LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Sigma rule (View on GitHub)
1title: LockerGoga Ransomware Activity
2id: 74db3488-fd28-480a-95aa-b7af626de068
3status: stable
4description: Detects LockerGoga ransomware activity via specific command line.
5references:
6 - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
7 - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
8 - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
9author: Vasiliy Burov, oscd.community
10date: 2020-10-18
11modified: 2023-02-03
12tags:
13 - attack.impact
14 - attack.t1486
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains: '-i SM-tgytutrc -s'
22 condition: selection
23falsepositives:
24 - Unlikely
25level: critical
References
-
I wanted to see the real ransomware in the action, so I got LockerGoga sample from app.any.run. Then I have run exe file with opened…
Read More -
We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we’ll provide some technical details of the new variant’s functionalities, as well as some Indicators of Compromise (IOCs). Overview Compared to other ransomware variants that use Window’s CRT library functions, this new variant relies heavily […]
Read More -
The right decisions require the right data. That's why Carbon Black is here to help you see targeted threats and prevent repeated attacks.
Read More
Related rules
- BlueSky Ransomware Artefacts
- Potential Conti Ransomware Activity
- WannaCry Ransomware Activity
- AWS EC2 Disable EBS Encryption
- Microsoft 365 - Potential Ransomware Activity