SafeBreach Labs added new LockerGoga simulations to its Hacker's Playbook™ on 3/21/2019. LockerGoga is currently among the most active and serious instances of ransomware. It was discovered after successful attacks were launched against several European utilities, resulting in a shutdown of France’s Altran Technologies network and applications and Norsk Hydro’s connectivity losses that resulted in production plant stoppages.
LockerGoga works by changing user account passwords and logging users off the infected system. It then relocates to a temp folder and renames itself via the command line (cmd). Next, it then enumerates the Wi-Fi and/or Ethernet network adapters and disables them through the CreateProcessWfunction command (netsh.exe interface set interface DISABLE) to isolate the system from any network.
The SafeBreach Breach and Attack Simulation Platform has been updated to test customer defenses against the following known LockerGoga’s techniques:
Playbook #2229 - Write LockerGoga malware to disk (WINDOWS) (Host-Level):
Playbook #2230 - Transfer of LockerGoga malware over HTTP/S (Lateral Movement)
Playbook #2231 - Transfer of LockerGoga malware over HTTP/S (Infiltration)
Playbook #2232 - Email LockerGoga malware as a ZIP attachment (Lateral Movement)
Playbook #2233 - Email LockerGoga malware as a ZIP attachment (Infiltration)