Advisory ID: ngCERT-2025-100003
SUMMARY
ngCERT is aware of LockGoga, MegaCortex, and Nefilim, sophisticated hybrid ransomware variants that were active from 2019 to 2021 and are linked to a threat actor identified as deadforz, with the aliases “Boba,” “msfv,” and “farnetwork.” These ransomware strains have targeted critical infrastructure, manufacturing, healthcare, and transportation sectors in several countries across the globe, resulting in losses of millions of US dollars. This underscores the need for organizations to review their systems for indicators of compromise (IoCs) and strengthen defences against potential affiliate-driven attacks.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows, Dell Firmware
DESCRIPTION
LockGoga targets industrial systems. It encrypts files with the Advanced Encryption Standard (AES) and appends ".locked" to them. Initial access is achieved through phishing or stolen Remote Desktop Protocol (RDP) credentials. The malware is then dropped into the %TEMP% folder, where it disables network connectivity, wipes free disk space with cipher.exe, encrypts files and demands payment via email.

MegaCortex is a hybrid ransomware used against enterprises and possesses anti-analysis capabilities. Its attack chain begins with initial access through phishing, SQL injection, or RDP exploits. It then uses Cobalt Strike for persistence, runs kill.bat to evade antivirus detection, propagates via Qakbot, and demands multi-million-dollar ransoms.

Nefilim uses double extortion together with AES-128 or Rivest–Shamir–Adleman (RSA-2048) encryption (RSA is a family of public-key cryptosystems used for secure data transmission). It appends ".NEFILIM" or ".DERZKO" to encrypted files and exploits CVE-2019-19781, a critical vulnerability in Citrix Application Delivery Controller (ADC) and Gateway products that allows unauthenticated attackers to execute arbitrary code remotely via a directory traversal flaw. Its operators also use RDP or phishing for initial access. Mimikatz and PsExec/WMI are then employed for credential dumping, lateral movement within the network, privilege escalation, and persistence before data is exfiltrated to cloud services such as MEGAsync, after which the criminals threaten to leak the stolen information.
INDICATORS OF COMPROMISE
The following are the observed Indicators of Compromise (IoCs):
1. LockGoga: SHA256 hashes in Fortinet/Unit42 reports; %TEMP% execution, cipher.exe use, ".locked" extensions; email-based ransom demands.
2. MegaCortex: Hashes in Heimdal reports; kill.bat, Cobalt Strike beacons, RDP port 3389 activity; Qakbot-related traffic.
3. Nefilim: Delphi-based samples; Mimikatz dumps, PsExec/WMI usage, MEGAsync exfiltration; connections to known exfil domains; Citrix exploit attempts.
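The behaviours listed in the DESCRIPTION and INDICATORS OF COMPROMISE sections (execution from %TEMP%, cipher.exe free-space wiping, kill.bat, PsExec/WMI, Mimikatz, MEGAsync, and the ".locked"/".NEFILIM"/".DERZKO" extensions) can be turned into a simple triage pass over endpoint telemetry. The script below is an added example written for this advisory, not ngCERT tooling or any vendor's detection content. It assumes process-creation and file-write records in a Sysmon-like shape (image, command line, target filename); the event records embedded in it are constructed sample data, the %TEMP% paths are the usual resolved locations rather than the literal variable, and the rule names are the author's own.

```python
"""Triage helper: match the behavioural and file-extension indicators named in
the advisory against process-creation and file-write records.

Added example for this advisory, not ngCERT tooling. The SAMPLE_EVENTS below
are constructed test data in a Sysmon-like shape, not real telemetry.
"""
import re
from dataclasses import dataclass

# Encrypted-file extensions named in the advisory (lower-cased for matching).
RANSOM_EXTENSIONS = {".locked": "LockGoga", ".nefilim": "Nefilim", ".derzko": "Nefilim"}

# Behavioural rules derived from the DESCRIPTION section.
# Each entry: (rule name, strain, regex applied to "image + command line").
# Rule names are the author's; %TEMP% is assumed to resolve to the usual paths.
RULES = [
    ("execution_from_temp", "LockGoga",
     re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\\]+\.exe", re.I)),
    ("cipher_free_space_wipe", "LockGoga",
     re.compile(r"\\cipher\.exe.*\s/w:", re.I)),
    ("kill_bat_av_evasion", "MegaCortex",
     re.compile(r"\bkill\.bat\b", re.I)),
    ("mimikatz_credential_dump", "Nefilim",
     re.compile(r"mimikatz|sekurlsa::logonpasswords", re.I)),
    ("psexec_or_wmi_lateral_movement", "Nefilim",
     re.compile(r"\\psexec(?:64)?\.exe|\\wmic\.exe.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("megasync_exfil_tool", "Nefilim",
     re.compile(r"\\megasync\.exe", re.I)),
]


@dataclass
class Event:
    host: str
    image: str = ""            # full path of the created process
    command_line: str = ""     # its command line
    target_filename: str = ""  # set only for file-write events


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    strain: str
    evidence: str


def match_process_event(ev: Event) -> list:
    """Return one Finding per behavioural rule that matches the process record."""
    hay = f"{ev.image} {ev.command_line}".strip()
    return [Finding(ev.host, name, strain, hay) for name, strain, rx in RULES if rx.search(hay)]


def match_file_event(ev: Event) -> list:
    """Flag a file write whose name ends in one of the advisory's extensions."""
    name = ev.target_filename.lower()
    for ext, strain in RANSOM_EXTENSIONS.items():
        if name.endswith(ext):
            return [Finding(ev.host, "ransom_extension_written", strain, ev.target_filename)]
    return []


def triage(events) -> list:
    """Run file-write events through the extension check and everything else through RULES."""
    findings = []
    for ev in events:
        findings.extend(match_file_event(ev) if ev.target_filename else match_process_event(ev))
    return findings


def hosts_by_strain(findings) -> dict:
    """Group affected hosts by the strain whose tradecraft they matched."""
    out = {}
    for f in findings:
        out.setdefault(f.strain, set()).add(f.host)
    return out


# Constructed sample telemetry (not real data): one benign record at the end.
SAMPLE_EVENTS = [
    Event("ws01", r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe", r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe"),
    Event("ws01", r"C:\Windows\System32\cipher.exe", "cipher.exe /w:C:\\"),
    Event("ws01", target_filename=r"C:\Users\jdoe\Documents\report.docx.locked"),
    Event("srv02", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\ProgramData\kill.bat"),
    Event("srv03", r"C:\Tools\PsExec64.exe", r"PsExec64.exe \\srv04 -s cmd.exe"),
    Event("srv03", r"C:\Users\admin\Downloads\MEGAsync.exe", "MEGAsync.exe"),
    Event("srv04", target_filename=r"D:\Finance\ledger.xlsx.NEFILIM"),
    Event("ws05", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:6} {f.strain:11} {f.rule:32} {f.evidence}")
    print(hosts_by_strain(results))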
CONSEQUENCES
Successful attacks by LockGoga, MegaCortex, and Nefilim ransomware variants could result in:
- Disruption of operations, supply chain interruptions and possible Denial of Service (DoS) attacks.
- Financial losses due to ransom payments, recovery costs and General Data Protection Regulation (GDPR) fines.
- Reputational damage due to data exposure from possible dark web leaks and the possibility of secondary extortion.
- National security risks occasioned by breaches to defence and sensitive critical infrastructure.
SOLUTION/MITIGATION
ngCERT recommends that organisations:
- Patch vulnerabilities such as CVE-2019-19781, harden RDP, enforce multifactor authentication, and implement Zero Trust and least-privilege access to limit initial access.
- Deploy Endpoint Detection and Response (EDR) for behavioural monitoring such as process injection, lateral movement, credential dumping and cloud exfiltration.
- Maintain offline, immutable backups (3-2-1 rule); test recovery quarterly; avoid ransom payments and report to ngCERT in the event of an attack, to ensure speedy recovery.
- Block IoCs at firewalls.
- Conduct regular phishing awareness training for all staff.