LockerGoga Ransomware Has a Bug That Stops Encryption

As we recently reported, the Norsk Hydro plant in Norway was attacked by the so-called LockerGoga ransomware. LockerGoga encrypts the victim's data and demands money, in the form of a ransom payment, to restore it.

Researchers Discover Bug in LockerGoga Ransomware

Encrypted files are given the .locked extension as a secondary extension, with no change to the original file name. Now it appears that the ransomware contains a bug in its code that may allow victims to "vaccinate" their computers, crashing the ransomware before it encrypts any local files.

Related: Remove LockerGoga Ransomware (.locked Extension).

The bug was discovered by Alert Logic researchers. It is located in a subroutine of the ransomware that executes before the encryption process starts. The subroutine is essentially a scan of all files on the affected system; it is how the ransomware builds the list of files to encrypt. This is what the researchers said in their report:

Once the ransomware becomes resident on the victim host, it performs an initial reconnaissance scan to gather file lists before it executes its encryption routine. One type of file it may come across is the '.lnk' file extension, a shortcut used in Windows to link files. When it encounters a '.lnk' file it will utilize the built-in shell32 / linkinfo DLLs to resolve the '.lnk' path. However, if this '.lnk' path has one of a series of errors in it, then it will raise an exception, an exception which the malware does not handle.

Once the ransomware hits an unhandled exception, it is terminated by the operating system, the researchers explained. All of this takes place during the reconnaissance phase, which occurs before encryption is started.

As a result, the ransomware halts and makes no further attempt at encryption. The malicious file still exists on the victim machine, but it is effectively rendered inert, since it cannot run to completion while the malformed '.lnk' file remains in place.

The researchers identified two conditions under which a '.lnk' file stops the ransomware in its tracks:

The ‘.lnk’ file has been crafted to contain an invalid network path;
The ‘.lnk’ file has no associated RPC endpoint.

Related: LockerGoga Ransomware Hits Norsk Hydro, Situation Quite Serious.

So, how can you trick LockerGoga before it encrypts your data?

Crafting a malformed ‘.lnk’ file can be an effective protection against execution of some samples of LockerGoga.

This simple trick may allow antivirus experts to create a so-called "vaccine". A vaccine is an application that creates malformed LNK files on users' computers to prevent the LockerGoga ransomware from running.
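The two conditions above point at where the crashing path lives: in the shortcut's LinkInfo block, which shell32/linkinfo parse to resolve a network target. As an added example (not code from this article or from Alert Logic), the following Python builds a minimal .lnk using the public MS-SHLLINK layout, places a syntactically invalid UNC name in its CommonNetworkRelativeLink, and parses the file back the way a resolver would. The article does not give the exact byte pattern Alert Logic used, so INVALID_NET_NAME, the looks_like_valid_unc check, the write_vaccine helper and the file name vaccine.lnk are illustrative assumptions; whether a given LockerGoga sample actually crashes on such a file has to be confirmed against that sample.

```python
"""
Build and parse a minimal Windows Shell Link (.lnk) whose LinkInfo block
carries a network path.  Layout follows the public MS-SHLLINK format;
the "invalid" path value below is an ASSUMPTION for illustration and is
not the specific malformation reported by Alert Logic.
"""
import os
import re
import struct

# {00021401-0000-0000-C000-000000000046}, stored little-endian in the header
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags
HAS_LINK_INFO = 0x02             # LinkFlags
CNRL_AND_PATH_SUFFIX = 0x02      # LinkInfoFlags: CommonNetworkRelativeLinkAndPathSuffix
VALID_NET_TYPE = 0x02            # CommonNetworkRelativeLinkFlags
WNNC_NET_LANMAN = 0x00020000     # NetworkProviderType for an SMB share

# ASSUMED invalid UNC name: the "server" segment holds characters that are not
# legal in a share path.  The article does not specify the exact byte pattern.
INVALID_NET_NAME = "\\\\?\\:<vaccine>"

# Loose syntax check for \\server\share[\suffix]  (assumption: illustration only)
_UNC_RE = re.compile(r'^\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+(?:\\.*)?$')


def looks_like_valid_unc(path):
    """True if path is shaped like a syntactically valid UNC path."""
    return _UNC_RE.match(path) is not None


def _cstr(s):
    return s.encode("ascii") + b"\x00"


def _read_cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def build_link_info(net_name, path_suffix=""):
    """LinkInfo holding only a CommonNetworkRelativeLink and a CommonPathSuffix."""
    net = _cstr(net_name)
    # CommonNetworkRelativeLink: 0x14-byte fixed part, NetName at 0x14, no DeviceName
    cnrl = struct.pack("<IIIII", 0x14 + len(net), VALID_NET_TYPE, 0x14, 0,
                       WNNC_NET_LANMAN) + net
    suffix = _cstr(path_suffix)
    header_size = 0x1C                      # no optional Unicode offset fields
    cnrl_off = header_size
    suffix_off = cnrl_off + len(cnrl)
    total = suffix_off + len(suffix)
    header = struct.pack("<IIIIIII", total, header_size, CNRL_AND_PATH_SUFFIX,
                         0, 0, cnrl_off, suffix_off)   # no VolumeID / LocalBasePath
    return header + cnrl + suffix


def build_lnk(net_name=INVALID_NET_NAME, path_suffix=""):
    """ShellLinkHeader (76 bytes) + LinkInfo + empty ExtraData terminal block."""
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        0x4C, LINK_CLSID, HAS_LINK_INFO,
        0,           # FileAttributes
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0,           # FileSize
        0,           # IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    return header + build_link_info(net_name, path_suffix) + struct.pack("<I", 0)


def parse_lnk(data):
    """Return the network name and path suffix a resolver would read from the link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    result = {"net_name": None, "path_suffix": None, "provider": None}
    if not flags & HAS_LINK_INFO:
        return result
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    _size, _hdr, li_flags, _vol, _local, cnrl_off, suffix_off = \
        struct.unpack_from("<IIIIIII", data, off)
    if not li_flags & CNRL_AND_PATH_SUFFIX:
        return result
    cnrl = off + cnrl_off
    _csize, _cflags, name_off, _dev_off, provider = struct.unpack_from("<IIIII", data, cnrl)
    result["net_name"] = _read_cstr(data, cnrl + name_off)
    result["path_suffix"] = _read_cstr(data, off + suffix_off)
    result["provider"] = provider
    return result


def write_vaccine(directory):
    """Drop the assumed vaccine shortcut into a directory; returns its path."""
    path = os.path.join(directory, "vaccine.lnk")   # ASSUMED file name
    with open(path, "wb") as fh:
        fh.write(build_lnk())
    return path


if __name__ == "__main__":
    link = build_lnk()
    info = parse_lnk(link)
    print(len(link), "bytes;", info, "valid UNC:", looks_like_valid_unc(info["net_name"]))
```

The link has no LinkTargetIDList and no StringData, so the only target a resolver can find is the network name in LinkInfo, which keeps the test case minimal. A real deployment would need the shortcut placed in every directory the scan walks, and it would need to stay there, since the text notes the ransomware is only inert while the malformed file remains.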

The bad news is that the present fix may only work for a while, as ransomware creators are usually quick to find bugs in their code and fix them in future releases; the trick also depends on the malformed '.lnk' file being somewhere the reconnaissance scan actually reaches.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys 'Mr. Robot' and fears '1984'. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
