LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Sigma rule (View on GitHub)
1title: LockerGoga Ransomware Activity
2id: 74db3488-fd28-480a-95aa-b7af626de068
3status: stable
4description: Detects LockerGoga ransomware activity via specific command line.
5references:
6 - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
7 - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
8 - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
9author: Vasiliy Burov, oscd.community
10date: 2020/10/18
11modified: 2023/02/03
12tags:
13 - attack.impact
14 - attack.t1486
15 - detection.emerging_threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains: '-i SM-tgytutrc -s'
22 condition: selection
23falsepositives:
24 - Unlikely
25level: critical
References
-
I wanted to see the real ransomware in the action, so I got LockerGoga sample from app.any.run. Then I have run exe file with opened…
Read More -
We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we’ll provide some technical details of the new variant’s functionalities, as well as some Indicators of Compromise (IOCs). Overview Compared to other ransomware variants that use Window’s CRT library functions, this new variant relies heavily […]
Read More
Related rules
- Potential Conti Ransomware Activity
- Potential Dtrack RAT Activity
- Potential Maze Ransomware Activity
- Suspicious Multiple File Rename Or Delete Occurred
- Suspicious Creation TXT File in User Desktop