n E:\\\\goga\\\\cryptopp\\\\src\\\\sha_simd.cpp<\/p>\n E:\\\\goga\\\\cryptopp\\\\src\\\\sse_simd.cpp<\/p>\n X:\\\\work\\\\Projects\\\\LockerGoga\\\\cl-src-last\\\\cryptopp\\\\src\\\\crc_simd.cpp<\/p>\n X:\\\\work\\\\Projects\\\\LockerGoga\\\\cl-src-last\\\\cryptopp\\\\src\\\\rijndael_simd.cpp<\/p>\n X:\\\\work\\\\Projects\\\\LockerGoga\\\\cl-src-last\\\\cryptopp\\\\src\\\\sha_simd.cpp<\/p>\n X:\\\\work\\\\Projects\\\\LockerGoga\\\\cl-src-last\\\\cryptopp\\\\src\\\\sse_simd.cpp<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n The malware developers usually forget to remove those strings in their samples and we can use them to identify new families or frameworks used in their development.<\/p>\n Spreading methods:<\/u><\/strong><\/p>\n The malware is known to be spread in the local network through remote file copy. To do that, a set of .batch files are copied to the remote machines TEMP folder using simple copy:<\/p>\n The malware will copy itself and the tool PSEXEC.EXE to the same location. Once all the files are copied, the malware will run the .BAT file using the following command:<\/p>\n Each of these .BAT files contain lines to execute the malware on remote machines. They use the following command:<\/p>\n The batch file above attempts to kill several AV products and disable security tools. At the end of the script, the malware copy on the remote machine is executed from<\/p>\n c:\\windows\\temp\\taskhost.exe.<\/p>\n Due to the presence of these batch files and the fact that the malware binary makes no direct reference to them, we believe that the spreading mechanism is executed manually by an attacker or via an unknown binary. The path, username, and passwords are hardcoded in the scripts which indicate the attacker had previous knowledge of the environment.<\/p>\n The following is a list of all the processes and services disabled by the malware:<\/p>\n One batch file found in the infected systems where LockerGoga was executed will stop services and processes regarding critical services in the system and security software:<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/box2.jpg\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/box3.jpg\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Logging.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Infected-system.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Debug-function.png\")
<\/p>\n\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Encryption.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Recycle-bin.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Ransom-note.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Hardcoding.png\")
<\/p>\n\n\n
\n Greetings!<\/em><\/p>\n ![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Locked-extension.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/File-extensions.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/File-marker-1024x337.png\")
<\/p>\n\n
![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Different-versions.png\")
<\/p>\n![\"\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/04\/Free-space.png\")
<\/p>\n\n
\n
\n\n
\n E:\\\\crypto-locker\\\\cryptopp\\\\src\\\\crc_simd.cpp<\/p>\n \n
\n
\n
\n\n
\n net stop BackupExecAgentAccelerator \/y<\/u><\/strong><\/td>\n net stop McAfeeEngineService \/y<\/u><\/strong><\/td>\n<\/tr>\n \n net stop BackupExecAgentBrowser \/y<\/strong><\/td>\n net stop McAfeeFramework \/y<\/td>\n<\/tr>\n \n net stop BackupExecDeviceMediaService \/y<\/strong><\/td>\n net stop McAfeeFrameworkMcAfeeFramework \/y<\/td>\n<\/tr>\n \n net stop BackupExecJobEngine \/y<\/strong><\/td>\n net stop McTaskManager \/y<\/td>\n<\/tr>\n \n net stop BackupExecManagementService \/y<\/strong><\/td>\n net stop mfemms \/y<\/td>\n<\/tr>\n \n net stop BackupExecRPCService \/y<\/strong><\/td>\n net stop mfevtp \/y<\/td>\n<\/tr>\n \n net stop BackupExecVSSProvider \/y<\/strong><\/td>\n net stop MMS \/y<\/td>\n<\/tr>\n \n net stop bedbg \/y<\/strong><\/td>\n net stop mozyprobackup \/y<\/td>\n<\/tr>\n \n net stop DCAgent \/y<\/strong><\/td>\n net stop MsDtsServer \/y<\/td>\n<\/tr>\n \n net stop EPSecurityService \/y<\/strong><\/td>\n net stop MsDtsServer100 \/y<\/td>\n<\/tr>\n \n net stop EPUpdateService \/y<\/strong><\/td>\n net stop MsDtsServer110 \/y<\/td>\n<\/tr>\n \n net stop EraserSvc11710 \/y<\/strong><\/td>\n net stop MSExchangeES \/y<\/td>\n<\/tr>\n \n net stop EsgShKernel \/y<\/strong><\/td>\n net stop MSExchangeIS \/y<\/td>\n<\/tr>\n \n net stop FA_Scheduler \/y<\/strong><\/td>\n net stop MSExchangeMGMT \/y<\/td>\n<\/tr>\n \n net stop IISAdmin \/y<\/strong><\/td>\n net stop MSExchangeMTA \/y<\/td>\n<\/tr>\n \n net stop IMAP4Svc \/y<\/strong><\/td>\n net stop MSExchangeSA \/y<\/td>\n<\/tr>\n \n net stop macmnsvc \/y<\/strong><\/td>\n net stop MSExchangeSRS \/y<\/td>\n<\/tr>\n \n net stop masvc \/y<\/strong><\/td>\n net stop MSOLAP$SQL_2008 \/y<\/td>\n<\/tr>\n \n net stop MBAMService \/y<\/strong><\/td>\n net stop MSOLAP$SYSTEM_BGC \/y<\/td>\n<\/tr>\n \n net stop MBEndpointAgent \/y<\/strong><\/td>\n net stop MSOLAP$TPS \/y<\/td>\n<\/tr>\n \n net stop McShield \/y<\/strong><\/td>\n net stop MSSQLFDLauncher$TPS \/y<\/td>\n<\/tr>\n \n net stop MSOLAP$TPSAMA \/y<\/strong><\/td>\n net stop MSSQLFDLauncher$TPSAMA \/y<\/td>\n<\/tr>\n \n net stop MSSQL$BKUPEXEC \/y<\/strong><\/td>\n net stop MSSQLSERVER \/y<\/td>\n<\/tr>\n \n net stop MSSQL$ECWDB2 \/y<\/strong><\/td>\n net stop MSSQLServerADHelper100 \/y<\/td>\n<\/tr>\n \n net stop MSSQL$PRACTICEMGT \/y<\/strong><\/td>\n net stop MSSQLServerOLAPService \/y<\/td>\n<\/tr>\n \n net stop MSSQL$PRACTTICEBGC \/y<\/strong><\/td>\n net stop MySQL57 \/y<\/td>\n<\/tr>\n \n net stop MSSQL$PROFXENGAGEMENT \/y<\/strong><\/td>\n net stop ntrtscan \/y<\/td>\n<\/tr>\n \n net stop MSSQL$SBSMONITORING \/y<\/strong><\/td>\n net stop OracleClientCache80 \/y<\/td>\n<\/tr>\n \n net stop MSSQL$SHAREPOINT \/y<\/strong><\/td>\n net stop PDVFSService \/y<\/td>\n<\/tr>\n \n net stop MSSQL$SQL_2008 \/y<\/strong><\/td>\n net stop POP3Svc \/y<\/td>\n<\/tr>\n \n net stop MSSQL$SYSTEM_BGC \/y<\/strong><\/td>\n net stop ReportServer \/y<\/td>\n<\/tr>\n \n net stop MSSQL$TPS \/y<\/strong><\/td>\n net stop ReportServer$SQL_2008 \/y<\/td>\n<\/tr>\n \n net stop MSSQL$TPSAMA \/y<\/strong><\/td>\n net stop ReportServer$SYSTEM_BGC \/y<\/td>\n<\/tr>\n \n net stop MSSQL$VEEAMSQL2008R2 \/y<\/strong><\/td>\n net stop ReportServer$TPS \/y<\/td>\n<\/tr>\n \n net stop MSSQL$VEEAMSQL2012 \/y<\/strong><\/td>\n net stop ReportServer$TPSAMA \/y<\/td>\n<\/tr>\n \n net stop MSSQLFDLauncher \/y<\/strong><\/td>\n net stop RESvc \/y<\/td>\n<\/tr>\n \n net stop MSSQLFDLauncher$PROFXENGAGEMENT \/y<\/strong><\/td>\n net stop sacsvr \/y<\/td>\n<\/tr>\n \n net stop MSSQLFDLauncher$SBSMONITORING \/y net stop MSSQLFDLauncher$SHAREPOINT \/y<\/strong><\/td>\n net stop SamSs \/y<\/td>\n<\/tr>\n \n net stop MSSQLFDLauncher$SQL_2008 \/y<\/strong><\/td>\n net stop SAVAdminService \/y<\/td>\n<\/tr>\n \n net stop MSSQLFDLauncher$SYSTEM_BGC \/y<\/strong><\/td>\n net stop SAVService \/y<\/td>\n<\/tr>\n \n net stop MSOLAP$TPSAMA \/y<\/strong><\/td>\n net stop MSSQLFDLauncher$TPS \/y<\/td>\n<\/tr>\n \n net stop MSSQL$BKUPEXEC \/y<\/strong><\/td>\n net stop MSSQLFDLauncher$TPSAMA \/y<\/td>\n<\/tr>\n \n net stop SDRSVC \/y<\/strong><\/td>\n net stop SQLSafeOLRService \/y<\/td>\n<\/tr>\n \n net stop SepMasterService \/y<\/strong><\/td>\n net stop SQLSERVERAGENT \/y<\/td>\n<\/tr>\n \n net stop ShMonitor \/y<\/strong><\/td>\n net stop SQLTELEMETRY \/y<\/td>\n<\/tr>\n \n net stop Smcinst \/y<\/strong><\/td>\n net stop SQLTELEMETRY$ECWDB2 \/y<\/td>\n<\/tr>\n \n net stop SmcService \/y<\/strong><\/td>\n net stop SQLWriter \/y<\/td>\n<\/tr>\n \n net stop SMTPSvc \/y<\/strong><\/td>\n net stop SstpSvc \/y<\/td>\n<\/tr>\n \n net stop SNAC \/y<\/strong><\/td>\n net stop svcGenericHost \/y<\/td>\n<\/tr>\n \n net stop SntpService \/y<\/strong><\/td>\n net stop swi_filter \/y<\/td>\n<\/tr>\n \n net stop sophossps \/y<\/strong><\/td>\n net stop swi_service \/y<\/td>\n<\/tr>\n \n