Investigation Into LockerGoga Ransomware Finds Flaws in the Code

LockerGoga is ransomware that has recently affected some high-profile industrial manufacturers like Norse Hydro, Hexicon and Momentive.

Preliminary analysis of it shows it has, in its current forms, limited ability to spread in a network. Some analysts think that it spreads within a company by leveraging Active Directory. Some think that it may use the server message block (SMB) protocol, which would mean that the ransomware manually copies files from computer to computer. But Palo Alto Networks has found 31 variants of the code thus far, so there is always the possibility that other means may be employed.

The malware seems to be more sophisticated than other ransomware due to its use of undocumented Windows API calls.

But it's not perfect.

Alert Logic found some rather interesting characteristics about the malware that it posted on its blog. They admit that they are not sure if what they found is true for all the variants in the wild, but is certainly worth consideration.

They found that, "Once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the '.lnk' file extension -- a shortcut used in Windows to link files. When it encounters a '.lnk' file it will utilize the built-in shell32 / linkinfo DLLs to resolve the '.lnk' path. However, if this '.lnk' path has one of a series of errors in it, then it will raise an exception—an exception which the malware does not handle." This causes direct effects. Namely, if the malware does not handle an exception, it will be terminated by the operating system. That is standard behavior.

That means that in this case the malware stops before it encrypts, since the file review process is done first. The malware file will still be present on the victim machine, but it will be inert.

Alert Logic found a .lnk file will stop the malware if it is resident in the "Recent Items" folder and if it has been crafted to contain an invalid network path. Also, the ".lnk" file should have no associated RPC endpoint.

So, creating a malformed .lnk path can inoculate against some of the variants of this ransomware. It won't protect against whatever method was used by the ransomware to gain a foothold on the system, so that must also be performed.

Cisco Talos found that some of the newer variants of the malware will forcibly log the victim off from the infected system as well as remove their ability to log back in following the encryption process. They cannot then attempt to comply with any ransom demands. This variant should be considered destructive.

It can only be hoped that the threat actors do not learn from their mistake and come up with a way to perform exception handling in a newer version. But for the moment, this is a way to put up roadblocks in the ransomware's path.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.