The Recent Widely Spreading Lockergoga Ransomware Infection Can Be Stopped by creating a Shortcut (LNKfile)


Lockergoga Ransomware

Lockergoga infection was first spotted in January 2019, the ransomware particularly targets on critical infrastructure.

The Lockergoga ransomware encrypts all the files in the system and appends .locked extension and leaves a ransom note in the desktop folder. It was written in C++ with the helper libraries such as Boost and Crypto++.

Now an Alert Logic researchers discovered a bug in the ransomware that halts the infection process in the initial reconnaissance stage itself.

Once the ransomware enters into the system it scans to gather file lists before it starts the encryption process.

At the time of scanning, it will come across the shortcut file(.lnk), if the shortcut file created with error, then the malware fails to handle it and get crash.

When it encounters a ‘.lnk’ file it will utilize the built-in shell32 / linkinfo DLLs to resolve the ‘.lnk’ path. However, if this ‘.lnk’ path has one of a series of errors then malware encounters an unhandled exception it is terminated by the operating system, reads Alert Logic blog post.

Read more…