Threat Management, Malware, Ransomware, Vulnerability Management

Researchers: LockerGoga coding error can be exploited to prevent malicious encryption

The LockerGoga ransomware that's been targeting industrial and manufacturing companies in early 2019 contains a coding error that could potentially be exploited to stop it from encrypting files, researchers say.

The mistake pertains to how the malware handles .lnk file extensions, explains a March 25 blog post from threat management company Alert Logic, whose researchers discovered the issue.

According to Alert Logic, LockerGoga scans compromised machines to assess what files they are hosting. If LockerGoga identifies any .lnk file extensions, which are used by Microsoft Windows to point to executable files, then the malware attempts to resolve their paths.

However, there two conditions that create an exception that LockerGoga can't handle, causing the operating systems to terminate the ransomware before it can do any damage:

  • the .lnk file is crafted to contain an invalid network path
  • the .lnk file has no Remote Procedure Call (RPC) endpoint

"The malicious file will still exist on the victim machine, but it will be effectively rendered inert, since it cannot effectively execute while the malformed ‘.lnk’ file remains," explains the Alert Logic report.

Therefore, security professionals could intentionally create erroneous .lnk files to foul up LockerGoga's operations should an attack occur. Of course, if an infected machine successfully employs this tactic, that doesn't mean the danger is over, Alert Logic notes. The attackers still found a way to compromise the device in the first place, and presumably LockerGoga's developers will work to fix this flaw.

Indeed, LockerGoga has already gone through a series of updates and variants since emerging on the scene in January 2019.

A new blog post issued today by Palo Alto Networks' Unit 42 threat research team says the company has identified 31 samples of ransomware that are "similar in behavior and code to the initial variant" that was used in an attack against French engineering company Altran Technologies. Additional LockerGoga attacks were later launched against aluminum producer Norsk Hydro and U.S. chemical companies Hexion and MPM Holdings.

In the blog post, threat intelligence analyst Mike Harbison lists some of the key improvements found in ensuing versions of the ransomware, including the added importation of Windows Sockets Library ws2_32.dll and the use of undocumented Windows API calls. Harbison says the addition of such enhancements "indicates a level of sophistication beyond typical ransomware authors. The former could lead to the eventual inclusion of C2 communication or automated propagation, and the latter requires some working knowledge of Windows internals."

"These features raise more questions about the actor’s intent as ransomware is typically one of the least advanced forms of malware:  Are they motivated by profits or something else?" Harbison ponders in the report.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.