https://community.checkpoint.com/t5/Endpoint/LockerGoga-from-Norsk-Hydro-Analysis/m-p/49348#M3339 <P>#Edited# , a recording of the Threat Gazette Live session on the Norsk Hydro Cyber Attack and SandBlast Agent prevention for it is <A href="https://checkpoint.zoom.us/recording/share/XmvCnLRh7rLzWaqG4aAKOZ3FVHa6d7oxWJ7GqXCc_BmwIumekTziMw?startTime=1554130993000" target="_self">now available</A>.</P> <P>The ongoing Cyber Attack on Norsk Hydro is changing fronts, adding fraud attempts that are trying to leverage the still not fully operational enterprise, still suffering from a cyber attack that started on March 19th . For more details you can join&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/27376">@Marcel_Afrahim</a>&nbsp;and myself for the Threat Gazette Live on April 1st, scroll down for details.</P> <P>The following initial analysis by&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/27376">@Marcel_Afrahim</a>&nbsp;shows&nbsp;LockerGoga is using multi process operation, where each process encrypts a few files. This is done to bypass detection and work in parallel together with having a separate decryption key for every bunch, supposedly to make it harder to break.</P> <P>You can deep dive and analyze the malware yourself using its <A href="https://forensics.checkpoint.com/lockergoga/tree.html" target="_self">online SandBlast Agent forensic report</A>.</P> <P>Here is a view to the multi process using SandBlast Agent forensic report:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="100's processes.PNG" style="width: 421px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/569iE9B3A528C2ADC492/image-size/large?v=v2&amp;px=999" role="button" title="100's processes.PNG" alt="100's processes.PNG" /></span></P> <P>The main process doesn't try to move laterally, suggesting an initial dropper insert it. On execution it enumerates the files and executes a child process to encrypt each bunch. After that he will cut the computer communication.</P> <P><SPAN>Join Threat Gazette Live on April 1st to hear more, click a link for your preferred webinar time:</SPAN></P> <P><SPAN>Click to <A href="https://checkpoint.zoom.us/webinar/register/WN_eJeJ1d6YSPqBuToOiqs-MA" target="_blank" rel="noopener">Register</A></SPAN><SPAN> for the 8 a.m. GMT for EMEA and APAC</SPAN></P> <P><SPAN>Click to <A href="https://checkpoint.zoom.us/webinar/register/WN_7fSigqbUQAm3Hhh14OE35Q" target="_blank" rel="noopener">Register</A></SPAN> <SPAN>for the 11 a.m. EST for Americas</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks,</SPAN></P> <P><SPAN>Gadi</SPAN></P> Sun, 07 Apr 2019 08:13:00 GMT Gad_Naveh 2019-04-07T08:13:00Z https://community.checkpoint.com/t5/Endpoint/LockerGoga-from-Norsk-Hydro-Analysis/m-p/49348#M3339 <P>#Edited# , a recording of the Threat Gazette Live session on the Norsk Hydro Cyber Attack and SandBlast Agent prevention for it is <A href="https://checkpoint.zoom.us/recording/share/XmvCnLRh7rLzWaqG4aAKOZ3FVHa6d7oxWJ7GqXCc_BmwIumekTziMw?startTime=1554130993000" target="_self">now available</A>.</P> <P>The ongoing Cyber Attack on Norsk Hydro is changing fronts, adding fraud attempts that are trying to leverage the still not fully operational enterprise, still suffering from a cyber attack that started on March 19th . For more details you can join&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/27376">@Marcel_Afrahim</a>&nbsp;and myself for the Threat Gazette Live on April 1st, scroll down for details.</P> <P>The following initial analysis by&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/27376">@Marcel_Afrahim</a>&nbsp;shows&nbsp;LockerGoga is using multi process operation, where each process encrypts a few files. This is done to bypass detection and work in parallel together with having a separate decryption key for every bunch, supposedly to make it harder to break.</P> <P>You can deep dive and analyze the malware yourself using its <A href="https://forensics.checkpoint.com/lockergoga/tree.html" target="_self">online SandBlast Agent forensic report</A>.</P> <P>Here is a view to the multi process using SandBlast Agent forensic report:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="100's processes.PNG" style="width: 421px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/569iE9B3A528C2ADC492/image-size/large?v=v2&amp;px=999" role="button" title="100's processes.PNG" alt="100's processes.PNG" /></span></P> <P>The main process doesn't try to move laterally, suggesting an initial dropper insert it. On execution it enumerates the files and executes a child process to encrypt each bunch. After that he will cut the computer communication.</P> <P><SPAN>Join Threat Gazette Live on April 1st to hear more, click a link for your preferred webinar time:</SPAN></P> <P><SPAN>Click to <A href="https://checkpoint.zoom.us/webinar/register/WN_eJeJ1d6YSPqBuToOiqs-MA" target="_blank" rel="noopener">Register</A></SPAN><SPAN> for the 8 a.m. GMT for EMEA and APAC</SPAN></P> <P><SPAN>Click to <A href="https://checkpoint.zoom.us/webinar/register/WN_7fSigqbUQAm3Hhh14OE35Q" target="_blank" rel="noopener">Register</A></SPAN> <SPAN>for the 11 a.m. EST for Americas</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks,</SPAN></P> <P><SPAN>Gadi</SPAN></P> Sun, 07 Apr 2019 08:13:00 GMT https://community.checkpoint.com/t5/Endpoint/LockerGoga-from-Norsk-Hydro-Analysis/m-p/49348#M3339 Gad_Naveh 2019-04-07T08:13:00Z