The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

FBI Issues Alert on LockerGoga and MegaCortex Ransomware

by Chris Brook on Thursday January 2, 2020

Contact Us
Free Demo
Chat

The FBI sounded the alarm around two strains of ransomware, LockerGoga and MegaCortex, shortly before the holiday break.

Shortly before Christmas, the Federal Bureau of Investigation (FBI) issued an alert to organizations warning of attacks involving two strains of ransomware, LockerGoga and MegaCortex.

According to the warning, a Flash Alert marked TLP:Amber obtained by blog BleepingComputer, the FBI is stressing that the actual ransomware attack that stems from these two variants is just the final blow in what's often a months long con attackers carry out on corporate networks.

Once attackers gain a foothold within an organization, either with via an exploit, phishing attack, SQL injection, or via pilfered credentials, they often linger for months before triggering the final infections, the FBI warned. More often than not, attackers are using Cobalt Strike penetration tools to gain access and deploy “beacons,” which go on to "create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system,” the report says.

LockerGoga ransomware in particular has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands, the alert said - the biggest victim perhaps being Norsk Hydro, the Norwegian Aluminum manufacturer, that was knocked offline in March 2019.

MegaCortex, uncovered in May 2019, is similar to LockerGoga as far as its indicators of compromise (IOCs), command and control infrastructure go; it also targets enterprises, like LockerGoga.

Other details the FBI disclosed involve steps attackers take in wake of deploying the ransomware, like executing something called a kill.bat or stop.bat batch file - something that terminates processes and services related to security programs, disables Windows Defender scanning features, and disable security-related services.

While it shouldn't come as a surprise, the FBI recommends organizations take steps to backup data regularly, keep offline backups, and put steps in place to verify the integrity of their backup process.

In addition, the FBI is also encouraging organizations to take a following precautions:

  • Make sure all installed software and operating systems are kept updated. This helps to prevent vulnerabilities from being exploited by the attackers.
  • Enable two-factor authentication and strong passwords to block phishing attacks, stolen credentials, or other login compromises.
  • As publicly exposed remote desktop servers are a common way for attackers to first gain access to a network, businesses should audit logs for all remote connection protocols
  • Audit the creation of new accounts.
  • Scan for open or listening ports on the network and block them from being accessible.
  • Disable SMBv1 as numerous vulnerabilities and weaknesses exist in the protocol.
  • Monitor the organization's Active Directory and administrator group changes for unauthorized users.
  • Make sure you are using the most up-to-date PowerShell and uninstall any older versions.
  • "Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell"

Tags: Ransomware

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.