The list of files to encrypt is taken from the master process via IPC, an interface used to share data between applications in Microsoft Windows. Each slave process will encrypt only a small number of files, to avoid heuristic detections available in endpoint security products. The slave processes will be executed with a different set of parameters as shown below. The master process runs with the -m parameter and is responsible for creating the list of files to encrypt and spawning the slaves. The malware begins its infection on an endpoint by installing a copy of itself on the %TEMP% folder.Īfter being copied, it will start a new process with the -m parameter. LockerGoga works in a master/slave configuration. The ransomware needs be executed from a privileged account. Most of the LockerGoga samples work the same way but we observed how they added and removed certain types of functionality during their development lifecycle. Like other types of malware, LockerGoga will use all the available CPU resources in the system, as we discovered on our machines: One of the main differences between LockerGoga and other ransomware families is the ability to spawn different processes in order to accelerate the file encryption in the system: In order to uncover its capabilities, we analyzed all the samples we found, discovering similarities between them, as well as how the development lifecycle adds or modifies different features in the code to evolve the ransomware in a more professional tool used by the group behind it. Based on our research, and compared with other families, it has a few unique functions and capabilities that are rare compared to other ransomware families that have similar objectives and/or targeted sectors in their campaigns. LockerGoga is a ransomware that exhibits some interesting behaviors we want to highlight. We will describe how this new ransomware works and detail how enterprises can protect themselves from this threat. In this blog, we will look at the findings of the McAfee ATR team following analysis of several different samples. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected. Once again, we have seen a significant new ransomware family in the news.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |