Coding Error Could Enable Users to Halt LockerGoga Ransomware


Users could potentially use a coding error in some variants of LockerGoga to halt the ransomware’s encryption routine in its tracks.

In its analysis of LockerGoga, Alert Logic Threat Research found that the ransomware performs an initial reconnaissance scan through which it collects file lists once it’s infected a machine. The malware may come in contact with a .lnk file over the course of this phase. If it does, it’ll attempt to use its hardcoded shell32 / linkinfo DLLs to resolve the ‘.lnk’ path.

This is all well and good for the threat if the .lnk file is properly formed. But if it contains errors, Alert Logic’s researchers found that the file will raise an exception which the ransomware can’t handle. As a result, the operating system will terminate the malware before it runs its encryption process, thereby effectively rendering it inert on the infected machine.

Researchers found that two conditions can render a .lnk file suitably malformed so as to incapacitate LockerGoga. First, the asset contains an invalid network path. Second, it has no associated RPC endpoint.

Alert Logic found that these files work best in the ‘Recent Items’ folder.

This discovery comes at a welcome time. Norsk Hydro, one of the world’s largest aluminum producers, revealed a week earlier how ransomware had disrupted parts of its production infrastructure. Reuters later learned from Norwegian National Security Authority (NNSA) that LockerGoga was responsible for this attack.

Norsk Hydro statement on a March 2019 ransomware attack

Creating a malformed .lnk file can help users protect themselves against LockerGoga. But as Alert Logic rightly explains in a blog post, by no means does this method offer comprehensive protection: