Blog: LockerGoga Ransomware Analysis by Adeel Javaid

LockerGoga Ransomware Analysis

Written by: Adeel Javaid

Ransomware is a type of malware that encrypts the files of its victims. The attacker then demands a ransom from the victim in exchange for restoring access to the data. Users are given information on how to obtain the decryption key by paying a charge. The fees can range from a few hundred dollars to thousands of dollars, and they are paid in Bitcoin to hackers.

There are several ways for ransomware to get access to a computer. Phishing spam, attachments sent to the victim in an email that appear to be a file they should trust, is one of the most popular delivery tactics. Once downloaded and opened, they can take over the victim's computer, especially if they contain built-in social engineering techniques that deceive victims into granting administrative access. Other, more aggressive ransomware, such as NotPetya, takes advantage of security flaws to infect machines without the need to deceive people.

Modern ransomware, such as WannaCry, Petya, NotPetya, and Locky, which affected multiple nations in 2017, uses a hybrid encryption strategy that combines AES and RSA encryption to prevent researchers from recovering encrypted files.

In order to understand how ransomware works and what impact it has, I analysed the LockerGoga ransomware in a sandbox. The analysis below not only shows in detail how LockerGoga works but also records the changes the ransomware makes to key registry values. The purpose of this article is to help users protect themselves from such attacks.

What is LockerGoga?

LockerGoga is ransomware that downloads potentially malicious files to the infected computer, copies files to remote storage, encrypts files and local backups (appending the .locked extension to each file name) and demands a ransom to decrypt the files.

How Does LockerGoga Work?

To understand how LockerGoga works, we ran it in a sandboxed environment. We observed that the application launches itself and starts cmd.exe to execute commands, using the following command line:

C:\Windows\system32\cmd.exe /c move /y C:\Users\admin\AppData\Local\Temp\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe C:\Users\admin\AppData\Local\Temp\tgytutrc7972.exe

It also creates the files used to deliver the ransom demand, including the ransom note README_LOCKED.txt; the sandbox recorded the file-creation event as follows:

access: READ_CONTROL, SYNCHRONIZE, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
created: CREATED
device: DISK_FILE_SYSTEM
name: C:\Users\Public\Desktop\README_LOCKED.txt
object: FILE
operation: CREATE
status: 0x00000000

The application then starts itself from another location:

C:\Users\admin\AppData\Local\Temp\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe

Immediately after starting, the application drops an executable file:
filename: C:\Users\admin\AppData\Local\Temp\tgytutrc7972.exe
md5: e11502659f6b5c5bd9f78f534bc38fea
sha1: b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b
sha256: c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15

The application's manifest requires it to run elevated as administrator:

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

The dropped file tgytutrc7972.exe starts NET.EXE (net user, used to view, add or change user accounts) with administrative privileges, passing the account name admin and the string HuHuHUHoHo283283@dJD:

cmdline: C:\Windows\system32\net.exe user admin HuHuHUHoHo283283@dJD
image: C:\Windows\system32\net.exe

The dropped file tgytutrc7972.exe then executes itself with the following command line:

C:\Users\admin\AppData\Local\Temp\tgytutrc7972.exe -m

The application initializes a security descriptor with the InitializeSecurityDescriptor API, sets its discretionary access control list with the SetSecurityDescriptorDacl API and then sets the owner of the security descriptor with the SetSecurityDescriptorOwner API.

The application evaluates this information before it performs the escalation.

Analysis of LockerGoga Payload:

The dropped file tgytutrc7972.exe is the LockerGoga payload. It creates several child processes to carry out the file encryption. When we unpacked the sample we found that the .rdata section holds the data loaded into the payload. Binary analysis of .rdata turned up a run of strings at offsets 00026b14-00026bd8 containing the extensions of the files that the ransomware will encrypt. The file extensions found included:
.lnk
.doc
.dot
.docx
.docb
.dotx
.dotb
.wkb
.xml
.xls
.xlsx
.xlt
.xltx
.xlsb
.xlw
.ppt
.pps
.pot
.ppsx
.pptx
.posx
.potx
.sldx
.pdf
.sql

A reference to the ransom note text file was found at offset 0002903c, and the attackers' email addresses at offset 00028ffc of the .rdata section. The string at 000290c0 contained netsh.exe, used for executing commands through a remote shell. Advapi32.dll was found at offset 0001de68.

How LockerGoga Creates Remote Shell:

LockerGoga uses the CreateProcess API call to create a simple remote shell. One of the parameters to CreateProcess, the STARTUPINFO structure, includes handles to the standard input, standard output and standard error streams of the new process. The application sets these handles to a socket bound to a TCP port, so that whatever the process writes to standard output is really written to the socket; this is what allows the attacker to drive the shell remotely.

How LockerGoga Encrypts Files:

LockerGoga encrypts files using the EncryptFileA function of a dropped advapi32.dll. The legitimate Advapi32.dll is a dynamic link library belonging to the advanced API services library, which provides access to advanced functionality of the Windows system. Malware and ransomware replace the legitimate advapi32.dll with a malicious copy through DLL injection, and that copy is used to encrypt files through API calls to the functions referenced in the binary's strings.

The LockerGoga payload tgytutrc7972.exe spawned several processes after starting. Under PID 2292 it changed 55 registry values to lock MS Word and Office Setup files. Below are some of the registry values the application changed:

write
+6437ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6437ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: SessionHash
Value: 25 06 F1 FE 6D B8 B0 40 F3 6F 8D 96 C6 57 07 94 97 5F F2 CA 43 B1 9A 84 A2 5B 8E 90 0E A7 39 F4

write
+6437ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: Sequence
Value: 1

write
+6453ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml

write
+6453ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: RegFilesHash
Value: 41 E2 D2 87 01 3B F8 6F 8B 33 C4 98 C7 D2 27 07 BE 02 A2 71 A1 0A 95 56 3A DE EB 52 7A AC EC EB

write
+6484ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6484ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Name: SessionHash
Value: 88 0F 18 BA 48 FF E8 59 4E CE 21 63 61 C9 FD 9B 35 F6 7D D6 6A 9B BD 5D C3 1B DC 76 E0 82 A5 15

write
+6484ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Name: Sequence
Value: 1

write
+6484ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-001B-040C-0000-0000000FF1CE}-C\WordMUI.xml

write
+6484ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0007
Name: RegFilesHash
Value: D3 09 85 99 51 ED 47 93 3E 52 F0 E5 FC 28 82 52 CB 05 28 4F 2E E4 A6 61 B9 32 1F 87 1A 80 72 C9

write
+6516ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6516ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Name: SessionHash
Value: 65 39 98 46 B2 55 9C 33 87 0C 89 29 2B 52 4D 9D 38 F3 31 96 63 A1 0F 49 FE 46 68 F7 03 37 8D 8B

write
+6516ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Name: Sequence
Value: 1

write
+6516ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-006E-0407-0000-0000000FF1CE}-C\OfficeMUI.xml

write
+6516ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0012
Name: RegFilesHash
Value: 48 E8 8B C1 4B FC 00 4A 28 44 92 6D 52 67 06 DB AC 5B 8E 99 99 4A B6 36 0F 0E 62 92 3E B5 9B F3

write
+6547ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6547ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Name: SessionHash
Value: 5A 8D 97 1E B9 63 62 04 AA 64 7B 2D EB 9B 0B 83 F7 C5 10 98 20 C4 A0 1C 36 30 9E F7 62 ED 0E 09

write
+6547ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Name: Sequence
Value: 1

write
+6562ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-001B-0407-0000-0000000FF1CE}-C\WordMUI.xml

write
+6562ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0017
Name: RegFilesHash
Value: FA 4D 08 F6 A1 FF 22 FB 16 AE 86 D3 65 87 2A 88 61 2A 4B F5 8E 6C 0C 08 B1 9F 19 0F 53 8D 4D 6F

write
+6625ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6625ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Name: SessionHash
Value: B2 4D C6 35 F5 55 28 AE 93 87 72 C4 A2 54 15 4D CB C7 9C 38 09 FB EA A4 DD 6A CF 87 E0 68 6A 27

write
+6625ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Name: Sequence
Value: 1

write
+6625ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0044-041F-0000-0000000FF1CE}-C\InfoPathMUI.xml

write
+6625ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0023
Name: RegFilesHash
Value: 82 98 62 92 D8 84 1E 9B 59 1C 0E 4A 24 7A 8B 6E 73 3A D7 66 C9 3F 5E 85 72 35 66 C9 8C 3C CA 1F

write
+6687ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6687ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Name: SessionHash
Value: 21 7B 1E F6 E3 8F 6E B4 55 A4 4A A9 85 07 29 E9 70 2F 0D 00 B5 13 BB AE 63 ED 6B 04 03 F0 63 97

write
+6687ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Name: Sequence
Value: 1

write
+6687ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0044-0419-0000-0000000FF1CE}-C\InfoPathMUI.xml

write
+6687ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0029
Name: RegFilesHash
Value: A3 15 0D 22 3B 75 6A B7 08 E8 AB E1 D7 BF 56 38 64 A5 B2 76 6C 7A C5 CD 25 11 88 1D 32 5A 20 56

write
+6750ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6750ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Name: SessionHash
Value: C5 1C 55 73 F8 78 B0 F3 DB 2C C9 84 BE F8 BE B1 50 86 67 F8 E2 10 D1 42 35 67 45 98 C9 DA 70 BE

write
+6750ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Name: Sequence
Value: 1

write
+6750ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0044-0416-0000-0000000FF1CE}-C\InfoPathMUI.xml

write
+6750ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0034
Name: RegFilesHash
Value: 34 58 6A C5 D4 77 FE FE A4 2F A5 5D 52 5B FA 4D D2 7C 2D 3C 11 D2 04 31 3C 82 69 5E 9D 6C 63 5D

write
+6781ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6781ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Name: SessionHash
Value: B7 ED F1 BE 23 E7 2C 5A DA F0 F3 76 67 F0 AD 0F A1 6C 03 72 DA 7B 90 A0 D0 8F 51 94 3F F6 B1 B9

write
+6781ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Name: Sequence
Value: 1

write
+6781ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-001A-0419-0000-0000000FF1CE}-C\OutlookMUI.xml

write
+6797ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0039
Name: RegFilesHash
Value: AD 0F 89 3F 64 A5 E2 5D AC BE 5B 12 EE 46 80 E7 31 CC 60 BE FF 74 EA E6 44 5C B5 B7 7F 85 32 6C

write
+6828ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6828ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Name: SessionHash
Value: 3B 6D 52 69 C5 8D 3C ED 50 09 F6 91 A1 DB 3C 1B 29 D4 9D 4B 22 9D 59 97 72 7F 13 7C A7 68 3E 19

write
+6844ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Name: Sequence
Value: 1

write
+6844ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0044-0410-0000-0000000FF1CE}-C\Setup.xml

write
+6844ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0044
Name: RegFilesHash
Value: 3D F7 8B C8 8D 71 FD 12 19 56 9E 14 77 08 FC B8 A5 84 0E 21 7E BF 24 BE 87 68 7A FB BE 54 14 9C

write
+6891ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0049
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6891ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0049
Name: SessionHash
Value: 02 87 C2 D7 C2 B3 E4 4C 71 69 EF 3E 55 2F A8 4E 0C 9A 04 58 51 C3 04 5B D7 5D 41 F4 DE 84 75 FC

write
+6891ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0049
Name: Sequence
Value: 1

write
+6891ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0049
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0017-041F-0000-0000000FF1CE}-C\Setup.xml

write
+6891ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0049
Name: RegFilesHash
Value: C9 37 04 96 23 CF EF 2F 8B AC 95 8D 72 B4 2C BA 36 D5 21 65 13 BB 9F 88 B7 6B A8 45 51 EE D9 32

delete value
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: RegFilesHash
Value: D4 2B 25 A0 85 5B 75 C1 2E DA AA 5F CA C0 28 12 FF D2 37 4D 0A F0 06 0E 90 6E FD 0E A1 8F 2C 31

delete value
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-001B-040C-0000-0000000FF1CE}-C\Setup.xml

delete value
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: Sequence
Value: 1

delete value
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: SessionHash
Value: D4 6F 33 D5 57 63 03 78 74 DB F5 68 8C 17 F0 59 43 35 D9 2C 51 5D FF B5 DF DF EA 71 CE 0B 8D 05

delete value
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: Owner
Value: 68 0A 00 00 8B 91 DC C3 DD 45 D7 01

write
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: SessionHash
Value: 50 E2 C5 12 D5 83 FD B5 4F 99 56 8C 40 C2 7C F6 51 74 86 CE 62 97 8F 93 F4 BD C7 4C 63 EF EB C8

write
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: Sequence
Value: 1

write
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0044-0407-0000-0000000FF1CE}-C\InfoPathMUI.xml

write
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: RegFilesHash
Value: A7 9B CA AA DC 01 9C FE E5 99 67 50 3E 10 5B 5E FF ED 7A 8E FC AA 0C 7C 0B 14 24 C1 38 48 92 6F
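The registry log above records each Restart Manager session as an Owner value, a SessionHash, a Sequence and the RegFiles entries naming the files the session registers. The following Python is an added example, not part of the original analysis: it parses a constructed excerpt of that log (values copied from the entries above) and decodes the 12-byte Owner value as a little-endian PID followed by a FILETIME. The PID reading is confirmed by the page itself, since F4 08 00 00 is 2292, the PID named in the text; reading the remaining 8 bytes as a FILETIME is an assumption.

```python
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout of the sandbox registry log quoted above
# (operation, +offset, Key, Name, Value); the values are copied from that log.
SAMPLE_LOG = r"""
write
+6437ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: Owner
Value: F4 08 00 00 23 08 D3 C3 DD 45 D7 01

write
+6453ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
Name: RegFiles0000
Value: C:\MSOCache\All Users{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml

delete value
+6969ms
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0010
Name: Owner
Value: 68 0A 00 00 8B 91 DC C3 DD 45 D7 01
"""

RECORD_RE = re.compile(
    r"(?P<op>write|delete value)\n\+(?P<ms>\d+)ms\n"
    r"Key: (?P<key>.+)\nName: (?P<name>.+)\nValue: (?P<value>.*)"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_records(log):
    """One dict per logged operation; 'session' is the last key component."""
    records = []
    for block in log.strip().split("\n\n"):
        m = RECORD_RE.fullmatch(block.strip())
        if m is None:
            continue  # tolerate stray lines in a hand-copied log
        rec = m.groupdict()
        rec["ms"] = int(rec["ms"])
        rec["session"] = rec["key"].rsplit("\\", 1)[-1]
        records.append(rec)
    return records


def decode_owner(hex_value):
    """Owner = little-endian DWORD PID (confirmed: 0x08F4 == 2292, the PID the
    write-up names) + 8 bytes read here as a FILETIME (assumption)."""
    pid, filetime = struct.unpack("<IQ", bytes.fromhex(hex_value.replace(" ", "")))
    return pid, FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def summarize(log):
    """Per Restart Manager session: owner (PID, time) and the files it registered.
    Deletions are skipped: they tear down an earlier session under the same key."""
    sessions = defaultdict(lambda: {"owner": None, "files": []})
    for rec in parse_records(log):
        if rec["op"] != "write":
            continue
        entry = sessions[rec["session"]]
        if rec["name"] == "Owner":
            entry["owner"] = decode_owner(rec["value"])
        elif rec["name"].startswith("RegFiles") and rec["name"] != "RegFilesHash":
            entry["files"].append(rec["value"])
    return dict(sessions)


if __name__ == "__main__":
    for session, info in sorted(summarize(SAMPLE_LOG).items()):
        print(session, info["owner"], info["files"])
```

Run against the full log above, the summary lists every Office file registered per session, and the second Owner value (68 0A 00 00 ...) decodes to PID 2664, showing that a different process owned the Session0010 key that the payload deleted and rewrote.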


After modifying the registry values, the application encrypted all Word and setup files, as shown in the screenshot below, and dropped the ransom note.

[Screenshot: encrypted Word and setup files alongside the dropped ransom note]

The payload spawned several further processes to encrypt files with the extensions found in the binary strings discussed above. The payload uses the following command line to encrypt files:

C:\Users\admin\AppData\Local\Temp\tgytutrc7972.exe -i SM-tgytutrc -s
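The command lines quoted in this write-up (the cmd.exe move that renames the dropped executable inside %TEMP%, the net user call launched from it, and the -i SM-tgytutrc -s worker spawn) can be turned into simple process-creation detections. The Python below is an added example, not part of the original analysis; it runs those three rules over constructed process-creation records whose field names (image, command_line, parent_image) are assumed rather than taken from any particular logging product.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names assumed, not a product schema)."""
    image: str
    command_line: str
    parent_image: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd.exe /c move /y <src> <dst>: the self-renaming step quoted in the write-up
MOVE_RE = re.compile(r'^"?(?:\S*\\)?cmd\.exe"?\s+/c\s+move\s+/y\s+(\S+)\s+(\S+)', re.IGNORECASE)
# net user <account> <value>: two positional arguments set a password; a bare
# "net user <account>" only queries the account and must not fire
NET_USER_RE = re.compile(r'^"?(?:\S*\\)?net1?\.exe"?\s+user\s+(\S+)\s+(\S+)\s*$', re.IGNORECASE)
# worker processes launched as "<payload> -i SM-<name> -s"
WORKER_RE = re.compile(r"\s-i\s+SM-\S+\s+-s\b", re.IGNORECASE)


def classify(ev):
    """Return the suspicious traits found in one process-creation event."""
    findings = []
    m = MOVE_RE.match(ev.command_line)
    if (m and TEMP_DIR.search(m.group(1)) and TEMP_DIR.search(m.group(2))
            and m.group(2).lower().endswith(".exe")):
        findings.append("cmd.exe renames an executable inside %TEMP%")
    m = NET_USER_RE.match(ev.command_line)
    if m and TEMP_DIR.search(ev.parent_image):
        findings.append(f"net user password change for '{m.group(1)}' by a %TEMP% process")
    if WORKER_RE.search(ev.command_line) and TEMP_DIR.search(ev.image):
        findings.append("worker spawn with -i SM-<name> -s from %TEMP%")
    return findings


def scan(events):
    """(index, findings) for every event that triggered at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            flagged.append((i, findings))
    return flagged


PAYLOAD = r"C:\Users\admin\AppData\Local\Temp\tgytutrc7972.exe"
DROPPER = (r"C:\Users\admin\AppData\Local\Temp"
           r"\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe")

# Constructed events: the first three carry the command lines quoted in this
# write-up, the last two are benign look-alikes that must not match.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\system32\cmd.exe",
                 rf"C:\Windows\system32\cmd.exe /c move /y {DROPPER} {PAYLOAD}", DROPPER),
    ProcessEvent(r"C:\Windows\system32\net.exe",
                 r"C:\Windows\system32\net.exe user admin HuHuHUHoHo283283@dJD", PAYLOAD),
    ProcessEvent(PAYLOAD, rf"{PAYLOAD} -i SM-tgytutrc -s", PAYLOAD),
    ProcessEvent(r"C:\Windows\system32\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c move /y C:\Users\admin\Documents\a.docx "
                 r"C:\Users\admin\Documents\old\a.docx", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\system32\net.exe", r"C:\Windows\system32\net.exe user admin",
                 r"C:\Windows\system32\cmd.exe"),
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i].image, findings)
```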

LockerGoga Ransom Note:

Along with encrypting the files, LockerGoga dropped a ransom note containing instructions for paying the ransom and the email addresses of the attackers.

[Screenshot: LockerGoga ransom note README_LOCKED.txt]

Both email addresses shown in the ransom note were also found in the binary's strings.

[Screenshot: the attackers' email addresses in the binary's strings]

How Does LockerGoga Evade Analysis?

LockerGoga uses a GetTickCount-based anti-debugging technique. The instruction at 00016f88 calls kernel32.GetTickCount and pushes the returned value on the stack. It then makes the same call again, subtracts the new value from the one obtained previously and tests whether the difference is zero, looping until it is; on every iteration the value of kernel32.GetTickCount is pushed on the stack again. IsDebuggerPresent, called at 0004425a, lets the malware know whether it is running under a debugger, while GetProcAddress at 00043b62 is used to hide API calls (resolving them at run time rather than through the import table). The VM-detection artifact known as the "CPUID trick" was also found in the payload.

Our Debugger Results

We started LockerGoga in a debugger. The entry breakpoint was set and the application reached the system breakpoint after loading several DLL files. Before the debugger stopped, the application attempted to jump to SetSecurityDescriptorDacl, exported at ordinal 1745 of advapi32.dll, which shows that the first thing LockerGoga attempts is privilege escalation; because of its anti-debugging techniques, however, the application reached the system breakpoint without executing any further function.

Initializing wait objects...
Initializing debugger...
Initializing debugger functions...
Setting JSON memory management functions...
Initializing Zydis...
Getting directory information...
Start file read thread...
Retrieving syscall indices...
Symbol Path: C:\Users\Lenovo\x64dbg\release\x32\symbols
Allocating message stack...
Initializing global script variables...
Registering debugger commands...
Registering GUI command handler...
Registering expression functions...
Registering format functions...
Registering Script DLL command handler...
Starting command loop...
Initialization successful!
Loading plugins...
Handling command line...
"C:\Users\Lenovo\x64dbg\release\x32\x32dbg.exe" "" "" ""
File does not exist!
Syscall indices loaded!
Error codes database loaded!
Exception codes database loaded!
NTSTATUS codes database loaded!
Windows constant database loaded!
Reading notes file...
File read thread finished!
Debugging: C:\Users\Lenovo\Downloads\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
Database file: C:\Users\Lenovo\x64dbg\release\x32\db\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.dd32
Loading commandline...
Loading database from C:\Users\Lenovo\x64dbg\release\x32\db\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.dd32 16ms
Process Started: 00280000 C:\Users\Lenovo\Downloads\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
"C:\Users\Lenovo\Downloads\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15"
argv[0]: C:\Users\Lenovo\Downloads\c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
Skipping unsupported debug type IMAGE_DEBUG_TYPE_POGO in module c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15...
Did not find any supported debug types in module c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15!
Breakpoint at 0031D54B (entry breakpoint) set!
DLL Loaded: 77250000 C:\WINDOWS\SysWOW64\ntdll.dll
DLL Loaded: 76AF0000 C:\WINDOWS\SysWOW64\kernel32.dll
DLL Loaded: 768D0000 C:\WINDOWS\SysWOW64\KernelBase.dll
DLL Loaded: 74A20000 C:\WINDOWS\SysWOW64\apphelp.dll
DLL Loaded: 75EE0000 C:\WINDOWS\SysWOW64\shlwapi.dll
DLL Loaded: 76FE0000 C:\WINDOWS\SysWOW64\msvcrt.dll
Thread 450 created, Entry: ntdll.772A0D90
Thread 2804 created, Entry: ntdll.772A0D90
DLL Loaded: 75110000 C:\WINDOWS\SysWOW64\shell32.dll
Thread 28C0 created, Entry: ntdll.772A0D90
DLL Loaded: 75E60000 C:\WINDOWS\SysWOW64\msvcp_win.dll
DLL Loaded: 76D80000 C:\WINDOWS\SysWOW64\ucrtbase.dll
DLL Loaded: 73E10000 C:\WINDOWS\SysWOW64\IPHLPAPI.DLL
DLL Loaded: 74310000 C:\WINDOWS\SysWOW64\netapi32.dll
DLL Loaded: 76BE0000 C:\WINDOWS\SysWOW64\user32.dll
DLL Loaded: 76130000 C:\WINDOWS\SysWOW64\win32u.dll
DLL Loaded: 70B20000 C:\WINDOWS\SysWOW64\secur32.dll
DLL Loaded: 75A60000 C:\WINDOWS\SysWOW64\gdi32.dll
DLL Loaded: 76710000 C:\WINDOWS\SysWOW64\gdi32full.dll
DLL Loaded: 75840000 C:\WINDOWS\SysWOW64\ole32.dll
DLL Loaded: 76F20000 C:\WINDOWS\SysWOW64\rpcrt4.dll
DLL Loaded: 75B70000 C:\WINDOWS\SysWOW64\combase.dll
DLL Loaded: 76690000 C:\WINDOWS\SysWOW64\advapi32.dll
DLL Loaded: 767F0000 C:\WINDOWS\SysWOW64\sechost.dll
DLL Loaded: 770E0000 C:\WINDOWS\SysWOW64\ws2_32.dll
DLL Loaded: 70B00000 C:\WINDOWS\SysWOW64\samcli.dll
DLL Loaded: 742F0000 C:\WINDOWS\SysWOW64\netutils.dll
DLL Loaded: 6FBC0000 C:\WINDOWS\SysWOW64\sspicli.dll
System breakpoint reached!

Final Remarks

Our analysis shows that LockerGoga is ransomware which, once installed, tries to encrypt files on the hard drive and on any other local backup storage. Windows Defender identified the ransomware and raised an alert when the file was downloaded, and VirusTotal also flagged LockerGoga as malicious.

Based on our findings, we recommend that users avoid downloading and installing files from unknown sources, keep Windows up to date with its security patches, and keep Windows Defender turned on to strengthen system security. Users should also back up their files to remote storage, but should avoid syncing that storage automatically, because many newer ransomware families can encrypt files on remote storage as well. In addition, backups on local storage should be avoided at any cost.

Victims of LockerGoga or any other ransomware should first remove the ransomware with a reliable malware removal tool. Users can also remove the malware's registry entries under the registry keys indicated in this write-up. Once the ransomware has been removed from the system, users can try to recover their files from the remote backup. Some data recovery tools can also be used to recover the original versions of encrypted files.

Users should remember that LockerGoga can re-execute itself from copies of the original ransomware files kept on USB drives or on the network. USB drives should therefore be scanned before they are opened, and network security across all connected PCs should be ensured.


Adeel is a Chartered IT Professional, Registered Scientist with Science Council UK, Mile2 Certified Incident Handling Engineer, IBM Certified Enterprise Design Thinking Co-Creator and BCG Certified Strategy Consultant with 15 years experience in compliance, data protection, SOC 2 and ISO 27001 Controls Implementation, incident handling, secure software development, establishing and managing security operations center, purple teaming, reverse engineering, malware analysis, penetration testing, innovation, design thinking, ideating solutions, process improvement, data analytics and project management.

Very detailed write-up! Awesome work

1 Like

good one, I hope most of the ransomware is working in the same pattern

1 Like

This was very insightful, Thanks for this!

1 Like

What a great job they did

1 Like

Hey @ajaviad! Thank you for this awesome blog! Very interesting and informative! Congratulations!

1 Like

Nice walkthrough of the process of analyzing the strain. Even if it's an older one, the steps you go through should still apply when doing other and newer types of malware and ransomware analysis.

1 Like

Awesome and very detailed write-up! I love to see the deconstruction of such malware :slight_smile: thanks for sharing!

1 Like

great write up… super detail… keep it up

1 Like

This is brilliant! keep up the good work :grinning:

1 Like

Great info , keep this docs coming

1 Like

well written - thanks!

1 Like

That's one heck of a detailed analysis, Adeel. Great job!

1 Like

Cool insights and well detail write up I must say. Keep up the good work!

1 Like

Brilliant technical and detailed write out, its insightful with many great analysis, thanks for the time and efforts put into this.

1 Like

Continuous employee training on phishing emails
Make sure all endpoints are installed with EDR
All devices are patched with latest patches.

Great understanding :slight_smile:

Great detailed analysis! Thanks for the share Adeel!

Very detailed! Great job!

Great explanation! Thank you!