S0372 LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[2][1]
Item | Value |
---|---|
ID | S0372 |
Associated Names | |
Type | MALWARE |
Version | 2.0 |
Created | 16 April 2019 |
Last Modified | 08 March 2023 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1531 | Account Access Removal | LockerGoga has been observed changing account passwords and logging off current users.[1][2] |
enterprise | T1486 | Data Encrypted for Impact | LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[1][2][3] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | LockerGoga has been observed deleting its original launcher after execution.[1] |
enterprise | T1570 | Lateral Tool Transfer | LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating.[2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | LockerGoga has been signed with stolen certificates in order to make it look more legitimate.[3] |
enterprise | T1529 | System Shutdown/Reboot | LockerGoga has been observed shutting down infected systems.[3] |
ics | T0827 | Loss of Control | Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations.[5][4] |
ics | T0828 | Loss of Productivity and Revenue | While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity.[5][4] |
ics | T0829 | Loss of View | Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations.[5][4] |
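Two of the behaviours in the table above leave host-level telemetry a defender can key on: the "task kill" against anti-virus that precedes installation (T1562.001) and the password change followed by a forced logoff (T1531). The following detection sketch is an added example, not code from MITRE ATT&CK or from any of the cited reports. It runs over a handful of constructed Windows Security log style records (event IDs 4688 process creation, 4724 password reset, 4647 user-initiated logoff); the record schema and the list of security-tool process names are assumptions made for the example, not values taken from this page.

```python
"""Detection sketch for two LockerGoga behaviours from the ATT&CK table:
T1562.001 (taskkill aimed at security tooling) and
T1531 (account password reset, then that user logged off shortly after).
All events below are constructed for this example and mimic, but are not,
real Windows Security log records."""
import shlex
from datetime import datetime, timedelta

# Illustrative security-tool process names (assumption, not from the page).
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "mbamservice.exe"}

# Constructed sample events. Assumed fields: event_id, time, host, user,
# plus cmdline (4688) or target (4724).
SAMPLE_EVENTS = [
    {"event_id": 4688, "time": "2019-03-19T02:00:01", "host": "WS01",
     "user": "svc_admin", "cmdline": "taskkill /IM MsMpEng.exe /F"},
    {"event_id": 4688, "time": "2019-03-19T02:00:05", "host": "WS01",
     "user": "svc_admin", "cmdline": "C:\\Temp\\payload_placeholder.exe"},
    {"event_id": 4724, "time": "2019-03-19T02:03:00", "host": "WS01",
     "user": "svc_admin", "target": "alice"},
    {"event_id": 4647, "time": "2019-03-19T02:03:20", "host": "WS01",
     "user": "alice"},
    # Benign noise: taskkill against a non-security process on another host.
    {"event_id": 4688, "time": "2019-03-19T09:15:00", "host": "WS02",
     "user": "helpdesk", "cmdline": "taskkill /IM notepad.exe"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_security_tool_kills(events):
    """Return 4688 events whose command line is taskkill targeting a known
    security process (T1562.001 indicator)."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4688:
            continue
        try:
            # posix=False keeps Windows backslashes intact.
            argv = shlex.split(ev["cmdline"], posix=False)
        except ValueError:
            continue
        if not argv:
            continue
        image = argv[0].lower().rsplit("\\", 1)[-1]
        if image not in {"taskkill", "taskkill.exe"}:
            continue
        if {a.lower() for a in argv[1:]} & SECURITY_PROCESSES:
            hits.append(ev)
    return hits


def find_password_reset_then_logoff(events, window=timedelta(minutes=5)):
    """Pair each 4724 password reset with a 4647 logoff of the reset target on
    the same host within `window` (T1531 indicator). Returns tuples of
    (host, target_user, actor, seconds_between)."""
    resets = [e for e in events if e["event_id"] == 4724]
    logoffs = [e for e in events if e["event_id"] == 4647]
    pairs = []
    for r in resets:
        for lo in logoffs:
            same_host = lo["host"] == r["host"]
            same_user = lo["user"].lower() == r["target"].lower()
            if not (same_host and same_user):
                continue
            delta = _ts(lo["time"]) - _ts(r["time"])
            if timedelta(0) <= delta <= window:
                pairs.append((r["host"], r["target"], r["user"],
                              int(delta.total_seconds())))
    return pairs


def triage(events):
    """Summarise both detections as ATT&CK-tagged findings."""
    findings = []
    for ev in find_security_tool_kills(events):
        findings.append({"technique": "T1562.001", "host": ev["host"],
                         "detail": ev["cmdline"]})
    for host, target, actor, secs in find_password_reset_then_logoff(events):
        findings.append({"technique": "T1531", "host": host,
                         "detail": f"{actor} reset {target}, logoff {secs}s later"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Both detections are deliberately narrow: a single `taskkill` against a security process, or one reset-then-logoff pair, is a strong signal only when both land on the same host in the same short window, which is why `triage` reports the host with each finding so an analyst can correlate them.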
Groups That Use This Software
ID | Name | References |
---|---|---|
G0037 | FIN6 | [6] |
References
- CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
- Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
- Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
- Beaumont, K. (2019). How Lockergoga took down Hydro: ransomware used in targeted attacks aimed at big business. Retrieved October 16, 2019.
- Beaumont, K. (2019). How Lockergoga took down Hydro: ransomware used in targeted attacks aimed at big business. Retrieved October 16, 2019.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.