{ "Event": { "analysis": "1", "date": "2019-03-21", "extends_uuid": "", "info": "[Threat Intel] How Lockergoga took down Hydro \u2014 ransomware used in targeted attacks aimed at big business", "protected": false, "publish_timestamp": "1772418860", "published": true, "threat_level_id": "2", "timestamp": "1772418858", "uuid": "9cfcdb0f-da19-45be-af5c-c0cd3541d7ab", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Medium\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"LockerGoga\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Manufacturing\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#dff146", "local": false, "name": "IT-impact-ICS", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772245213", "to_ids": false, "type": "link", "uuid": "11cc3bfb-32a1-435b-acc3-c1c0f97a372a", "value": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772337983", "uuid": "82d7592c-9866-4ccc-bdc4-bc84ab9193d6", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772337983", "to_ids": true, "type": "md5", "uuid": "bcd25712-f1bf-4a1d-9c89-648b24fc4b4f", "value": "16bcc3b7f32c41e7c7222bf37fe39fe6", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772337981", "to_ids": true, "type": "sha1", "uuid": "220de962-dd21-496e-bbef-addd93d6dc12", "value": "a25bc5442c86bdeb0dec6583f0e80e241745fb73", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772337981", "to_ids": true, "type": "sha256", "uuid": "6d610d56-9770-4269-be2f-bb7fcf66ff34", "value": "eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772337955", "to_ids": true, "type": "ssdeep", "uuid": "55b03b20-68a2-4f79-a76a-97176fac1e77", "value": "24576:uj/6CtkHRos9l+zan4Q6eQqF5ZgQibE2zkMiJHic9OuTw258tox6T9G0SKoRl:A/NtkHRos9l+zan4QTB/2zkPtBq2itoP" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772337955", "to_ids": false, "type": "size-in-bytes", "uuid": "b78eb5f3-8fd7-470f-aa7b-2f20d2c2aab1", "value": "1254264" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772337955", "to_ids": true, "type": "vhash", "uuid": "4fec4bdf-ea2a-4ae9-bb45-9a4163f4daf9", "value": "016056655d551560e8z9a7z37z2019z27z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772337955", "to_ids": true, "type": "filename", "uuid": "32c1687d-4144-4247-ae80-fd22b5017ef6", "value": "yxugwjud" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 26/02/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772337955", "to_ids": false, "type": "text", "uuid": "c1e7e591-9d2a-4cd4-8f9e-e7fcda1e588e", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/LockerGoga\nVT Total Detection:64/72\nFirst Submission:2019-03-08T12:43:50.000000+00:00\nLast Submission:2026-01-28T07:25:36.000000+00:00" } ] } ] } }