:: Deepquest ::

LockerGoga ransomware looks for and loads a DLL named “wow64log.dll” in WindowsSystem32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. Four processes are created. For instance, there is “imtvknqq9737.exe” running under AppDataLocalTemp, the process name is “imtvknqq” plus an appended random number. Our exploit DLL will simply display a Win32API message box and call exit(). The exploit DLL must export “InterlockedExchange” function or it fails with an error. We do not need to rely on hash signature or third-party products as the malware’s own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill as the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.