Users could potentially use a coding error in some variants of LockerGoga to halt the ransomware’s encryption routine in its tracks.
In its analysis of LockerGoga, Alert Logic Threat Research found that the ransomware performs an initial reconnaissance scan through which it collects file lists once it’s infected a machine. The malware may come in contact with a .lnk file over the course of this phase. If it does, it’ll attempt to use its hardcoded shell32 / linkinfo DLLs to resolve the ‘.lnk’ path.
This is all well and good for the threat if the .lnk file is properly formed. But if it contains errors, Alert Logic’s researchers found that the file will raise an exception which the ransomware can’t handle. As a result, the operating system will terminate the malware before it runs its encryption process, thereby effectively rendering it inert on the infected machine.
Researchers found that two conditions can render a .lnk file suitably malformed so as to incapacitate LockerGoga. First, the asset contains an invalid network path. Second, it has no associated RPC endpoint.
Alert Logic found that these files work best in the ‘Recent Items’ folder.
This discovery comes at a welcome time. Norsk Hydro, one of the world’s largest aluminum producers, revealed a week earlier how ransomware had disrupted parts of its production infrastructure. Reuters later learned from Norwegian National Security Authority (NNSA) that LockerGoga was responsible for this attack.
Creating a malformed .lnk file can help users protect themselves against LockerGoga. But as Alert Logic rightly explains in a blog post, by no means does this method offer comprehensive protection:
…If ransomware has become resident on your system then there is still some exploit or misconfiguration which attackers are using to deliver this payload—and it’s of the utmost importance that that entry point is identified and closed as soon as possible.
Security professionals should therefore use a patch management program to keep their operating system and other crucial software up to date. They should also use these additional ransomware prevention tips.