

In the early age of ransomware, these attacks were not primarily used to target critical infrastructure. But recently, the FortiGuard Labs threat research teams have seen an increasing trend of ransomware attacks targeting critical infrastructures using attacks such as WannaCry, NotPetya, SamSam and now LockerGoga. This says a lot about the future of ransomware.

Discovered early this year, LockerGoga is a new ransomware family that has been detected attacking industrial companies, severely compromising their operations. The file-encrypting malware's entrance to the scene began when it was allegedly involved in attacking an engineering consulting firm based in France. Just two weeks ago, it made headlines again for crippling the operations of an international manufacturer. And shortly thereafter, two American chemical companies were also reported to have been hit by the same malware.

At the moment, there are very limited details as to how this malware got into their systems, but there seems to be a high possibility that the campaigns were targeted and conducted in a multi-stage scheme. Building on that premise, the fact that the malware's execution needs administrative rights suggests that the attackers had previously gained high system privileges in an earlier stage of the attack.

These uncertainties aside, in this article we will dive into what we know for certain about the characteristics of LockerGoga as a ransomware. We will also show that although it has some unusual techniques, it is not as advanced as one would expect from such high-profile, targeted attacks.

The binary for this particular variant of LockerGoga does not utilize any type of security evasion or obfuscation. Instead, the binary only goes as far as encoding the RSA public key that is used in its later stages for file encryption. It's possible to speculate that the attackers may have already been fully aware of the target companies' security measures, and were therefore confident that their malware would not be intercepted even without any obfuscation.

Another interesting fact is that the malware uses the open-source Boost libraries for its filesystem and inter-process communication, and Crypto++ (Cryptopp) for file encryption. One of the advantages of using these libraries is easier development and implementation, since developers only need to work with wrapper functions instead of calling individual native APIs to achieve the same goal. And since this relies on a higher level of abstraction, statically and dynamically analysing the application without source code is more complicated than just reading a straight sequence of Windows APIs.
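Because a binary built on Boost and Crypto++ hides the native Windows API sequence behind library wrappers, a useful first triage step is to fingerprint which C++ libraries are statically linked before committing to deeper reverse engineering. The following script is an added example written for this article and is not FortiGuard Labs' tooling or LockerGoga code. It assumes that MSVC RTTI type descriptors (decorated names such as `.?AVfoo@boost@@`) and namespace-qualified identifiers survive in the binary; the marker strings, the sample buffers and the function names are constructed for the example.

```python
import re

# Assumed marker substrings for statically linked C++ libraries in MSVC builds.
# MSVC RTTI type descriptors carry decorated names such as ".?AVfoo@boost@@",
# and exception/log text often contains namespace-qualified identifiers.
# These are heuristics chosen for this example, not indicators from the article.
LIBRARY_MARKERS: dict[str, list[bytes]] = {
    "boost": [rb"@boost@@", rb"boost::filesystem", rb"boost::interprocess"],
    "crypto++": [rb"@CryptoPP@@", rb"CryptoPP::", rb"Crypto\+\+"],
}


def extract_strings(data: bytes, min_len: int = 6) -> list[bytes]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def fingerprint_libraries(data: bytes) -> dict[str, list[bytes]]:
    """Map each detected library to the distinct embedded strings that matched."""
    found: dict[str, list[bytes]] = {}
    for s in extract_strings(data):
        for lib, patterns in LIBRARY_MARKERS.items():
            if any(re.search(p, s) for p in patterns):
                hits = found.setdefault(lib, [])
                if s not in hits:
                    hits.append(s)
    return found


# Constructed stand-in for a binary's raw bytes; not a real LockerGoga sample.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 30
    + b".?AVfilesystem_error@filesystem@boost@@\x00\x00"
    + b"boost::interprocess::shared_memory_object\x00"
    + b".?AVRSAES_OAEP_SHA_Encryptor@CryptoPP@@\x00"
    + b"CryptoPP::RSA::PublicKey\x00"
    + b"\xff\xfe" * 8
)

# Constructed control buffer containing only ordinary Win32 import names.
SAMPLE_PLAIN = b"\x00" * 8 + b"CreateFileW\x00WriteFile\x00CryptEncrypt\x00"


if __name__ == "__main__":
    for lib, hits in fingerprint_libraries(SAMPLE_BINARY).items():
        print(f"{lib}: {len(hits)} marker string(s)")
        for h in hits:
            print("   ", h.decode("ascii"))
```

Run against a real file with `fingerprint_libraries(open(path, "rb").read())`. A hit on both libraries tells the analyst to expect Boost's filesystem iteration and IPC wrappers and Crypto++'s cipher classes rather than raw `CreateFileW`/`CryptEncrypt` calls, which changes where to set breakpoints and which symbols to look for; an empty result on a packed or obfuscated sample is expected, since the page notes this LockerGoga variant is not obfuscated at all.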
