
Ranstop blocks LockerGoga ransomware

Test subject – LockerGoga ransomware

The French engineering research and consulting firm “Altran Technologies” was hit by ransomware on the 24th of January. The attack spread through their network, including offices located in other countries, because of open network connections and shared folders mounted on the attacked systems. Altran took immediate action, shutting down its entire network and “mobilizing leading global third-party technical experts and forensics”, according to their statement.

Soon after, security researchers came to the conclusion that the malware used in the attack was the LockerGoga ransomware. MalwareHunterTeam researchers found this name in the path used for compiling the source code. The first sample was uploaded to VirusTotal from Romania, and “Goga” is a Romanian name, which raises the question of whether the malware was developed in Romania. The ransomware is also digitally signed, initially with a valid certificate issued to an IT consulting firm located in the UK, named MIKL Limited. The certificate was later revoked, but the effort to avoid detection and not raise suspicion is clearly visible.

LockerGoga ransomware test facts

Upon execution in our test environment, the malware spawned as many processes as the number of attacked files, named very similarly to some Windows executables, like “svch0st” or “svchub”. Each of them encrypts one file, so the entire process takes some time (but not that much; we have seen much slower ransomware). It supports arguments, and launching the spawned processes with “-w” will trigger system-wide encryption, regardless of file extensions. Without the argument, LockerGoga encrypts only a limited set of file extensions, which speeds up the process. The affected files can be recognized by their new extension, “.locked”. In the end, it drops ransom notes in a few key folders, containing instructions on how to recover the files and how to contact the cybercriminals (using the email addresses CottleAkela@protonmail.com or QyavauZehyco1994@o2.pl).

Even though it is slow and the executable is signed, LockerGoga is stopped by Ranstop, partly because Ranstop does not rely on signatures to detect malware and partly because of its behavior analysis engine. Once ransomware-like behavior is detected, Ranstop’s next engine determines which processes were involved in the encryption and stops and quarantines all of them. Every modified file is backed up by Ranstop and recovered once ransomware changes it. Because of this, no files are lost: all encrypted files are recovered and restored to their original state without any user intervention, minimizing downtime.
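The two paragraphs above describe a pattern a behavior-based engine can key on: one parent spawns many look-alike-named child processes, each of which renames exactly one file to “.locked”. The following Python sketch is an added example written for this post; it is not Ranstop’s code and makes no claim about how Ranstop’s engine is implemented. The events it processes are constructed Sysmon-style records (pids, the image name “sample.exe” for the parent, the file paths and timestamps are all invented); the child image names and the “.locked” extension come from the test facts above. The look-alike check uses a simple string-similarity heuristic, which is an assumption of this example rather than a documented detection rule.

```python
"""Behaviour-based detection sketch for the LockerGoga-style pattern:
many short-lived children of one parent, each renaming one file to *.locked.
All events below are CONSTRUCTED for this example (not a real capture)."""
from collections import defaultdict
from dataclasses import dataclass
import difflib

LOCKED_SUFFIX = ".locked"          # extension the post reports LockerGoga appending
# Legitimate Windows image names that names like "svch0st" imitate (assumed list).
KNOWN_SYSTEM_IMAGES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
MIN_CHILDREN = 3                   # children per parent before we raise an alert
WINDOW_SECONDS = 60.0              # all child renames must fall inside this window


@dataclass
class Event:
    ts: float          # seconds since start of capture
    kind: str          # "process_create" or "file_rename"
    pid: int
    ppid: int
    image: str         # executable name of the acting process
    target: str = ""   # new path (file_rename only)
    cmdline: str = ""


@dataclass
class Alert:
    parent_pid: int
    child_pids: list
    lookalike_images: list
    files: list        # files that would need restoring from backup


def is_lookalike(image: str, threshold: float = 0.75) -> bool:
    """True if image is not a known system binary but closely resembles one
    (svch0st.exe vs svchost.exe). Heuristic chosen for this example only."""
    name = image.lower()
    if name in KNOWN_SYSTEM_IMAGES:
        return False
    return any(difflib.SequenceMatcher(None, name, k).ratio() >= threshold
               for k in KNOWN_SYSTEM_IMAGES)


def detect(events):
    """Return one Alert per parent whose children each renamed a file to .locked."""
    parent_of, image_of = {}, {}
    renames = defaultdict(list)            # pid -> [(ts, new_path)]
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_create":
            parent_of[ev.pid] = ev.ppid
            image_of[ev.pid] = ev.image
        elif ev.kind == "file_rename" and ev.target.lower().endswith(LOCKED_SUFFIX):
            renames[ev.pid].append((ev.ts, ev.target))

    by_parent = defaultdict(list)          # ppid -> [child pids that wrote .locked]
    for pid in renames:
        if pid in parent_of:
            by_parent[parent_of[pid]].append(pid)

    alerts = []
    for ppid, kids in by_parent.items():
        times = [t for k in kids for t, _ in renames[k]]
        if len(kids) >= MIN_CHILDREN and max(times) - min(times) <= WINDOW_SECONDS:
            kids = sorted(kids)
            alerts.append(Alert(
                parent_pid=ppid,
                child_pids=kids,
                lookalike_images=sorted({image_of[k] for k in kids if is_lookalike(image_of[k])}),
                files=[p for k in kids for _, p in renames[k]],
            ))
    return alerts


# Constructed sample: parent 4000 spawns three look-alike children, each
# encrypting one file; pid 900 and pid 5000 are benign noise.
SAMPLE_EVENTS = [
    Event(1.0, "process_create", 4000, 1, "sample.exe"),
    Event(9.0, "process_create", 4101, 4000, "svch0st.exe", cmdline="svch0st.exe"),
    Event(9.2, "process_create", 4102, 4000, "svchub.exe", cmdline="svchub.exe"),
    Event(9.4, "process_create", 4103, 4000, "svch0st.exe", cmdline="svch0st.exe"),
    Event(10.0, "file_rename", 4101, 4000, "svch0st.exe", target=r"C:\Users\a\report.docx.locked"),
    Event(10.5, "file_rename", 4102, 4000, "svchub.exe", target=r"C:\Users\a\budget.xlsx.locked"),
    Event(11.0, "file_rename", 4103, 4000, "svch0st.exe", target=r"C:\Users\a\notes.txt.locked"),
    Event(12.0, "process_create", 900, 1, "explorer.exe"),
    Event(12.5, "file_rename", 900, 1, "explorer.exe", target=r"C:\Users\a\draft.docx"),
    Event(13.0, "process_create", 5000, 1, "archiver.exe"),
    Event(13.5, "file_rename", 5000, 1, "archiver.exe", target=r"C:\tmp\one.locked"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"parent {a.parent_pid}: children {a.child_pids}, "
              f"look-alikes {a.lookalike_images}, restore {len(a.files)} file(s)")
```

The alert carries the parent and every child pid together, which is the set a responder would stop and quarantine, plus the list of renamed files to restore from backup. A single process renaming one file to “.locked” (pid 5000) does not trip the rule, which keeps the example from alerting on ordinary tools that happen to use that extension.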

LockerGoga ransomware test results

TEMASOFT Ranstop detects this version of LockerGoga ransomware soon after it starts encrypting files. Upon detection, alerts are raised, and the malware processes are stopped and quarantined. The affected files are automatically restored, so the user does not lose any critical information.


Click here to watch TEMASOFT Ranstop blocking LockerGoga ransomware (video)!

Learn how to protect against ransomware!

About TEMASOFT Ranstop

TEMASOFT Ranstop is anti-ransomware software that detects present and future ransomware with a high degree of accuracy, based on file access pattern analysis. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.


This post was last modified on August 21, 2023 7:26 am

Published by
FM Team
