FBI warns of LockerGoga and MegaCortex ransomware attacks
by Rick Kuwahara, COO of Paubox
The FBI is alerting private industry to the dangerous threat from LockerGoga and MegaCortex ransomware.
These infections compromise an organization’s network and then encrypt all its devices using malware. Attackers demand a large ransom payoff to decrypt the enterprise’s data.
According to Bleeping Computer, the FBI’s alert states, “Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands.”
What to expect during an attack
Attackers gain access to a network through exploits, phishing, SQL injection, and stolen login credentials. They also frequently use the Cobalt Strike penetration testing toolkit.
Once a network is compromised, the attackers usually linger on the network for months before deploying ransomware. While the attackers are in an organization’s network, they extract data, utilize information-stealing trojans, and ruin workstations and servers.
After anything of value has been taken from the network, the attackers begin encrypting devices on the network with the LockerGoga or MegaCortex ransomware. During the ransomware attack, a kill.bat or stop.bat batch file is executed that shuts down security programs and related services.
What to do to minimize risk
The FBI recommends that organizations have up-to-date backups, stored offline. This way all systems can be restored from these backups.
Additional guidance offered by the FBI includes the following:
- Prevent vulnerabilities from being exploited by keeping installed software and operating systems updated
- Make sure two-factor authentication is enabled, along with strong passwords, to counter phishing, stolen credentials, and other login weaknesses
- Audit logs for all remote connection protocols and the creation of new accounts
- Block access to open or listening ports on the network that do not need to be reachable
- Disable the SMBv1 protocol, as it contains numerous vulnerabilities
- Check Active Directory and administrator group changes for unauthorized users
- Use the most up-to-date version of PowerShell, enable logging, and monitor for unusual commands, especially Base64-encoded ones
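The last item, monitoring PowerShell logs for Base64-encoded commands, can be turned into a simple detection. The following is an added example, not part of the FBI alert or this post: it scans constructed process-creation log lines for PowerShell's `-EncodedCommand` switch (and its short forms) and decodes the payload, which PowerShell expects as Base64 over UTF-16LE text.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# followed by a Base64 token. Match the switch and capture the token.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)


def decode_powershell_b64(token: str):
    """Decode an -EncodedCommand payload: Base64 wrapping UTF-16LE text.
    Returns None when the token is not valid Base64 or not valid UTF-16LE."""
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log(lines):
    """Return (line_number, decoded_command) for every line that carries an
    encoded PowerShell command; lines without one are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ENCODED_FLAG.search(line)
        if not m:
            continue
        decoded = decode_powershell_b64(m.group(1))
        if decoded is not None:
            hits.append((n, decoded))
    return hits


def encode_for_sample(command: str) -> str:
    """Build a Base64/UTF-16LE token the same way PowerShell expects it (used
    here only to construct sample data)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample lines modelled loosely on process-creation events (not real data).
SAMPLE_LOG = [
    "4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "4688 NewProcessName=...\\powershell.exe CommandLine=powershell.exe -NoProfile -Command Get-Date",
    "4688 NewProcessName=...\\powershell.exe CommandLine=powershell.exe -nop -enc "
    + encode_for_sample("Get-Process | Out-File C:\\temp\\procs.txt"),
]

if __name__ == "__main__":
    for n, cmd in scan_log(SAMPLE_LOG):
        print(f"line {n}: encoded PowerShell decodes to: {cmd}")
```

An encoded command is not malicious by itself, so in practice the decoded text is what an analyst reviews; the value of this check is that it surfaces the plaintext instead of an opaque token.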
Unfortunately, every organization, from nonprofits to healthcare providers, municipalities, and large corporations, can fall victim to LockerGoga and MegaCortex ransomware.
As the FBI makes clear, organizations must put strong defenses in place, remain vigilant against attack, and maintain a strong email security strategy.