Investigation Into LockerGoga Ransomware Finds Flaws in the Code

Published: 23/11/2024   Category: security




Preliminary analysis of LockerGoga shows it has, in its current forms, limited ability to spread in a network.



LockerGoga is ransomware that has recently affected some high-profile industrial manufacturers like Norsk Hydro, Hexion and Momentive.
Preliminary analysis of it shows that, in its current forms, it has limited ability to spread in a network. Some analysts think it spreads within a company by leveraging Active Directory. Others think it may use the Server Message Block (SMB) protocol, which would mean the ransomware manually copies files from computer to computer. But Palo Alto Networks has found 31 variants of the code thus far, so there is always the possibility that other means may be employed.
The malware seems more sophisticated than other ransomware due to its use of undocumented Windows API calls. But it's not perfect.
Alert Logic found some rather interesting characteristics of the malware, which it posted on its blog. They admit they are not sure whether what they found holds for all the variants in the wild, but it is certainly worth consideration.
They found that once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the .lnk file, a shortcut used in Windows to link files. When it encounters a .lnk file, it uses the built-in shell32 / linkinfo DLLs to resolve the .lnk path. However, if this .lnk path has one of a series of errors in it, an exception is raised, and the malware does not handle that exception. This has a direct effect: a process that does not handle an exception is terminated by the operating system. That is standard behavior.
That means that in this case the malware stops before it encrypts, since the file review process is done first. The malware file will still be present on the victim machine, but it will be inert.
Alert Logic found that a .lnk file will stop the malware if it is resident in the Recent Items folder and has been crafted to contain an invalid network path. Also, the .lnk file should have no associated RPC endpoint.
So, creating a malformed .lnk path can inoculate against some of the variants of this ransomware. It won't protect against whatever method the ransomware used to gain a foothold on the system, so that must also be addressed.
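As an added example (not code from the article or from Alert Logic), the following Python parser reads the Shell Link (.lnk) header and LinkInfo structure and reports whether a shortcut carries a UNC network path, the kind of check a defender might run over the shortcuts in the Recent Items folder to see what the malware's file scan would try to resolve. The sample .lnk is constructed inside the block; the host name in it is an assumption, and the example only shows the structure, not whether a given variant crashes on it.

```python
import struct

# MS-SHLLINK constants (ShellLinkHeader / LinkInfo)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH, COMMON_NETWORK_RELATIVE_LINK = 0x01, 0x02

def lnk_target(data: bytes) -> dict:
    """Read the ShellLinkHeader and LinkInfo of a .lnk and report where it points.
    Structural problems raise ValueError instead of propagating as struct errors."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:               # skip the LinkTargetIDList block
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    result = {"local": None, "network": None, "suffix": None}
    if not flags & HAS_LINK_INFO:
        return result
    li_size, li_hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
    if li_hdr < 0x1C or li_size > len(data) - pos:
        raise ValueError("malformed LinkInfo")
    def cstr(off):                                   # NUL-terminated ANSI string at LinkInfo-relative offset
        end = data.index(b"\0", pos + off)
        return data[pos + off:end].decode("ascii", "replace")
    result["suffix"] = cstr(suffix_off)
    if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        result["local"] = cstr(local_off)
    if li_flags & COMMON_NETWORK_RELATIVE_LINK:      # UNC target lives in CommonNetworkRelativeLink
        _csize, _cflags, net_off = struct.unpack_from("<III", data, pos + cnrl_off)
        result["network"] = cstr(cnrl_off + net_off)
    return result

def build_network_lnk(net_name: str, path_suffix: str) -> bytes:
    """Constructed sample for offline use: a minimal .lnk whose LinkInfo holds only a
    CommonNetworkRelativeLink (UNC share) plus a path suffix, and no local path."""
    net = net_name.encode("ascii") + b"\0"
    cnrl = struct.pack("<IIIII", 0x14 + len(net), 0x02, 0x14, 0, 0x00020000) + net  # 0x20000 = WNNC_NET_LANMAN
    suffix = path_suffix.encode("ascii") + b"\0"
    link_info = struct.pack("<7I", 0x1C + len(cnrl) + len(suffix), 0x1C, COMMON_NETWORK_RELATIVE_LINK,
                            0, 0, 0x1C, 0x1C + len(cnrl)) + cnrl + suffix
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO) + struct.pack("<IQQQIIIHHII", 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\0\0\0\0"          # TerminalBlock ends the ExtraData section

if __name__ == "__main__":
    sample = build_network_lnk("\\\\no-such-host\\share", "reports\\q1.docx")  # assumed, nonexistent host
    print(lnk_target(sample))
```

On a Windows host, the shortcuts the article refers to live under `%APPDATA%\Microsoft\Windows\Recent`, so pointing `lnk_target` at each `.lnk` there lists which ones resolve to network paths.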
Cisco Talos found that some of the newer variants of the malware will forcibly log the victim off from the infected system as well as remove their ability to log back in following the encryption process. They cannot then attempt to comply with any ransom demands. This variant should be considered destructive.
It can only be hoped that the threat actors do not learn from their mistake and come up with a way to perform exception handling in a newer version. But for the moment, this is a way to put up roadblocks in the ransomware's path.
— Larry Loeb has written for many of the last century's major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
