---

SafeBreach Labs added new LockerGoga simulations to its Hacker’s Playbook™ on 3/21/2019. LockerGoga is currently among the most active and serious instances of ransomware. It was discovered after successful attacks were launched against several European utilities, resulting in a shutdown of France’s Altran Technologies network and applications and Norsk Hydro’s connectivity losses that resulted in production plant stoppages.

LockerGoga works by changing user account passwords and logging users off the infected system. It then relocates to a temp folder and renames itself via the command line (cmd). Next, it then enumerates the Wi-Fi and/or Ethernet network adapters and disables them through the CreateProcessWfunction command (_netsh.exe interface set interface DISABLE_) to isolate the system from any network.

The SafeBreach Breach and Attack Simulation Platform has been updated to test customer defenses against the following known LockerGoga’s techniques:

Playbook #2229 – Write LockerGoga malware to disk (WINDOWS) (Host-Level):

• Endpoint Controls – Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook #2230 – Transfer of LockerGoga malware over HTTP/S (Lateral Movement)

• Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2231 – Transfer of LockerGoga malware over HTTP/S (Infiltration)

• Network Controls – Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2232 – Email LockerGoga malware as a ZIP attachment (Lateral Movement)

• Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2233 – Email LockerGoga malware as a ZIP attachment (Infiltration)

• Email Controls – Are security controls in place to scan and identify email for the malicious payloads used in this attack?