As we recently reported, the Norsk Hydro plant in Norway was attacked by the so-called LockerGoga ransomware. LockerGoga encrypts the victim’s data and demands a ransom payment in exchange for restoring it.
Researchers Discover Bug in LockerGoga Ransomware
Encrypted files get the .locked extension appended as a second extension; the original file name is otherwise left unchanged. Now it appears that the ransomware contains a bug in its code that may allow victims to “vaccinate” their computers, crashing the ransomware before it encrypts any local files.
The bug was discovered by Alert Logic researchers. It appears to be located in a subroutine of the ransomware that runs before the encryption process starts: a simple scan of all files on the affected system, which is how the ransomware builds the list of files to encrypt. This is what the researchers said in their report:
Once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the ‘.lnk’ file extension—a shortcut used in Windows to link files. When it encounters a ‘.lnk’ file it will utilize the built-in shell32 / linkinfo DLLs to resolve the ‘.lnk’ path. However, if this ‘.lnk’ path has one of a series of errors in it, then it will raise an exception—an exception which the malware does not handle.
Once the ransomware hits an unhandled exception, it is terminated by the operating system, the researchers explained. All of this takes place during the reconnaissance phase, which occurs before encryption starts.
As a result, the ransomware halts and makes no further attempt at encryption. The malicious file still exists on the victim machine, but it is effectively rendered inert, since it cannot get past the reconnaissance scan while the malformed ‘.lnk’ file remains in place.
The researchers identified two conditions for the ‘.lnk’ file which would allow it to interrupt the ransomware in its tracks:
– The ‘.lnk’ file has been crafted to contain an invalid network path;
– The ‘.lnk’ file has no associated RPC endpoint.
So, how can you trick LockerGoga before it encrypts your data?
Crafting a malformed ‘.lnk’ file can be an effective protection against execution of some samples of LockerGoga.
This simple trick may allow antivirus vendors to create a so-called “vaccine”: an application that creates malformed LNK files on users’ computers to prevent the LockerGoga ransomware from running.
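To make the two conditions above concrete, here is an added example (not code from this article or from Alert Logic's report) that builds a shell link file by hand, following the public MS-SHLLINK layout: a ShellLinkHeader, then a LinkInfo block whose CommonNetworkRelativeLink carries the network name that a resolver such as shell32/linkinfo would try to interpret. The network name `\\?\bad\share`, the suffix `vaccine.txt` and the output file name are placeholders chosen here; the report does not say which byte pattern it used, so whether a given LockerGoga sample actually chokes on this particular file has to be confirmed against that sample in an isolated lab. The reader at the end parses the file back, so the layout can be checked on any platform, and it rejects anything that does not carry the shell-link header and CLSID.

```python
"""
Hand-built .lnk (MS-SHLLINK) whose LinkInfo carries an invalid network path,
plus a small reader to verify the layout. Example code, not from the article.
"""
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1): size and LinkCLSID in on-disk byte order
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags (2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80

# LinkInfoFlags (2.3) and CommonNetworkRelativeLink fields (2.3.2)
COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX = 0x02
VALID_NET_TYPE = 0x02
WNNC_NET_LANMAN = 0x00020000

FILE_ATTRIBUTE_ARCHIVE = 0x20
SW_SHOWNORMAL = 1


def build_common_network_relative_link(net_name: str) -> bytes:
    """CommonNetworkRelativeLink holding only an ANSI NetName (no DeviceName)."""
    name = net_name.encode("ascii") + b"\x00"
    size = 0x14 + len(name)
    # size, flags, NetNameOffset (0x14 = right after the fixed fields),
    # DeviceNameOffset (0: no device), NetworkProviderType
    return struct.pack("<IIIII", size, VALID_NET_TYPE, 0x14, 0, WNNC_NET_LANMAN) + name


def build_link_info(net_name: str, path_suffix: str) -> bytes:
    """LinkInfo with no VolumeID/LocalBasePath, only the network link + suffix."""
    cnrl = build_common_network_relative_link(net_name)
    suffix = path_suffix.encode("ascii") + b"\x00"
    header_size = 0x1C                      # no optional Unicode offsets
    cnrl_off = header_size
    suffix_off = cnrl_off + len(cnrl)
    total = suffix_off + len(suffix)
    hdr = struct.pack("<IIIIIII", total, header_size,
                      COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX,
                      0, 0, cnrl_off, suffix_off)   # VolumeID/LocalBasePath offsets unused
    return hdr + cnrl + suffix


def build_vaccine_lnk(net_name: str, path_suffix: str = "vaccine.txt") -> bytes:
    """Complete shell link: header, LinkInfo, and the 4-byte ExtraData terminal block."""
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LINK_CLSID,
        HAS_LINK_INFO | IS_UNICODE,
        FILE_ATTRIBUTE_ARCHIVE,
        0, 0, 0,            # CreationTime, AccessTime, WriteTime (0 = not set)
        0, 0,               # FileSize, IconIndex
        SW_SHOWNORMAL,
        0,                  # HotKey
        0, 0, 0,            # Reserved1/2/3
    )
    return header + build_link_info(net_name, path_suffix) + b"\x00\x00\x00\x00"


def _cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("ascii", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Read back header and LinkInfo; raise ValueError if it is not a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    hsize, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hsize != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the IDList if one is present
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    out = {"flags": flags, "net_name": None, "path_suffix": None, "provider": None}
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, _vol, _lbp, cnrl_off, suffix_off = \
            struct.unpack_from("<IIIIIII", data, pos)
        li = data[pos:pos + li_size]
        if li_flags & COMMON_NETWORK_RELATIVE_LINK_AND_PATH_SUFFIX:
            c_size, _c_flags, nn_off, _dn_off, provider = struct.unpack_from("<IIIII", li, cnrl_off)
            cnrl = li[cnrl_off:cnrl_off + c_size]
            out["net_name"] = _cstring(cnrl, nn_off)
            out["provider"] = provider
            out["path_suffix"] = _cstring(li, suffix_off)
    return out


if __name__ == "__main__":
    # Placeholder network name; "\\?\" is the Win32 extended-path prefix, which is
    # not a valid server name inside a UNC path.
    blob = build_vaccine_lnk(r"\\?\bad\share")
    with open("vaccine.lnk", "wb") as fh:   # output name is an assumption of this example
        fh.write(blob)
    print(parse_lnk(blob))
```

The article does not say where on disk the malformed file has to sit for the scan to find it, so the directory you drop `vaccine.lnk` into is an assumption to settle during lab testing; note also that the report describes the crash as happening when the path is resolved, so the file only has to be encountered by the scan, not opened by the user.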
The bad news is that this fix may only work for a while, as ransomware authors are usually quick to find bugs in their code and fix them in future releases.