Dark Reading is part of the Informa Tech Division of Informa PLC


3/27/2019
06:00 PM

6 Things To Know About the Ransomware That Hit Norsk Hydro

In just one week, 'LockerGoga' has cost the Norwegian aluminum maker $40 million as it struggles to recover operations across Europe and North America.

LockerGoga - the malware that recently disrupted operations at Norwegian aluminum company Norsk Hydro - is the latest example of the rapidly changing nature of ransomware attacks.

The March 19 attack impacted critical operations in several of Hydro's business areas across Europe and North America. The attack forced the aluminum maker to resort to manual operations at multiple plants. It crippled production systems belonging to Hydro's Extruded Solutions group in particular, resulting in temporary plant closures and operational slowdowns from which the company is still only in the process of recovering.

In two updates this week, Norsk Hydro described the attack as so far costing it about $40 million.

The attack comes amid an overall decline in ransomware campaigns and highlights what security experts say is a shift to more narrowly focused, targeted ransomware intrusions. "Ransomware as a generic threat family is absolutely on the decline," says Rik Ferguson, vice president of security research at Trend Micro.

Ransomware-related events have declined 91% year over year, and the number of new ransomware families in the marketplace has declined 32%, he says. "[But] those players still in the game are the more talented ones still seeking to innovate on this technique, to find new victim populations, to gain greater leverage, and to sow greater disruption and reap consequentially larger rewards."

Some examples of groups using ransomware in this manner include Pinchy Spider, the group behind the GandCrab ransomware family; Boss Spider, the authors of SamSam; Indrik Spider, the threat actor using BitPaymer; and Grim Spider, the operators of Ryuk. In most cases the newer attacks are notable not necessarily because of how sophisticated the ransomware tools are, but because of how they are being used.

Here's a look at the most notable features and capabilities of LockerGoga:

1. LockerGoga changes passwords.

Security researchers are still not sure how the attackers are initially infecting systems with LockerGoga, though several believe that spear-phishing is the most likely scenario.

Once LockerGoga infects a system, it changes all the local user account passwords to a single hard-coded password before attempting to boot local and remote users out of the system, Ferguson says. The password change complicates local intervention processes. It also "affects any system services using local accounts running on servers, sending availability ripples throughout the targeted organization," Ferguson says.

F-Secure, however, described LockerGoga as changing only administrator account passwords to that hard-coded value.

2. It forcibly logs victims out of infected systems.

Early versions of LockerGoga merely encrypted files and other data on infected systems and presented victims with a note demanding a ransom in exchange for the decryption keys. Newer versions of the malware have included a capability to forcibly log the victim out of an infected system and remove their ability to log back in as well.

"The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands," Cisco Talos noted in a blog. This capability makes newer versions of LockerGoga destructive in nature, the vendor said.

3. It has no use for the network.

Unlike some other ransomware families, LockerGoga does not rely on the network for command and communications, nor to generate encryption keys. "In fact, LockerGoga disdains the network to such an extent that it also attempts to locally disable all network interfaces," Ferguson says. The goal is "to further isolate the affected computer and to complicate recovery, necessitating direct local intervention."

4. It doesn't self-propagate (yet).

LockerGoga has no obvious worm-like capabilities for self-propagation since it does not rely on the network. Security researchers from Palo Alto Networks' Unit 42 group said they have observed LockerGoga moving around a compromised network via the Server Message Block (SMB) protocol. That "indicates the actors simply manually copy files from computer to computer," the vendor said in a blog Tuesday.

However, recent additions and updates to the malware since it first surfaced in January suggest that the authors may be enabling a network capability. As an example, Unit 42 pointed to the addition of WS2_32.dll (Winsock) routines for handling network connections and the use of undocumented Windows API calls.

The additions suggest "the developers are building in [a] network capability for the ransomware which could be used for Command and Control, or network self-propagation capabilities," says Ryan Olson, vice president of threat intelligence at Unit 42 at Palo Alto Networks.

The use of the undocumented Windows APIs demonstrates a relatively high degree of technical sophistication and familiarity with Windows internals, he says. "The capabilities that we see for possible C2 or network self-propagation could make this a more dangerous kind of ransomware in the future," Olson notes.
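Two of the behaviours described above, the mass reset of local account passwords (item 1) and the same file being copied host to host over SMB (item 4), both surface in Windows Security logs as a burst of individually ordinary events. As an added example, not from the article or from any of the vendors quoted, the following Python detection logic runs over constructed event records shaped like Security events 4724 (a password reset was attempted) and 5145 (a network share object was checked). The field names, host names, IP addresses, file name and thresholds are assumptions made for the example.

```python
"""Detection logic for two LockerGoga behaviours: a burst of local password
resets on one host, and one source pushing the same file to administrative
shares on many hosts.  Sample events are constructed, not real logs; the
field names and values are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}

SAMPLE_EVENTS = [
    # Constructed 4724 events: four local accounts reset on HOST-A within 4 seconds
    {"ts": "2019-03-19T02:00:01", "id": 4724, "host": "HOST-A", "target": "backup"},
    {"ts": "2019-03-19T02:00:02", "id": 4724, "host": "HOST-A", "target": "operator"},
    {"ts": "2019-03-19T02:00:03", "id": 4724, "host": "HOST-A", "target": "administrator"},
    {"ts": "2019-03-19T02:00:04", "id": 4724, "host": "HOST-A", "target": "svc_sql"},
    # Constructed benign reset: a single helpdesk password change on HOST-C
    {"ts": "2019-03-19T09:15:00", "id": 4724, "host": "HOST-C", "target": "jsmith"},
    # Constructed 5145 events: the same executable written to ADMIN$ on three
    # hosts from one source address inside ten minutes (file name is invented)
    {"ts": "2019-03-19T01:40:00", "id": 5145, "host": "HOST-B", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "path": r"\worker32.exe", "access": "WriteData"},
    {"ts": "2019-03-19T01:44:00", "id": 5145, "host": "HOST-C", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "path": r"\worker32.exe", "access": "WriteData"},
    {"ts": "2019-03-19T01:48:00", "id": 5145, "host": "HOST-D", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "path": r"\worker32.exe", "access": "WriteData"},
    # Constructed benign share activity: a document saved to a departmental
    # share, and a read (not a write) of ADMIN$ that must not count
    {"ts": "2019-03-19T01:45:00", "id": 5145, "host": "HOST-B", "src_ip": "10.0.0.9",
     "share": r"\\*\Finance", "path": r"\q1\report.docx", "access": "WriteData"},
    {"ts": "2019-03-19T01:46:00", "id": 5145, "host": "HOST-E", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "path": r"\worker32.exe", "access": "ReadData"},
]


def max_distinct_in_window(items, window):
    """items: (timestamp, value) pairs.  Returns the largest number of distinct
    values that fall inside any time span of length `window` (sliding window)."""
    items = sorted(items)
    best, lo = 0, 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > window:
            lo += 1
        best = max(best, len({v for _, v in items[lo:hi + 1]}))
    return best


def mass_password_resets(events, threshold=3, window=timedelta(seconds=60)):
    """Hosts on which at least `threshold` distinct accounts had a password
    reset (event 4724) within `window`; the value is the peak distinct count."""
    per_host = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            per_host[e["host"]].append(
                (datetime.fromisoformat(e["ts"]), e["target"].lower()))
    peaks = {h: max_distinct_in_window(items, window) for h, items in per_host.items()}
    return {h: n for h, n in peaks.items() if n >= threshold}


def admin_share_fan_out(events, threshold=3, window=timedelta(minutes=10)):
    """(source IP, file name) pairs written to an administrative share (event
    5145 with write access) on at least `threshold` distinct hosts within `window`."""
    per_key = defaultdict(list)
    for e in events:
        if e["id"] != 5145 or "WriteData" not in e["access"]:
            continue
        if e["share"].upper().rsplit("\\", 1)[-1] not in ADMIN_SHARES:
            continue
        fname = e["path"].rsplit("\\", 1)[-1].lower()
        per_key[(e["src_ip"], fname)].append(
            (datetime.fromisoformat(e["ts"]), e["host"]))
    peaks = {k: max_distinct_in_window(items, window) for k, items in per_key.items()}
    return {k: n for k, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    print("mass password resets:", mass_password_resets(SAMPLE_EVENTS))
    print("admin share fan-out:", admin_share_fan_out(SAMPLE_EVENTS))
```

Both rules key on fan-out rather than on any file hash or name, so a renamed payload still trips them; the benign events in the sample (one reset on HOST-C, a document write to a departmental share, a read of ADMIN$) show what the filters are there to ignore.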

5. It appears designed for targeted attacks.

With no self-propagation and no use of the network, LockerGoga appears to be built for targeted attacks.

The code—at least initially—was digitally signed with valid certificates from at least three organizations. Those certificates have since been revoked, says Trend Micro's Ferguson.

The ransomware also incorporates techniques that have been designed to evade sandboxing and machine learning based detection mechanisms, he says.

"The main process thread for some of LockerGoga's variants, for example, sleeps over 100 times before it executes," Trend Micro said in a blog analyzing the malware.
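The stalling behaviour just described is something a sandbox can score from its own API trace rather than from the binary. As an added example, not from Trend Micro's analysis or from the article, the Python below parses constructed API-trace lines (one call per line in the form `tid=<thread> api=<name> arg=<value>`) and flags a sample whose main thread sleeps repeatedly before it touches any file. The trace format, API set, thread ids and threshold are assumptions made for the example.

```python
"""Sandbox-side heuristic for sleep-loop stalling: count Sleep calls on the
main thread before the first file I/O call.  Trace lines are constructed for
this example; the format and the threshold are assumptions."""
import re

# Assumed trace line format: "tid=<thread id> api=<function> arg=<first argument>"
LINE_RE = re.compile(r"tid=(\d+)\s+api=(\w+)\s+arg=(\S*)")
IO_APIS = {"CreateFileW", "CreateFileA", "ReadFile", "WriteFile", "MoveFileW"}
SLEEP_APIS = {"Sleep", "SleepEx"}


def parse_trace(lines):
    """Return (tid, api, arg) tuples; malformed lines are skipped, not fatal."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            tid, api, arg = m.groups()
            calls.append((int(tid), api, arg))
    return calls


def stalling_profile(lines, main_tid=1, sleep_threshold=100):
    """Count Sleep calls on `main_tid` before its first file I/O call and
    report whether that exceeds `sleep_threshold`.  Other threads are
    ignored so a legitimate worker thread's long sleep does not count."""
    sleeps, slept_ms, reached_io = 0, 0, False
    for tid, api, arg in parse_trace(lines):
        if tid != main_tid:
            continue
        if api in IO_APIS:
            reached_io = True
            break
        if api in SLEEP_APIS:
            sleeps += 1
            slept_ms += int(arg) if arg.isdigit() else 0
    return {
        "sleeps_before_io": sleeps,
        "slept_ms": slept_ms,
        "reached_io": reached_io,
        "stalling": sleeps >= sleep_threshold,
    }


def build_sample_trace(n_sleeps, sleep_ms=100):
    """Constructed trace: main thread sleeps n times, then opens and writes a file."""
    lines = ["tid=1 api=GetCommandLineW arg=",
             "tid=2 api=Sleep arg=5000"]          # worker thread, must be ignored
    lines += [f"tid=1 api=Sleep arg={sleep_ms}"] * n_sleeps
    lines += [r"tid=1 api=CreateFileW arg=C:\Users\victim\report.docx",
              "tid=1 api=WriteFile arg=4096"]
    return lines


if __name__ == "__main__":
    print(stalling_profile(build_sample_trace(120)))
    print(stalling_profile(build_sample_trace(3)))
```

A sample that never reaches file I/O inside the sandbox's time budget is reported with `reached_io` false, which is the case an analyst most wants to see separately: it means the verdict is "did nothing" only because the clock ran out.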

One scenario for which the ransomware appears designed is for when attackers have already gained some level of access within an organization, Ferguson says. An example is where an attacker might have access to the Active Directory infrastructure "and are able to deploy the ransomware in advance, across the affected estate, before triggering the encryption routine," he says.

6. The authors have been trying to pass off LockerGoga as CryptoLocker.

Christopher Elisan, director of intelligence at Flashpoint, says the authors of LockerGoga appear to have gone to some lengths to pass off the malware as a version of the notorious CryptoLocker ransomware. LockerGoga uses Crypto++, an open source crypto library, and newer versions even use "crypto-locker" as the project folder name.

There is also some research showing LockerGoga containing bugs in its code, Elisan adds. "If this is the case, it makes [LockerGoga] more dangerous for victimized organizations because any attempt to decrypt the files even after payment of ransom might not be successful due to buggy encryption."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
michaelmaloney,
User Rank: Apprentice
4/9/2019 | 3:13:41 AM
Different scales
It is essential to know that attacks do not often target finances alone. Sometimes their intention is just to destroy or at least slow down operations. This is basically the reason why we need to stop any potential attacks regardless of their individual scale before they can even hit.
REISEN1955,
User Rank: Ninja
4/1/2019 | 3:43:26 PM
Re: Pending Review
Testing a plan has a real purpose beyond finding out what works and does not work. These are critical of course, but I will guarantee you that making such discoveries at 2:30 AM when nobody is thinking is FAR harder than finding out in the afternoon under a planned environment. I'm not awake at that hour. Nobody is. And when you have real work to do, make sure it is a known variable. Because if it is not tested, then mistakes will happen and a recovery plan can destroy even more material than intended. Or make it impossible even to recover. At 2:30 am I am on a serious coffee burn!!!!
Dr.T,
User Rank: Ninja
3/30/2019 | 2:29:42 PM
Re: Pending Review
"restore NAS's. Kill the power to the building to insure that the on-site generator kicks in and the auto cut-over operates nominally." Yes. Testing the plan is important. Things do not go the way planned.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:28:08 PM
Re: More Definitive Security Required
"fileless attack protection and a full-scale memory defense." It sounds like fileless attacks are becoming common. Good point.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:27:07 PM
Re: Pending Review
"I have said this a thousand times here. HAVE A PLAN, TEST AND UPDATE." That makes sense. Another important thing is to keep it updated.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:25:11 PM
Re: Pending Review
"TEST the plan ensures that staff knows what they ARE doing." This is good advice. If it does not work when you need it, it is too late.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:24:10 PM
Re: Pending Review
Disaster Recovery plan. Business continuity. Your six points do not address this one. BC should play a role in all incidents; most organizations do not have one, unfortunately.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:22:45 PM
AD
"An example is where an attacker might have access to the Active Directory infrastructure." Once you have AD access you can even deploy ransomware to other parts of the network.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:20:25 PM
Copy files
"indicates the actors simply manually copy files from computer to computer." They would need a network interface for that to work.
Dr.T,
User Rank: Ninja
3/30/2019 | 2:18:16 PM
re-imaging
"The goal is to further isolate the affected computer and to complicate recovery, necessitating direct local intervention." This brings up imaging to my mind. Less about recovery, more about re-imaging.