Dark Reading is part of the Informa Tech Division of Informa PLC


6 Things To Know About the Ransomware That Hit Norsk Hydro

In just one week, 'LockerGoga' has cost the Norwegian aluminum maker $40 million as it struggles to recover operations across Europe and North America.

LockerGoga - the malware that recently disrupted operations at Norwegian aluminum company Norsk Hydro - is the latest example of the rapidly changing nature of ransomware attacks.

The March 19 attack impacted critical operations in several of Hydro's business areas across Europe and North America. The attack forced the aluminum maker to resort to manual operations at multiple plants. It crippled production systems belonging to Hydro's Extruded Solution group in particular, resulting in temporary plant closures and operational slowdowns that are still only in the process of being restored.

In two updates this week, Norsk Hydro described the attack as so far costing it about $40 million.

The attack comes amid an overall decline in ransomware campaigns and highlights what security experts say is a shift to more narrowly focused, targeted ransomware intrusions. "Ransomware as a generic threat family is absolutely on the decline," says Rik Ferguson, vice president of security research at Trend Micro.

Ransomware-related events have declined 91% year over year and the number of new ransomware families in the marketplace has declined 32%, he says. "[But] those players still in the game are the more talented ones still seeking to innovate on this technique, to find new victim populations, to gain greater leverage, and to sow greater disruption and reap consequentially larger rewards."

Some examples of groups using ransomware in this manner include Pinchy Spider, the group behind the GandCrab ransomware family; Boss Spider, the authors of SamSam; Indrik Spider the threat actor using BitPaymer; and Grim Spider, the operators of Ryuk. In most cases the newer attacks are notable not necessarily because of how sophisticated the ransomware tools are, but because of how they are being used.

Here's a look at the most notable features and capabilities of LockerGoga:

1. LockerGoga changes passwords.

Security researchers are still not sure how the attackers are initially infecting systems with LockerGoga, though several believe that spear-phishing is the most likely scenario.

Once LockerGoga infects a system, it changes all the local user account passwords to '[email protected]' before attempting to boot local and remote users out of the system, Ferguson says. The password change complicates local intervention processes. It also "affects any system services using local accounts running on servers, sending availability ripples throughout the targeted organization," Ferguson says.

F-Secure, however, described LockerGoga as only changing administrator account passwords to '[email protected]'.
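As an added example (not from the article or from any of the vendors quoted), the kind of detection heuristic a defender might run over Windows Security events to catch the behaviour described above: a burst of Event ID 4724 ("an attempt was made to reset an account's password") from one subject against many local accounts on one host within a short window. The log records, host names and account names are constructed, and the flat record layout is a simplification of the real event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Each is a simplified view of a
# Windows Security event: (time, host, event_id, subject_account, target_account).
# 4724 = password reset attempt; 4738 = user account changed; 4647 = user-initiated logoff.
SAMPLE_EVENTS = [
    ("2019-03-19 09:30:12", "FS02", 4724, "CORP\\helpdesk", "jdoe"),           # routine single reset
    ("2019-03-19 10:00:01", "WS01", 4724, "WS01\\localadmin", "Administrator"),
    ("2019-03-19 10:00:01", "WS01", 4724, "WS01\\localadmin", "Guest"),
    ("2019-03-19 10:00:02", "WS01", 4724, "WS01\\localadmin", "DefaultAccount"),
    ("2019-03-19 10:00:02", "WS01", 4738, "WS01\\localadmin", "Administrator"),
    ("2019-03-19 10:00:03", "WS01", 4724, "WS01\\localadmin", "backupop"),
    ("2019-03-19 10:00:04", "WS01", 4647, "WS01\\jsmith", "-"),
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_password_reset_burst(events, window=timedelta(minutes=2), threshold=3):
    """Return [(host, subject, sorted distinct targets)] for every (host, subject)
    pair that reset at least `threshold` distinct accounts within `window`.

    Only 4724 records are considered; other event IDs are ignored. A sliding
    window over the actor's sorted resets decides whether a burst occurred, and
    a flagged actor is reported once, with every account it touched.
    """
    by_actor = defaultdict(list)
    for ts, host, event_id, subject, target in events:
        if event_id == 4724:
            by_actor[(host, subject)].append((parse_time(ts), target))

    alerts = []
    for (host, subject), resets in by_actor.items():
        resets.sort()
        start = 0
        burst = False
        for end in range(len(resets)):
            # Slide the window start forward until it fits within `window`.
            while resets[end][0] - resets[start][0] > window:
                start += 1
            if len({t for _, t in resets[start:end + 1]}) >= threshold:
                burst = True
                break
        if burst:
            alerts.append((host, subject, sorted({t for _, t in resets})))
    return alerts
```

A single helpdesk reset on FS02 stays below the threshold, while the four resets on WS01 within a few seconds produce one alert naming every affected account.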

2. It forcibly logs victims out of infected systems.

Early versions of LockerGoga merely encrypted files and other data on infected systems and presented victims with a note demanding a ransom in exchange for the decryption keys. Newer versions of the malware have included a capability to forcibly log the victim out of an infected system and remove their ability to log back in as well.

"The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands," Cisco Talos noted in a blog. This capability makes newer versions of LockerGoga destructive in nature, the vendor said.

3. It has no use for the network.

Unlike some other ransomware families, LockerGoga does not rely on the network for command and communications, nor to generate encryption keys. "In fact, LockerGoga disdains the network to such an extent that it also attempts to locally disable all network interfaces," Ferguson says. The goal is "to further isolate the affected computer and to complicate recovery, necessitating direct local intervention."

4. It doesn't self-propagate (yet).

LockerGoga has no obvious worm-like capabilities for self-propagation since it does not rely on the network. Security researchers from Palo Alto Networks' Unit 42 group said they have observed LockerGoga moving around a compromised network via the Server Message Block (SMB) protocol. That "indicates the actors simply manually copy files from computer to computer," the vendor said in a blog Tuesday.

However, recent additions and updates to the malware since it first surfaced in January suggest that the authors may be enabling a network capability. As an example, the security vendor pointed to the addition of WS2_32.dll processes for handling network connections and the use of undocumented Windows API calls.

The additions suggest "the developers are building in [a] network capability for the ransomware which could be used for Command and Control, or network self-propagation capabilities," says Ryan Olson, vice president of threat intelligence at Unit 42 at Palo Alto Networks.

The use of the undocumented Windows APIs demonstrates a relatively high degree of technical sophistication and familiarity with Windows internals, he says. "The capabilities that we see for possible C2 or network self-propagation could make this a more dangerous kind of ransomware in the future," Olson notes.

5. It appears designed for targeted attacks.

With no self-propagation or use of the network, LockerGoga appears to be built for targeted attacks.

The code—at least initially—was digitally signed with valid certificates from at least three organizations. Those certificates have since been revoked, says Trend Micro's Ferguson.

The ransomware also incorporates techniques that have been designed to evade sandboxing and machine learning based detection mechanisms, he says.

"The main process thread for some of LockerGoga's variants, for example, sleeps over 100 times before it executes," Trend Micro said in a blog analyzing the malware.

One scenario for which the ransomware appears designed is for when attackers have already gained some level of access within an organization, Ferguson says. An example is where an attacker might have access to the Active Directory infrastructure "and are able to deploy the ransomware in advance, across the affected estate, before triggering the encryption routine," he says.

6. The authors have been trying to pass off LockerGoga as CryptoLocker.

Christopher Elisan, director of intelligence at Flashpoint, says the authors of LockerGoga appear to have gone to some lengths to pass off the malware as a version of the notorious CryptoLocker ransomware. LockerGoga uses Crypto++, an open source crypto library, and newer versions even use "crypto-locker" as the project folder name.

There is also some research showing LockerGoga containing bugs in its code, Elisan adds. "If this is the case, it makes [LockerGoga] more dangerous for victimized organizations because any attempt to decrypt the files even after payment of ransom might not be successful due to buggy encryption."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
3/30/2019 | 2:27:07 PM
Re: Pending Review
I have said this a thousand times here. HAVE A PLAN, TEST AND UPDATE. That makes sense. Another important point is to keep it updated.
User Rank: Ninja
3/30/2019 | 2:28:08 PM
Re: More Definitive Security Required
fileless attack protection and a full-scale memory defense. It sounds like fileless attacks are becoming common. Good point.
User Rank: Ninja
3/30/2019 | 2:29:42 PM
Re: Pending Review
restore NAS's Kill the power to the building to insure that the on-site generator kicks in and the auto cut-over operates nominally. Yes. Testing the plan is important. Things do not go the way planned.
User Rank: Ninja
4/1/2019 | 3:43:26 PM
Re: Pending Review
Testing a plan has a real purpose beyond finding out what works and does not work. These are critical of course, but I will guarantee you that making such discoveries at 2:30 AM when nobody is thinking is FAR harder than finding out in the afternoon under a planned environment. I'm not awake at that hour. Nobody is. And when you have real work to do, make sure it is a known variable. Because if it is not tested, then mistakes will happen and a recovery plan can destroy even more material than intended. Or make it impossible even to recover. At 2:30 am I am on a serious coffee burn!!!!
User Rank: Apprentice
4/9/2019 | 3:13:41 AM
Different scales
It is essential to know that attacks do not often target finances alone. Sometimes their intention is just to destroy or at least slow down operations. This is basically the reason why we need to stop any potential attacks regardless of their individual scale before they can even hit.