Coding error in Lockergoga halts the ransomware even before performing encryption

• The use of a .lnk filepath contains a series of errors which halts the ransomware even before the encryption process.
• Researchers noted that creating a malformed ‘.lnk’ file can protect your systems against the execution of at least some samples of the Lockergoga ransomware.

LockerGoga, the ransomware that hit the aluminum giant Norsk Hydro and two other American chemical companies contains an error in its code that could allow victims to metaphorically ‘vaccinate’ their systems and halt the ransomware even before it starts encrypting files.

Security researchers from Alert Logic uncovered the coding error in the ransomware.

The big picture

Researchers described that the ransomware when dropped on to the host system, performs an initial reconnaissance scan to collect file lists before the encryption process begins.

• The file lists include a .lnk file extension, which is a shortcut used in Windows to link files.
• This .lnk file uses the built-in shell32 / linkinfo DLLs to resolve the ‘.lnk’ path.
• However, the .lnk filepath contains a series of errors which halts the ransomware even before the encryption process.

The researchers have discovered two conditions for the ‘.lnk’ file to halt the ransomware which are as follows:

• The ‘.lnk’ file has been crafted to contain an invalid network path
• The ‘.lnk’ file has no associated RPC endpoint

Worth noting - Researchers noted that creating a malformed ‘.lnk’ file can protect your systems against the execution of at least some samples of the Lockergoga ransomware.

“Of course, if ransomware has become resident on your system then there is still some exploit or misconfiguration which attackers are using to deliver this payload—and it’s of the utmost importance that that entry point is identified and closed as soon as possible,” researchers said in a blog.