LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Sigma rule
```yaml
title: LockerGoga Ransomware Activity
id: 74db3488-fd28-480a-95aa-b7af626de068
status: stable
description: Detects LockerGoga ransomware activity via specific command line.
references:
    - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
    - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
    - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
author: Vasiliy Burov, oscd.community
date: 2020/10/18
modified: 2023/02/03
tags:
    - attack.impact
    - attack.t1486
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-i SM-tgytutrc -s'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
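To show what the rule's single `CommandLine|contains` selection actually fires on, here is an added example (not part of the Sigma project or this rule's page) that evaluates the selection over a few constructed process_creation records, reproducing Sigma's default case-insensitive string matching; the image paths and process IDs are made up for illustration.

```python
"""Apply the LockerGoga Sigma rule's selection to process_creation events.
Added example, not part of the Sigma project; the event records below are
constructed. Sigma string matching is case-insensitive by default."""
from typing import Dict, List

RULE_ID = "74db3488-fd28-480a-95aa-b7af626de068"
# The rule's only selection: CommandLine|contains: '-i SM-tgytutrc -s'
SELECTION = {"CommandLine|contains": "-i SM-tgytutrc -s"}


def field_matches(event: Dict[str, str], key: str, pattern: str) -> bool:
    """Evaluate one 'Field|modifier: value' pair against an event."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    pattern = pattern.lower()  # case-insensitive, as Sigma specifies
    if modifier == "contains":
        return pattern in value
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection -> every field in the selection must match."""
    return all(field_matches(event, k, v) for k, v in SELECTION.items())


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessId of each event the rule fires on."""
    return [e["ProcessId"] for e in events if rule_matches(e)]


# Constructed process_creation records (Sysmon-style field names, not real logs).
SAMPLE_EVENTS = [
    {"ProcessId": "4101", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"ProcessId": "4188", "Image": r"C:\Windows\Temp\tgytutrc.exe",
     "CommandLine": r"C:\Windows\Temp\tgytutrc.exe -i SM-tgytutrc -s"},
    {"ProcessId": "4190", "Image": r"C:\Windows\Temp\tgytutrc.exe",
     "CommandLine": "tgytutrc.exe -I sm-TGYTUTRC -S"},  # differs only in case
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # ['4188', '4190']
```

The third record matches only because Sigma compares strings case-insensitively; a backend that lowers to a case-sensitive query would miss it.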
Related rules
- Potential Conti Ransomware Activity
- Potential Dtrack RAT Activity
- Potential Maze Ransomware Activity
- Suspicious Multiple File Rename Or Delete Occurred
- Suspicious Creation TXT File in User Desktop