{"id":87853,"date":"2019-07-03T12:48:00","date_gmt":"2019-07-03T07:18:00","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87853"},"modified":"2019-07-03T12:55:44","modified_gmt":"2019-07-03T07:25:44","slug":"ransomware-tool-lockergoga","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/ransomware-tool-lockergoga\/","title":{"rendered":"Ransomware As A Tool – LockerGoga"},"content":{"rendered":"

Ransomware authors keep experimenting with the development of payload in various dimensions. In the timeline of ransomware implementations, we have seen its evolution from a simple screen locker to multi-component model for file encryption, from novice approach to a sophisticated one. The Ransomware as a Tool has evolved in wild and one of them has been received in the Quick Heal lab. This sample is identified as LockerGoga<\/i><\/b><\/em><\/strong>\u00a0and it is unique as it acts as a tool giving various options for performing encryption.<\/p>\n

Like any standard command-line tool, LockerGoga Ransomware shows help information for reference. On execution with parameter -h, it shows options like \u201c-v\u201d for the print version of LockerGoga and \u201c-m\u201d [Email ID as an argument] parameter to specify email id of the attacker for payment, in case victim wants to decrypt encrypted files. The same email id is mentioned in ransom note to contact for price of decrypter.<\/p>\n

\"\"
Fig. 1: Command Line Options<\/figcaption><\/figure>\n

LockerGoga uses Boost library for parsing command line arguments.<\/p>\n

\"\"
Fig. 2: Implemented in Boost Library<\/figcaption><\/figure>\n

Last option in the command line tool \u201c-p\u201d allows to select the process in which malicious code needs to inject; if process name is not provided, then by default it will inject code into \u201cwinlogon.exe\u201c.<\/p>\n

The received sample contains four executable components inside it, such as<\/p>\n

    \n
  1. encrypt32.dll<\/li>\n
  2. encrypt64.dll<\/li>\n
  3. {random_name}.exe (32 bit)<\/li>\n
  4. {random_name}.exe (64 bit)<\/li>\n<\/ol>\n

    Upon execution, the malware drops dll component according to system architecture as mentioned above, at location %AppData%\/Local\/Temp<\/p>\n

    Then it will inject the shell code and RSA Public Key of 1024 bit to the process \u201cwinlogon.exe\u201d or in the process specified as an argument. The injected shell code is used to load dropped encrypt**.dll with the help of ldrloaddll.<\/p>\n

    The encrypt**.dll has an export function \u201cencryptStart\u201d. This function contains code used to enumerate all drives and folders to generate a list of files present in it. All files list is stored in file C:\\cl.log.<\/p>\n

    \"\"
    Fig. 3: Content of cl.log<\/figcaption><\/figure>\n

    For every single file listed in C:\\cl.log, it drops an executable file with {random name}.exe in %AppData%\/Local\/Temp or C:\\Windows\\Temp depending upon 64 or 32 bit architecture of the system and invoke that {random_named}.exe in a loop with -k{public key} {file_path(i.e. file to be encryp)} as the command line argument.<\/p>\n

    Unique thing about LockerGoga Ransomware is that for every single file, it creates a new process, encrypts that file and terminates that process. By this technique, it might evade anti-ransomware product.\u00a0While encryption happens, it consumes most of the CPU resources almost up to 90%.<\/p>\n

    \"\"
    Fig. 4: Encryption of files listed in C:\\cl.log<\/figcaption><\/figure>\n

    After finishing the encryption of each file, it writes file name in C:\\cl.log.<\/p>\n

    Encryption Process:<\/b><\/strong><\/p>\n

    It uses two encryption algorithms, AES-128bit for file content encryption and RSA-1024 bit to encrypt AES key used for file content encryption.<\/p>\n

    Generation of AES Key:<\/b><\/strong><\/p>\n

    \u00a0<\/b><\/strong>Initially, it used \u201cCryptGenRandom\u201d API to generate the random seed of 32(20h) bytes. Then it used another 32(20h) byte from resource section to make a key stack of 40h byte, which was used for generating AES key.<\/p>\n

    Along with Boost library, LockerGoga Implements Crypto++ Library for encryption process which makes reversing the sample very difficult.<\/p>\n

