The Ransomware Race

Ransomware attacks are common reality. However, the recent variants of LockerGoga ransomware have made it to the headlines with massive attacks on industrial environments, most prominent of which was Norsk Hydro, with production downtime and estimated losses of approximately $40,000,000 in damages.

Cynet  vs. LockerGoga – Full Protection

As soon as we have learned about the attack, CyOps, Cynet’s team of 24/7 analysts and threat researchers, began searching throughout our install base, and indeed we found out that several instances of different LockerGoga variants attempted to run but were blocked and terminated by Cynet.

Investigation Findings Overview

While investigating LockerGoga, we witnessed a few advanced characteristics that indicate this ransomware is a work in progress, meaning it is going to be improved.

The efficiency of LockerGoga’s latest variant contains:

  1.       Ability to move around the network using Server Message Block (SMB) protocol.
  2.       Dry Run feature – running and gathering information without encrypting files.
  3.       Single file encryption – the ability to encrypt a targeted single file.
  4.       Super-fast encryption – using child processes and chunk-based encryption for large files.
  5.       Digital certificate used in order to bypass security controls.

An additional feature investigated is the importation of WS2_32.dll. It is possible to allow network communication capabilities, including C2C communication.

This highlights again the importance of protection measures that aren’t tailored to a specific threat, but rather focused on identifying and obstructing the core operation that various malware families have in common.

Cynet Ransomware Protection – Chaining Behavioral Analysis and Deception

Cynet provides full protection against LockerGoga ransomware, utilizing its set of real-time memory behavior analysis engines and killing its related processes without having any impact. One of the mechanisms Cynet uses to block the ransomware is to deceive it with planted decoy files which, by default, are the first to be encrypted, luring the ransomware to reveal its true nature – and get terminated – without causing harm to real files.     

Watch the video of Cynet’s LockerGoga protection – first the video without Cynet:

 

Now let’s take a look again, this time with Cynet:

 

Learn more about the Cynet Breach Protection Platform here.

Sign up for a free Cynet trial here.