Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries
The actors behind the two ransomware families have been found using stolen login credentials, SQL injection, phishing and several other techniques to gain entry into corporate networks.
The FBI has issued an alert warning enterprises about the LockerGoga and MegaCortex ransomware, which are targeting large organisations and businesses in Western countries.
"Since January 2019, LockerGoga ransomware has targeted large corporations and organisations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga," the FBI said in a Flash Alert, according to BleepingComputer.
According to the FBI's alert, the actors behind the two ransomware families use a variety of tools and techniques, such as stolen login credentials, SQL injection, phishing and exploits, to gain entry into a corporate network.
Once it has infiltrated a machine, the malware installs the penetration-testing tool Cobalt Strike, which lets the attackers deploy "beacons", create shells, run PowerShell scripts and escalate privileges on other machines on the network.
For the next few days or months, the attackers carry out a series of malicious activities on the network, including exfiltrating data to their command and control servers, deploying trojans, and compromising more servers and workstations.
Once they find valuable data on the network, they start deploying the MegaCortex or LockerGoga ransomware to encrypt the devices. While doing so, they also run a stop.bat or kill.bat batch file that disables or terminates all security-related services on the system or network.
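As an added, defender-side illustration (not from the FBI alert or BleepingComputer's reporting): a small detector that flags the stop.bat/kill.bat pattern described above in process-creation telemetry, alerting only when a batch file with one of those names spawns several service-stop or kill commands aimed at security software. The record format, the regexes, the keyword watch list and the sample events are all constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Batch-file names from the alert (constructed regex, not an IoC list).
BATCH_RE = re.compile(r"\b(?:stop|kill)\.bat\b", re.IGNORECASE)
# Commands that stop, reconfigure or kill a service or process.
SERVICE_STOP_RE = re.compile(
    r"^(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config|delete)|taskkill(?:\.exe)?)\b",
    re.IGNORECASE,
)
# Constructed watch list: substrings that identify security-related services/processes.
SECURITY_KEYWORDS = ("defend", "antivirus", "msmpeng", "sophos", "savservice", "mcafee", "symantec")

# Constructed Sysmon-style process-creation records (one JSON object per line).
SAMPLE_EVENTS = r"""
{"ts":"2019-12-01T02:10:05Z","host":"ws-17","parent_cmd":"cmd.exe /c C:\\temp\\kill.bat","cmd":"net stop \"SAVService\" /y"}
{"ts":"2019-12-01T02:10:05Z","host":"ws-17","parent_cmd":"cmd.exe /c C:\\temp\\kill.bat","cmd":"sc config WinDefend start= disabled"}
{"ts":"2019-12-01T02:10:06Z","host":"ws-17","parent_cmd":"cmd.exe /c C:\\temp\\kill.bat","cmd":"taskkill /f /im MsMpEng.exe"}
{"ts":"2019-12-01T02:10:06Z","host":"ws-17","parent_cmd":"cmd.exe /c C:\\temp\\kill.bat","cmd":"net stop spooler /y"}
{"ts":"2019-12-01T02:10:07Z","host":"ws-17","parent_cmd":"cmd.exe /c C:\\temp\\kill.bat","cmd":"net stop \"Sophos AutoUpdate Service\" /y"}
{"ts":"2019-12-01T03:00:00Z","host":"srv-02","parent_cmd":"cmd.exe /c C:\\Scripts\\backup.bat","cmd":"net stop \"SQL Server (MSSQLSERVER)\" /y"}
{"ts":"2019-12-01T03:05:00Z","host":"srv-02","parent_cmd":"cmd.exe /c C:\\ProgramData\\stop.bat","cmd":"net stop \"McAfee Framework Service\" /y"}
"""


def is_security_target(cmd):
    """True when the command names a security-related service or process."""
    low = cmd.lower()
    return any(k in low for k in SECURITY_KEYWORDS)


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_kill_batch(events, threshold=3):
    """Return (host, batch_name, count) for every host where a stop.bat/kill.bat
    parent spawned at least `threshold` stop/kill commands aimed at security
    software. A 'net stop' from any other script (e.g. a backup job) is ignored."""
    hits = defaultdict(list)
    for ev in events:
        m = BATCH_RE.search(ev.get("parent_cmd", ""))
        cmd = ev.get("cmd", "")
        if m and SERVICE_STOP_RE.match(cmd) and is_security_target(cmd):
            hits[(ev["host"], m.group(0).lower())].append(cmd)
    return [(h, b, len(c)) for (h, b), c in hits.items() if len(c) >= threshold]


if __name__ == "__main__":
    for host, batch, n in detect_kill_batch(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {host}: {batch} issued {n} stop/kill commands against security services")
```

With the default threshold only the ws-17 burst is reported; the single McAfee stop on srv-02 and the SQL stop from backup.bat are not.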
In March, the Norway-based aluminium manufacturer Norsk Hydro was hit by LockerGoga ransomware, affecting the entire global organisation and causing a loss of between $30m and $40m for the company.
In August, Accenture iDefense researchers described campaigns that used MegaCortex v.2 and left ransom demands worth millions of dollars.
At this time there is no known way to decrypt or unlock files and systems encrypted by LockerGoga and MegaCortex ransomware.
To mitigate the threat posed by these two ransomware families, the FBI advises enterprises to back up their data regularly (especially to offline backups) and to verify the integrity of their backup process.
According to the FBI, a working backup enables organisations to restore their data without needing to pay a ransom to cyber criminals.
Enterprises must also ensure that all installed software and operating systems on their network are updated and free of vulnerabilities.
Using strong passwords and two-factor authentication can also help an organisation thwart attackers attempting phishing attacks or using stolen credentials to gain entry into the network.