Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

6 Things To Know About the Ransomware That Hit Norsk Hydro

In just one week, 'LockerGoga' has cost the Norwegian aluminum maker $40 million as it struggles to recover operations across Europe and North America.

LockerGoga - the malware that recently disrupted operations at Norwegian aluminum company Norsk Hydro - is the latest example of the rapidly changing nature of ransomware attacks.

The March 19 attack impacted critical operations in several of Hydro's business areas across Europe and North America. The attack forced the aluminum maker to resort to manual operations at multiple plants. It crippled production systems belonging to Hydro's Extruded Solution group in particular, resulting in temporary plant closures and operational slowdowns that are still getting only in the process of getting restored.

In two updates this week, Norsk Hydro described the attack as so far costing it about $40 million.

The attack comes amid an overall decline in ransomware campaigns and highlights what security experts say is a shift to more narrowly focused, targeted ransomware intrusions. "Ransomware as a generic threat family is absolutely on the decline," says Rik Ferguson, vice president security research at Trend Micro.

Ransomware-related events have declined 91% year over year and the number of new ransomware families in the marketplace has declines 32%, he says."[But] those players still in the game are the more talented ones still seeking to innovate on this technique, to find new victim populations, to gain greater leverage, and to sow greater disruption and reap consequentially larger rewards."

Some examples of groups using ransomware in this manner include Pinchy Spider, the group behind the GandCrab ransomware family; Boss Spider, the authors of SamSam; Indrik Spider the threat actor using BitPaymer; and Grim Spider, the operators of Ryuk. In most cases the newer attacks are notable not necessarily because of how sophisticated the ransomware tools are, but because of how they are being used.

Here's a look at the most notable features and capabilities of LockerGoga:

1. LockerGoga changes passwords.

Security researchers are still not sure how the attackers are initially infecting systems with LockerGoga, though several believe that spear-phishing is the most likely scenario.

Once LockerGoga infects a system, it changes all the local user account passwords to '[email protected]' before attempting to boot local and remote users out of the system, Ferguson says. The password change complicates local intervention processes. It also "affects any system services using local accounts running on servers, sending availability ripples throughout the targeted organization," Ferguson says.

F-Secure, however, described LockerGoga as only changing administrator account passwords to '[email protected]'.

2. It forcibly logs victims out of infected systems.

Early versions of LockerGoga merely encrypted files and other data on infected systems and presented victims with a note demanding a ransom in exchange for the decryption keys. Newer versions of the malware have included a capability to forcibly log the victim out of an infected system and remove their ability to log back in as well.

"The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands," Cisco Talos noted in a blog. This capability makes newer versions of LockerGoga destructive in nature, the vendor said.

3. It has no use for the network.

Unlike some other ransomware families, LockerGoga does not rely on the network for command and communications, nor to generate encryption keys. "In fact, LockerGoga disdains the network to such an extent that it also attempts to locally disable all network interfaces," Ferguson says. The goal is "to further isolate the affected computer and to complicate recovery, necessitating direct local intervention."

4. It doesn't self-propagate (yet).

LockerGoga has no obvious worm-like capabilities for self-propagation since it does not rely on the network. Security researchers from Palo Alto Networks' Unit 42 group said they have observed LockerGoga moving around a compromised network via the server message protocol (SMB). That "indicates the actors simply manually copy files from computer to computer," the vendor said in a blog Tuesday.

However, recent additions and updates to the malware since it first surfaced in January suggest that the authors may be enabling a network capability. As an example, the security vendor pointed to the addition of WS2_32.dll processes for handling network connections and the use of undocumented Windows API calls.

The additions suggest "the developers are building in [a] network capability for the ransomware which could be used for Command and Control, or network self-propagation capabilities," says Ryan Olson, vice president of threat intelligence at Unit 42 at Palo Alto Networks.

The use of the undocumented Windows APIs demonstrates a relatively high degree of technical sophistication and familiarity with Windows internals, he says. "The capabilities that we see for possible C2 or network self-propagation could make this a more dangerous kind of ransomware in the future," Olson notes.

5. It appears designed for targeted attacks.

With no self-propagation or use of the network, LockerGoga appears to built for targeted attacks.

The code—at least initially—was digitally signed with valid certificates from at least three organizations. Those certificates have since been revoked, says Trend Micro's Ferguson.

The ransomware also incorporates techniques that have been designed to evade sandboxing and machine learning based detection mechanisms, he says.

"The main process thread for some of LockerGoga's variants, for example, sleeps over 100 times before it executes," Trend Micro said in a blog analyzing the malware.

One scenario for which the ransomware appears designed is for when attackers have already gained some level of access within an organization, Ferguson says. An example is where an attacker might have access to the Active Directory infrastructure "and are able to deploy the ransomware in advance, across the affected estate, before triggering the encryption routine," he says.

6. The authors have been trying to pass off LockerGoga as CryptoLocker.

Christopher Elisan, director of intelligence at Flashpoint, says the authors of LockerGoga appear to have gone to some lengths to pass off the malware as a version of the notorious CryptoLocker ransomware. LockerGoga uses Crypto++, an open source crypto library and newer versions even use "crypto-locker" as the project folder name.

There is also some research showing LockerGoga containing bugs in its code, Elisan adds. "If this is the case, it makes [LockerGoga] more dangerous for victimized organizations because any attempt to decrypt the files even after payment of ransom might not be successful due to buggy encryption."

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
3/30/2019 | 2:16:34 PM
"The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands," Interesting. What would be the purpose of attach in that case I wonder.
User Rank: Ninja
3/30/2019 | 2:14:13 PM
Ransomware-related events have declined 91% year over year and the number of new ransomware families in the marketplace has declines 32%, Some good news. May be we are becoming more carefull clicking the links anymore.
User Rank: Apprentice
3/28/2019 | 4:56:38 PM
Re: Pending Review
Second the off-site backup. Datto Box (cloud) might be one place to start. We do a "fire drill" every year - stress test UPS's, Restore servers from the cloud, restore desktops, restore NAS's Kill the power to the building to insure that the on-site generator kicks in and the auto cut-over operates nominally.

Desktops are backed up concurrently with timestamped histories

Same with servers.

It all goes out to the cloud.

We're a tiny little outfit. Others should try and do at least these things. Especially larger organizations.

I hope you all land on your feed at the firm. Good luck.
User Rank: Apprentice
3/28/2019 | 2:31:10 PM
More Definitive Security Required
Additionally, for critical industrial infrastructure we are finding success with a more effective application process and filesystem monitoring in conjunction with fileless attack protection and a full-scale memory defense.  
User Rank: Ninja
3/28/2019 | 9:00:48 AM
Re: Pending Review
Disaster Recovery plan.  Business continuity.  Your six points do not address this one.  After September 11, and I am a survivor of the south tower so I know something of the subject, my manager became a certified expert in this area.  It is crucial that IT departments have a plan, test it and update it every six months.  It is crucial to have offsite, rotating backup media.  It is crucial to consider that at 2:30 am working on a data center restoration is a mental nightmare.  TEST the plan ensures that staff knows what they ARE doing.  Our data tapes for Aon went offsite on September 10 and thus we had our portion of the network up FAR faster than Risk services.  They were months recovering data.  Now the destruct of a data center is AS bad as ransomware if not worse if not addressed.  So once again plans gone bad and rebuild of everything seems the only process known.  I have said this a thousand times here. HAVE A PLAN, TEST AND UPDATE. 
<<   <   Page 2 / 2
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component &quot; /admin.php?action=page.&quot;
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component &quot; /admin.php?action=images.&quot;
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.