LockerGoga & MegaCortex Ransomware Attacks Lead to FBI Warning

by Patrick Kennedy | Jan 6, 2020

The FBI has released a TLP:Amber alert in response to a number of cyberattacks involving the ransomware strains LockerGoga and MegaCortex. The threat actors using these ransomware variants have been targeting large enterprises and organizations, and typically deploy the ransomware many months after a network has been compromised.

LockerGoga was first discovered in January 2019 and MegaCortex ransomware was first identified in May 2019. Both strains share similar indicators of compromise (IoCs) and C2 infrastructure, and both are used in highly targeted attacks on large corporate networks.

LockerGoga was used in the ransomware attacks on the U.S. chemical firms Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting firm Altran Technologies. MegaCortex ransomware was deployed in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, among others. The threat actors are meticulous and methodical, and try to cause maximum damage to increase the probability that victims will meet the ransom demands, which are often in the hundreds of thousands of dollars or more.

Initial compromise is achieved through a variety of methods, including the exploitation of unpatched vulnerabilities, phishing, SQL injection, brute-force attacks on RDP, and the use of stolen credentials. Once inside the network, the attackers run batch files to stop processes and services used by security solutions so that their presence is not discovered. They then move laterally to compromise as many devices as possible using the penetration testing tool Cobalt Strike, living-off-the-land Windows binaries, and legitimate tools such as Mimikatz. A beacon is installed on each compromised device on the network and is used to run PowerShell scripts, escalate privileges, and spawn a new session that acts as a listener on the victim's system, according to the FBI alert, a copy of which was obtained and reported on by Bleeping Computer.

Unlike many other threat actors, who deploy ransomware soon after a system is compromised, the actors behind these attacks often wait several months before the ransomware encryption routine is triggered. It is not known what they do during that time, but it is likely that it is used to exfiltrate sensitive data. The ransomware is deployed in the final stage of the attack, once all useful data has been taken from the victim.

The FBI's advice for improving security is standard guidance for preventing ransomware and other cyberattacks. Cybersecurity best practices should be followed, including backing up data regularly; storing backup copies on devices that are not connected to the network; testing backups to confirm that files can be recovered; setting strong passwords; patching promptly; enabling multi-factor authentication, especially on admin accounts; ensuring RDP servers can only be accessed through a VPN; disabling SMBv1; and scanning for open ports and blocking them so they cannot be reached.

The FBI also advises auditing the creation of new accounts and monitoring Active Directory for changes to authorized users; enabling PowerShell logging and monitoring for unusual commands, such as the execution of Base64-encoded PowerShell; and ensuring only the most recent version of PowerShell is installed.
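The PowerShell logging recommendation above, illustrated with an added example that is not part of the FBI alert or this article: a small Python triage routine that scans process-creation command lines for the -EncodedCommand switch (including its abbreviated forms) and decodes the Base64/UTF-16LE payload so an analyst can read what was actually run. The log lines are constructed samples.

```python
import base64
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of the switch name (-e, -enc,
# -EncodedC ...) plus the -ec alias, so detection must be prefix-based rather
# than a fixed-string match on "-EncodedCommand".
ENCODED_COMMAND = "encodedcommand"


def find_encoded_argument(command_line: str) -> Optional[str]:
    """Return the Base64 argument of an -EncodedCommand switch, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if name == "ec" or (name and ENCODED_COMMAND.startswith(name)):
            return tokens[i + 1].strip("\"'")
    return None


def decode_powershell_payload(b64: str) -> Optional[str]:
    """-EncodedCommand carries Base64 over UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(log_lines: List[str]) -> List[dict]:
    """Flag PowerShell command lines that carry an encoded command."""
    findings = []
    for line in log_lines:
        lowered = line.lower()
        if "powershell" not in lowered and "pwsh" not in lowered:
            continue
        b64 = find_encoded_argument(line)
        if b64 is not None:
            findings.append({"command_line": line,
                             "decoded": decode_powershell_payload(b64)})
    return findings


def _encode(script: str) -> str:
    """Helper to build constructed samples the way PowerShell expects them."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_LOG = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + _encode("Get-Process | Out-File C:\\temp\\p.txt"),
    "cmd.exe /c whoami",
    "powershell.exe -ec " + _encode("Write-Output 'constructed sample'"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["command_line"][:40], "->", hit["decoded"])
```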


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
