Doc396

LockerGoga Ransomware


Simple questions:

1. Does Malwarebytes protect from LockerGoga ransomware?

2. Can Malwarebytes scan for and find LockerGoga ransomware?

With all the hype about this ransomware in the past few weeks I find it strange that the Malwarebytes site has no reference to it.

Thanks Doc

21 hours ago, Doc396 said:

2. Can Malwarebytes scan for and find LockerGoga ransomware?

One important thing to keep in mind with regards to ransomware in general is that even if you are able to detect and remove it after the fact, doing so does not restore/unencrypt any files/data that the ransomware encrypted so prevention along with offsite data backups are very important.

Malwarebytes Premium does include signature-less behavior based protection from ransomware through its Ransomware Protection component which monitors all processes/threads in memory for ransomware behavior in order to intercept, stop and quarantine any ransomware that may have slipped through when it attempts to begin encrypting data/removing files etc., and the more proactive components of protection such as Web Protection, Malware Protection and especially Exploit Protection will often stop an attack before it even gets to the point of the ransomware making it onto the system thus greatly reducing the risk of any data loss.

If you're curious, you may find the information and diagram on this page to be informative.  It explains how the various layers of defense in Malwarebytes Premium work to shield systems from malware by interrupting and shutting down attacks during various phases of the kill chain/attack chain, and more often than not, ransomware employs exploits as a means of getting onto users' systems, meaning Malwarebytes will often stop the attack much earlier, before the actual ransomware binary ever reaches the system.  In the particular case of LockerGoga, at least based on what I've read so far, it seems that the attacks were very targeted, focusing only on specific industrial/business targets, not general home users, so the chances of being attacked by this threat are very unlikely.  It also appears that phishing may have been used, as the attackers apparently seemed to already have user credentials for the targets they attacked, which also unfortunately means that at that point the bad guys could do virtually anything, with or without the ransomware itself (for example, they could have installed a RAT (Remote Access Trojan) and taken complete control of the systems they infiltrated, installed a keylogger, harvested data, or even just wiped the systems completely if they so desired, depending on their objectives).  Ransomware is about extortion, so in this case their goal was apparently to disrupt operations to apply pressure to their targets to pay the ransom quickly, and I'm sure that more than one of the targets ended up paying, as they often unfortunately do when these incidents occur.

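An added worked example of the behaviour-based idea described in the reply above (this is illustrative code written for this thread, not Malwarebytes' code, and it does not describe how the Ransomware Protection component is actually implemented). It watches what processes do to files and raises an alert on the pattern rather than on a signature of the binary: many distinct documents rewritten with near-random content and an extra extension appended within a few seconds. The event log format, process names, paths, entropy values and thresholds are all constructed for the example.

```python
"""Behaviour-based ransomware heuristic over a stream of file-write events.

Added example for this thread; not Malwarebytes' code. Each event line is
"<ts> <pid> <process> <path> <entropy>" where entropy is the Shannon entropy
(bits per byte) of the data the process wrote to that path.
"""
import math
import os
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Extensions user documents normally carry (illustrative set, not exhaustive).
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_name(path: str) -> bool:
    """True for names like report.docx.enc: a document extension with another appended."""
    root, outer = os.path.splitext(os.path.basename(path))
    _, inner = os.path.splitext(root)
    return bool(outer) and inner.lower() in DOC_EXTS and outer.lower() not in DOC_EXTS


@dataclass
class Event:
    ts: float       # seconds
    pid: int
    proc: str
    path: str
    entropy: float  # entropy of the bytes written, as shannon_entropy() would compute


def parse_event(line: str) -> Event:
    ts, pid, proc, path, ent = line.split()   # constructed format: paths have no spaces
    return Event(float(ts), int(pid), proc, path, float(ent))


class RansomwareHeuristic:
    """Per-process sliding window of suspicious writes; alerts once per process."""

    def __init__(self, window=10.0, min_files=5, entropy_threshold=7.0):
        self.window = window                    # seconds
        self.min_files = min_files              # distinct files before alerting
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)       # pid -> deque of (ts, path)
        self._alerted = set()

    def observe(self, ev: Event):
        """Feed one event; return an alert dict when the threshold is crossed, else None."""
        if ev.entropy < self.entropy_threshold or not looks_encrypted_name(ev.path):
            return None
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window:   # evict writes outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.min_files and ev.pid not in self._alerted:
            self._alerted.add(ev.pid)
            return {"pid": ev.pid, "proc": ev.proc, "files": len(distinct), "at": ev.ts}
        return None


# Constructed event stream. pid 7000 touches five files but too slowly to trip the
# window; pid 900 writes high-entropy archives with ordinary names; pid 4412 is
# the ransomware-like pattern.
SAMPLE_EVENTS = """
 10.0 7000 slowtool.exe C:/Share/a.pdf.enc 7.9
 11.0 7000 slowtool.exe C:/Share/b.pdf.enc 7.9
 12.0 7000 slowtool.exe C:/Share/c.pdf.enc 7.9
 12.5 7000 slowtool.exe C:/Share/d.pdf.enc 7.9
 40.0 7000 slowtool.exe C:/Share/e.pdf.enc 7.9
100.0 1200 winword.exe C:/Users/ann/Documents/report.docx 4.1
100.5  900 backup.exe  D:/Backups/nightly-1.zip 7.9
101.0  900 backup.exe  D:/Backups/nightly-2.zip 7.9
101.2 4412 updater.exe C:/Users/ann/Documents/report.docx.enc 7.98
101.3 4412 updater.exe C:/Users/ann/Documents/budget.xlsx.enc 7.97
101.4 4412 updater.exe C:/Users/ann/Pictures/holiday.jpg.enc 7.99
101.6 4412 updater.exe C:/Users/ann/Documents/notes.txt.enc 7.96
101.8 4412 updater.exe C:/Users/ann/Documents/slides.pptx.enc 7.98
102.0 4412 updater.exe C:/Users/ann/Documents/invoice.pdf.enc 7.97
"""


def scan(text: str):
    """Run the heuristic over an event log; return the list of alerts raised."""
    det = RansomwareHeuristic()
    alerts = []
    for line in text.strip().splitlines():
        if line.strip():
            alert = det.observe(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['proc']}: {a['files']} encrypted-looking rewrites by t={a['at']}")
```

Running it raises a single alert for pid 4412 at the fifth rewrite. A toy like this has obvious false-positive paths (a backup tool that appends `.bak` to already-compressed images would score high), which is why a real product combines several behavioural signals, such as the deletion of originals that the reply mentions, before it intercepts and quarantines a process.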

I ask specifically about this version of ransomware, as our information is that it comes with a validated certificate, which allows it to bypass most anti-virus and anti-malware systems.  We received specific signature file information we had to load into our protection software last week, as it was not able to detect this version of ransomware.


There are different ways that the infection can be delivered. If a dropper is able to bypass detection and get it onto the system, the behavior should also be detected and prevented.

That said, practicing safe computing is a very important part of protecting systems.

Ensure users obtain education and training on subjects such as fake and phishing scam emails, not clicking on email links, being careful when browsing, using an ad blocker, using two-factor authentication, and not installing unknown software. Keep patches for the computer up to date, the same with plugins such as Java.
Keep your security software up to date at all times.
Make sure you always have a validated backup of your data: https://forums.malwarebytes.org/index.php?/topic/136226-backup-software/


Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

Firefox, Chrome, Opera, Safari, Microsoft Edge
AdBlock for Internet Explorer

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
11 hours ago, Doc396 said:

I ask specifically about this version of ransomware, as our information is that it comes with a validated certificate, which allows it to bypass most anti-virus and anti-malware systems.  We received specific signature file information we had to load into our protection software last week, as it was not able to detect this version of ransomware.

Just to add a bit of info that may be useful here: Malwarebytes doesn't whitelist any files based on certificates or signatures.  They learned a long time ago that signatures can be spoofed, and one of the most common practices for years has been to replicate legitimate Microsoft file signatures and certificates to bypass detection, so Malwarebytes will actually deliberately target objects which it knows are not legitimate Microsoft files if they attempt to use Microsoft file information and/or certificates (and the same goes for other certificates, not just Microsoft's; it's just that Microsoft's are the most commonly used, since it allows the bad guys to try and trick anti-malware tools and users into believing their malware files are a part of the OS).  So basically, the behavior of trying to spoof legitimate files would actually make it more likely for a threat to be targeted and detected by Malwarebytes.  It's one of those behaviors that Malwarebytes looks for in new/unknown threats.

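An added worked example of the trust decision exile360 describes above (written for this thread; it is not Malwarebytes' code and does not reproduce its detection logic). It shows two things in code: a certificate that validates is never on its own a reason to skip scanning, and a file whose version information claims Microsoft while its signature does not back that up is a detection signal rather than a bypass. Every input is a constructed record of the fields a scanner would read from a PE file's VERSIONINFO resource and Authenticode signature; the paths, signer names beyond Microsoft's own, and hash values are placeholders, and the signer list and allowlist are assumptions made for the example.

```python
"""Trust decision for a signed executable: added example, not Malwarebytes' code.

'allow'           -> skip nothing unless signer AND hash are both known good
'scan'            -> run the normal engines; a valid certificate buys no exemption
'spoofed-vendor'  -> claims Microsoft without Microsoft's signature; raise suspicion
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    path: str
    company_name: str       # VERSIONINFO CompanyName: free text, attacker controlled
    signed: bool            # an Authenticode signature is present
    signature_valid: bool   # chain builds to a trusted root, not revoked, hash matches
    signer_subject: str     # leaf certificate subject CN, "" when unsigned
    sha256: str             # constructed placeholder, not a real file hash


# Illustrative signer identities a scanner might treat as Microsoft's own code-signing
# certificates (assumption for this example; a real product maintains this list).
MICROSOFT_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Allowlisting needs the signer AND a known-good hash; the signature alone never suffices.
# Constructed placeholder value.
KNOWN_GOOD_SHA256 = {"sha256-placeholder-notepad"}


def claims_microsoft(company_name: str) -> bool:
    """Version-resource text is attacker controlled, so a claim is just a claim."""
    return "microsoft" in company_name.lower()


def classify(meta: FileMeta) -> str:
    trusted_signer = (meta.signed and meta.signature_valid
                      and meta.signer_subject in MICROSOFT_SIGNERS)

    # Wearing Microsoft's name without Microsoft's signature is the spoofing
    # behaviour the reply describes: it makes the file a target, not an exception.
    if claims_microsoft(meta.company_name) and not trusted_signer:
        return "spoofed-vendor"
    if trusted_signer and meta.sha256 in KNOWN_GOOD_SHA256:
        return "allow"
    # Everything else, including a perfectly valid signature from an unknown or
    # newly minted signer, gets the full scan (signatures plus behaviour monitoring).
    return "scan"


# Constructed samples (none are real files, signers or hashes).
SAMPLES = [
    FileMeta("C:/Windows/System32/notepad.exe", "Microsoft Corporation", True, True,
             "Microsoft Windows", "sha256-placeholder-notepad"),
    FileMeta("C:/Windows/System32/calc.exe", "Microsoft Corporation", True, True,
             "Microsoft Windows", "sha256-placeholder-5"),          # genuine but not allowlisted
    FileMeta("C:/Users/ann/AppData/Local/Temp/svchost.exe", "Microsoft Corporation",
             False, False, "", "sha256-placeholder-1"),              # unsigned, claims Microsoft
    FileMeta("C:/Users/ann/Downloads/update.exe", "Microsoft Corporation", True, True,
             "Example Shell Company LLC", "sha256-placeholder-2"),   # valid cert, wrong signer
    FileMeta("C:/Users/ann/Downloads/invoice_viewer.exe", "Example Shell Company LLC",
             True, True, "Example Shell Company LLC", "sha256-placeholder-3"),  # valid, unknown
    FileMeta("C:/Tools/hexdump.exe", "", False, False, "", "sha256-placeholder-4"),
]


def classify_all(samples=SAMPLES):
    """Map each sample path to its verdict."""
    return {m.path: classify(m) for m in samples}


if __name__ == "__main__":
    for path, verdict in classify_all().items():
        print(f"{verdict:15} {path}")
```

The fourth sample is the case raised in the question: a signature that validates end to end, issued to a company nobody has heard of. The verdict is `scan`, exactly as for an unsigned file, so the certificate gives the file no head start; the only way to reach `allow` is a signer the scanner already trusts plus a hash it has already vetted.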
On 3/28/2019 at 5:56 AM, exile360 said:

Just to add a bit of info that may be useful here: Malwarebytes doesn't whitelist any files based on certificates or signatures.  They learned a long time ago that signatures can be spoofed, and one of the most common practices for years has been to replicate legitimate Microsoft file signatures and certificates to bypass detection, so Malwarebytes will actually deliberately target objects which it knows are not legitimate Microsoft files if they attempt to use Microsoft file information and/or certificates (and the same goes for other certificates, not just Microsoft's; it's just that Microsoft's are the most commonly used, since it allows the bad guys to try and trick anti-malware tools and users into believing their malware files are a part of the OS).  So basically, the behavior of trying to spoof legitimate files would actually make it more likely for a threat to be targeted and detected by Malwarebytes.  It's one of those behaviors that Malwarebytes looks for in new/unknown threats.

Just catching up and browsing, very informative answer, thanks Exile.


You're most welcome.  If there's anything else we can help with or if you have any more questions just let us know.

Thanks