    \"\"
    Fig. 5: Random seed from Crypt Random<\/figcaption><\/figure>\n
    \"\"
    Fig. 6: Generation of AES Key<\/figcaption><\/figure>\n

    Implementation of Crypto++ library enables AES new instruction set (AES-NI) which were introduced by Intel in 2009.<\/p>\n

    AESKEYGENASSIST and AESENC instruction are used to implement AES encryption,<\/p>\n

    AESKEYGENASSIST is used for round key expansion and AESENC is used to perform one round encryption of AES.<\/p>\n

    \"\"<\/p>\n

    \"\"
    Fig 7: AES-NI instructions<\/figcaption><\/figure>\n

    After all above operations, it generates 32-byte data from which 16 bytes are used as Key and other 16 bytes as an Initialization Vector (IV).<\/p>\n

    \"\"
    Fig 8: AES Key and IV layout<\/figcaption><\/figure>\n

    Malware changes file extension to .locked before encrypting it.<\/p>\n

    \"\"<\/p>\n

    \"\"<\/p>\n

    \"\"
    Fig. 9: File Rename to .locked<\/figcaption><\/figure>\n

    The public key used in the encryption is in PEM format<\/p>\n

    \"\"
    Fig. 10: Public key used in this variant<\/figcaption><\/figure>\n

    Convert them into Microsoft Blob format shown below.<\/p>\n

    \"\"
    Fig 11: Public key in MS BLOB Format<\/figcaption><\/figure>\n
    \"\"
    Fig 12: AES Key and IV encrypted with RSA Public Key<\/figcaption><\/figure>\n

    Along with Key (10h), IV (10h) and 8h bytes used as file size (i.e. file to be encrypted) are encrypted by RSA-1024 bit with \u2018MGF1 (SHA-1)\u2019 (i.e. mask generation function for the OAEP padding scheme) and appended to the end of the file.<\/p>\n

    \"\"
    Fig 13: File Content Encrypted with AES Key and IV<\/figcaption><\/figure>\n

    After that it encrypts the file content with AES key and IV in CTR mode with a key length of 128 bits.<\/p>\n

    Conclusion:<\/b><\/strong><\/p>\n

    LockerGoga has shown a unique and rare mechanism for encrypting files by creating one master and multiple slave process.<\/p>\n

    Key features:<\/b><\/strong><\/p>\n

    Use Boost Library for handling complex mathematical computation.<\/p>\n

    Instead of using Microsoft Crypto API for encryption, implemented the Crypto++ library (Boost Software License)<\/p>\n

    IoCs:<\/b><\/strong><\/p>\n

    1E8A6AABF4ADF3AE1890A4C8A2CFF276 – LockerGoga<\/p>\n

    91976DBD489FEAE2D8719545C8DE304A- encrypt32.dll<\/p>\n

    174E3D9C7B0380DD7576187C715C4681-encrypt64.dll<\/p>\n

    E9E6EBC6A0D5183FC8E66472B3419F1E-{random_name}.exe-64 bit<\/p>\n

    A52F26575556D3C4ECCD3B51265CB4E6 – {random_name}.exe-32 bit<\/p>\n

    Subject Matter Expert:<\/b><\/strong><\/p>\n

    Goutam Tripathy,\u00a0Rahul Sharma,\u00a0Manisha Prajapati\u00a0| Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

    Ransomware authors keep experimenting with the development of payload in various dimensions. In the timeline of ransomware implementations, we have seen its evolution from a simple screen locker to multi-component model for file encryption, from novice approach to a sophisticated one. The Ransomware as a Tool has evolved in wild and one of them has […]<\/p>\n","protected":false},"author":51,"featured_media":87872,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1653,285,164,24,75,910,1210],"tags":[22,50,47],"class_list":["post-87853","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-antivirus","category-applications","category-cyber-crime","category-malware","category-microsoft-windows","category-ransomware","category-threat-report-2","tag-email-malware","tag-ransomware","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87853"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87853"}],"version-history":[{"count":2,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87853\/revisions"}],"predecessor-version":[{"id":87874,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87853\/revisions\/87874"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87872"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}