Ransomware or Wiper? LockerGoga Straddles the Line
Ransomware attacks have been in the news with increased frequency over the past few years. This type of malware can be extremely disruptive and can even have an operational impact on critical systems that become infected. LockerGoga is yet another example of this sort of malware. It is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals. Talos has also seen wiper malware impersonate ransomware, such as the NotPetya attack.
Earlier versions of LockerGoga leverage an encryption process to remove the victim’s ability to access files and other data stored on infected systems. A ransom note is then presented that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted. Some of the later versions of LockerGoga, while still employing the same encryption, have also been observed forcibly logging the victim off of the infected systems and removing their ability to log back in following the encryption process. The consequence is that in many cases the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands. These later versions of LockerGoga could therefore be described as destructive.
While the initial infection vector associated with LockerGoga is currently unknown, attackers can use a wide variety of techniques to gain network access, including exploiting unpatched vulnerabilities and phishing user credentials. Similar techniques help expand initial access into widespread control of the network, with stolen user credentials being an especially lucrative vector for lateral movement. For example, the actors behind the SamSam attacks leveraged vulnerable servers exposed to the internet as their means of obtaining initial access to environments they were targeting.