The LockerGoga ransomware that’s been targeting industrial and manufacturing companies in early 2019 contains a coding error that could potentially be exploited to stop it from encrypting files, researchers say.

The mistake pertains to how the malware handles .lnk file extensions, explains a March 25 blog post from threat management company Alert Logic, whose researchers discovered the issue.

According to Alert Logic, LockerGoga scans compromised machines to assess what files they are hosting. If LockerGoga identifies any .lnk file extensions, which are used by Microsoft Windows to point to executable files, then the malware attempts to resolve their paths.

However, there two conditions that create an exception that LockerGoga can’t handle, causing the operating systems to terminate the ransomware before it can do any damage:

  • the .lnk file is crafted to contain an invalid network path
  • the .lnk file has no Remote Procedure Call (RPC) endpoint

“The malicious file will still exist on the victim machine, but it will be effectively rendered inert, since it cannot effectively execute while the malformed ‘.lnk’ file remains,” explains the Alert Logic report.

Therefore, security professionals could intentionally create erroneous .lnk files to foul up LockerGoga’s operations should an attack occur. Of course, if an infected machine successfully employs this tactic, that doesn’t mean the danger is over, Alert Logic notes. The attackers still found a way to compromise the device in the first place, and presumably LockerGoga’s developers will work to fix this flaw.

Indeed, LockerGoga has already gone through a series of updates and variants since emerging on the scene in January 2019.

A new blog post issued today by Palo Alto Networks’ Unit 42 threat research team says the company has identified 31 samples of ransomware that are “similar in behavior and code to the initial variant” that was used in an attack against French engineering company Altran Technologies. Additional LockerGoga attacks were later launched against aluminum producer Norsk Hydro and U.S. chemical companies Hexion and MPM Holdings.

In the blog post, threat intelligence analyst Mike Harbison lists some of the key improvements found in ensuing versions of the ransomware, including the added importation of Windows Sockets Library ws2_32.dll and the use of undocumented Windows API calls. Harbison says the addition of such enhancements “indicates a level of sophistication beyond typical ransomware authors. The former could lead to the eventual inclusion of C2 communication or automated propagation, and the latter requires some working knowledge of Windows internals.”

“These features raise more questions about the actor’s intent as ransomware is typically one of the least advanced forms of malware:  Are they motivated by profits or something else?” Harbison ponders in the report.