The French engineering research and consulting firm “Altran Technologies” was hit by ransomware on the 24th of January. The attack spread through their network, including offices located in other countries, because of open network connections and shared folders mounted on the attacked systems. Altran took immediate action, shutting down its entire network and “mobilizing leading global third-party technical experts and forensics”, according to their statement.
Soon after, security researchers concluded that the malware used in the attack was the LockerGoga ransomware. MalwareHunterTeam researchers found this name in the path used when compiling the source code. The first sample was uploaded to VirusTotal from Romania, and “Goga” is a Romanian name, which raises the question of whether the malware was developed in Romania. The ransomware is also digitally signed, initially with a valid certificate issued to an IT consulting firm located in the UK, named MIKL Limited. The certificate was later revoked, but the effort to avoid detection and not raise suspicion is clearly visible.
LockerGoga ransomware test facts
Upon execution in our test environment, the malware spawned as many processes as the number of attacked files, named very similarly to some Windows executables, like “svch0st” or “svchub”. Each of them encrypts one file, so the entire process takes some time (though not that much; we have seen much slower ransomware). It supports arguments, and launching the spawned processes with “-w” triggers system-wide encryption, regardless of file extensions. Without the argument, LockerGoga encrypts only a limited set of file extensions, which speeds up the process. The affected files can be recognized by their new extension, “.locked”. In the end, it drops ransom notes in a few key folders, containing instructions on how to recover the files and how to contact the cybercriminals (using the email addresses CottleAkela@protonmail.com or QyavauZehyco1994@o2.pl).
Even though it is slow and the executable is signed, LockerGoga is stopped by Ranstop, partly because Ranstop does not use signatures to detect malware and partly because of its behavior analysis engine. Once ransomware-like behavior is detected, it triggers Ranstop’s next engine, which identifies which processes were involved in the encryption and stops/quarantines all of them. Every modified file is backed up by Ranstop and recovered once ransomware changes it. Because of this, no files are lost, and all encrypted files are restored to their original state without any user intervention, minimizing downtime.
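As an added example, not code from the original post or from TEMASOFT, the following Python sketch implements the kind of behavior-based detection described above over constructed endpoint telemetry: it flags a burst of files renamed to “.locked”, then attributes the burst to the processes involved, noting which Windows binary each process name mimics (“svch0st”, “svchub”) and whether it was launched with “-w”. The event tuples, the list of Windows image names, the 60-second window and the threshold of five files are all assumptions.

```python
import difflib

# Legitimate Windows image names that the observed process names resemble (assumed list).
WINDOWS_BINARIES = ["svchost", "lsass", "csrss", "winlogon", "explorer", "services"]

# Constructed endpoint telemetry (not a real capture): (seconds, kind, pid, image, cmdline_or_path).
EVENTS = [
    (0.0, "proc", 100, "svchost.exe", "svchost.exe -k netsvcs"),         # genuine service host
    (1.0, "proc", 201, "svch0st.exe", "svch0st.exe -w"),                 # lookalike, -w = system-wide mode
    (1.2, "rename", 201, "svch0st.exe", "C:\\Users\\a\\Q4.xlsx.locked"),
    (1.5, "proc", 202, "svchub.exe", "svchub.exe -w"),
    (1.7, "rename", 202, "svchub.exe", "C:\\Users\\a\\plan.docx.locked"),
    (2.0, "rename", 100, "svchost.exe", "C:\\Windows\\Temp\\cab1.tmp"),  # benign rename, ignored
    (2.1, "proc", 203, "svch0st.exe", "svch0st.exe -w"),
    (2.3, "rename", 203, "svch0st.exe", "C:\\Users\\a\\notes.txt.locked"),
    (2.6, "proc", 204, "svchub.exe", "svchub.exe -w"),
    (2.8, "rename", 204, "svchub.exe", "C:\\Users\\a\\db.bak.locked"),
    (3.0, "proc", 205, "svch0st.exe", "svch0st.exe -w"),
    (3.2, "rename", 205, "svch0st.exe", "C:\\Users\\a\\cv.pdf.locked"),
]

def impersonated_binary(image_name):
    """Return the Windows binary a process name resembles, or None if it is genuine or unrelated."""
    stem = image_name.lower().removesuffix(".exe")
    if stem in WINDOWS_BINARIES:
        return None                      # exact match: a real system image, not a lookalike
    hits = difflib.get_close_matches(stem, WINDOWS_BINARIES, n=1, cutoff=0.6)
    return hits[0] if hits else None

def detect_lockergoga(events, window=60.0, threshold=5):
    """Flag a burst of '.locked' renames within `window` seconds and list the processes behind it."""
    cmdlines = {pid: cmd for (_, kind, pid, _, cmd) in events if kind == "proc"}
    locked = [(t, pid, name) for (t, kind, pid, name, path) in events
              if kind == "rename" and path.lower().endswith(".locked")]
    for i, (t0, _, _) in enumerate(locked):          # events are assumed to be in time order
        burst = [e for e in locked[i:] if e[0] - t0 <= window]
        if len(burst) >= threshold:
            suspects = {}
            for _, pid, name in burst:
                suspects[pid] = {"image": name, "mimics": impersonated_binary(name),
                                 "system_wide": "-w" in cmdlines.get(pid, "").split()}
            return {"alert": True, "locked_files": len(burst), "processes": suspects}
    return {"alert": False, "locked_files": len(locked), "processes": {}}

if __name__ == "__main__":
    print(detect_lockergoga(EVENTS))
```

Because each LockerGoga process encrypts a single file, counting renames per process would never cross a threshold; the burst has to be measured across all processes, which is why the attribution step comes after the alert.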
LockerGoga ransomware test results
TEMASOFT Ranstop detects this version of LockerGoga ransomware soon after it starts encrypting files. Upon detection, alerts are fired off, and the malware process is stopped and quarantined. The affected files are automatically restored so that the user doesn’t lose any critical information.
About TEMASOFT Ranstop
TEMASOFT Ranstop is anti-ransomware software that detects present and future ransomware based on file access pattern analysis, with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.