Halting the Lockergoga Ransomware

Most of the time attackers exploit coding errors in applications to get access to systems and data but every so often we get a chance to exploit their lack of testing and resulting coding errors to affect their malicious code. In this case a simple error in a piece of malware gives us an opportunity.

The Lockergoga ransomware has been implicated in a series of damaging infections across the world—most notably in disabling the multinational manufacturing company Norsk Hydro. Several vendors have published analyses of the ransomware—so this blog won’t re-tread those steps—however, we have uncovered a coding error that could be used to stop the spread of this malware. We don’t have access to all samples, so we are still evaluating to determine how many variants this strategy will be effective against.

The Missing .lnk

Once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the '.lnk' file extension—a shortcut used in Windows to link files. When it encounters a '.lnk' file it will utilize the built-in shell32 / linkinfo DLLs to resolve the '.lnk' path. However, if this '.lnk' path has one of a series of errors in it, then it will raise an exception—an exception which the malware does not handle.

Once the malware encounters an unhandled exception it is terminated by the operating system (as is standard procedure). And this occurs during the reconnaissance phase, which happens before encryption even begins. As a result, the ransomware will halt and cease any further attempts at encryption. The malicious file will still exist on the victim machine, but it will be effectively rendered inert, since it cannot effectively execute while the malformed '.lnk' file remains.

We have identified two conditions for the '.lnk' file which would allow it to halt the ransomware in its tracks:

  • The '.lnk file has been crafted to contain an invalid network path
  • The '.lnk' file has no associated RPC endpoint

Note that in our testing these '.lnk' files had to be resident in the 'Recent Items' folder.

Remediation

Crafting a malformed '.lnk' file can be an effective protection against execution of at least some samples of this ransomware campaign. Of course, if ransomware has become resident on your system then there is still some exploit or misconfiguration which attackers are using to deliver this payload—and it's of the utmost importance that that entry point is identified and closed as soon as possible.

About Alert Logic Threat Research

Alert Logic routinely tracks emerging vulnerabilities and active use of new exploits in the wild. This allows us to keep up with the latest tools, techniques, and practices of attackers and provide protection for our customers for their most critical threats.

Update

The findings of the Alert Logic Threat Intelligence team described here have been included in the CIS Security Primer - Lockergoga white paper, which is cited by the US-CERT as a primary resource for addressing the threat from Lockergoga ransomware. The CIS white paper explains:

"Cybersecurity vendor Alert Logic reports that there is currently a flaw in some LockerGoga variants where the ransomware will not encrypt anything if it comes across a .lnk file. LNK is a file extension for a Microsoft Windows shortcut file to point to an executable file. Since this discovery is public knowledge, it is highly likely that the malware authors are aware and will resolve the issue in future variants."