The FBI issued an alert to private industry on the threat for infections of both LockerGoga and MegaCortex. According to the FBI report, both ransomwares have been seen gaining their initial hold on target networks through the use of phishing attacks, SQL injection, stolen login credentials, and exploits. Prior to deploying either LockerGoga or MegaCortex, the group will install Cobalt Strike–a common security tool utilized by penetration testers, and then wait quietly inside their victims’ network for months before deploying either ransomware. According to the FBI report, once the attackers deploy either ransomware, they will execute a kill.bat or stop.bat batch file that terminates processes and services related to security programs, disables Windows Defender scanning features, and disable security-related services. The threat actors will also use a variety of LOLBins and legitimate software such as 7-Zip, PowerShell scripts, wmic, nslookup, adfind.exe, mstds.exe, Mimikatz, Ntsdutil.exe, and massscan.exe.
Analyst Notes
: Whenever defending against ransomware, one of the most important mitigation steps than can ever be taken is to regularly backup data and store those backups offline, which ensure the integrity of the backups. The FBI also suggest the following:
• Make sure all installed software and operating systems are kept updated. This helps to prevent vulnerabilities from being exploited by the attackers.
• Enable two-factor authentication and strong passwords to block phishing attacks, stolen credentials, or other login compromises.
• As publicly exposed remote desktop servers are a common way for attackers to first gain access to a network, businesses should audit logs for all remote connection protocols.
• Audit the creation of new accounts.
• Scan for open or listening ports on the network and block them from being accessible.
• Disable SMBv1 as numerous vulnerabilities and weaknesses exist in the protocol.
• Monitor the organization’s Active Directory and administrator group changes for unauthorized users.
• Use the most up-to-date PowerShell and uninstall any older versions.
• Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell.
It is important to note that this notice was originally released as TLP:Amber. TLP:Amber means that disclosure of the information is to be limited. This means that those who are sent TLP:Amber information from the FBI may share it within their own organization or with clients/customers who may be vulnerable as well. Bleeping Computer should not have shared this information publicly as they did. Anytime that specifics of exactly how a threat actor operates are shared too publicly, it can have a negative effect on the organization’s ability to detect that threat actor in the future. By publicly advising on what tool the operators behind LockerGoga and MegaCortex are using, it now encourages the attackers to change their tools to avoid detection. Cobalt Strike has a number of options when it comes to tools that it can use, if the attackers choose to change from utilizing wmic to winrm it would make detection much more difficult when the group moves laterally within a victim’s network. More information on what has been made public from this TLP:Amber report can be found at: https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/
