An Analysis of LockerGoga Ransomware

This paper contains an analysis of the LockerGoga ransomware that was used in a series of targeted cyberattacks in the first half of 2019 against Norsk Hydro, one of the world's five largest aluminum manufacturers, as well as the US chemical enterprises Hexion and Momentive; the companies that publicly reported the attack are only the tip of the iceberg. The ransomware was executed by attackers from inside the corporate network to encrypt the data on enterprise servers, thus taking down the information control systems. The intruders demanded a ransom in exchange for a master key and a decryption tool that could be used to decrypt the affected files. The purpose of the analysis is to identify the tactics and techniques used by the LockerGoga ransomware during the cryptolocker attack, as well as its encryption model, in order to answer the question of whether the encrypted files can be decrypted with or without paying the ransom. The scientific novelty of the paper lies in an analysis methodology based on various reverse engineering techniques, such as multi-process debugging and the use of the open source code of a cryptographic library to determine the ransomware's encryption model.