Home » Security Bloggers Network » Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro

Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro

It has been reported today that Norsk Hydro either switched to manual mode or temporarily stopped aluminum production at several plants following a cyberattack. The Norwegian National Security Authority and local media in Norway describe the incident as a ransomware attack by a malware called LockerGoga. The attack has apparently brought the company’s IT systems to a standstill.

Given the significance of this attack, Nozomi Networks Labs has conducted a preliminary evaluation of LockerGoga. Read on to learn about this ransomware and our research team’s assessment of it.

Norsk Hydro is one of the world’s largest aluminum producers. Some of its facilities have been impacted by a ransomware attack, which caused outages or a switch to manual control systems. Image courtesy of Norsk Hydro.

Ransomware Attack Impacts Aluminum Production

According to media reports, the malware attack began on the evening of Monday, March 18^th, Oslo time (UTC + 1). On March 19^th, the company’s website was not available and production impacts had been reported:

• Potlines, which monitor molten aluminum, and need to be kept running 24 hours a day, had been switched to manual mode
• Some factories have been forced to halt production
• Several metal extrusion plants have been closed
• At certain facilities, some computer systems are unavailable, and printed orders are being fulfilled
• Power plants are functioning normally
• No safety-related incidents have been reported

 What is the LockerGoga Ransomware?

Nozomi Networks Labs has conducted a preliminary analysis of a LockerGoga sample with the SHA256:

The ransomware can encrypt files with any of the specific extensions listed below:

The extension types indicate that the main goal of the threat actor is to encrypt files containing important data for users. In fact, at the end of the encryption phrase, a file called README-NOW.txt is dropped inside the filesystem containing the following message:

Greetings!

There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore the data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.
will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

To get information on the price of the decoder contact us at:
AbbsChevis@protonmail.com
IjuqodiSunovib98@o2.pl
The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security

The LockerGoga malware encrypts many file types and presents its ransom demands in the READ.ME file shown above.

The message states that in order to get the files back, the user is forced to pay a ransom using the cryptocurrency Bitcoin. 

How does LockerGoga Work?

The malware encrypts files with the targeted extensions and then drops the ransom note in the filesystem, informing users about the steps required to get the files back. This is a classic approach used by most ransomware malware.

The malware does not have the capability to spread to other targets, but it does appear to use some anti-analysis techniques to avoid detection by security analysts. For example, it seems to detect the presence of a Virtual Machine and has the capability to delete itself from the filesystem in an effort to avoid sample collection.

Because the threat actors did not add any custom or complex capabilities to the malware code (C&C, DNS beaconing, etc.), we can assume that its intended impact is disruption, rather than espionage.

Some researchers have suggested that the attackers may have used Active Directory as a mechanism for spreading the malware. A possible scenario (confirmed by NorCERT):

• The threat actors were able to infect a system that was registered in the Domain Admin Group of the target organization
• The malicious executable was placed in the Netlogon directory so that it could be automatically propagated to every Domain Controller
• Many firewalls accept Active Directory information by default

The Nozomi Networks Labs research team is continuing to investigate LockerGoga. We anticipate providing more information in the near future.

How to do you know if you’re infected with LockerGoga? How do you get rid of it?

You can identify an infection because the targeted files will be encrypted and the file extension “.locked “ will be appended at the end of the filenames. 

Currently, the only known way to remove LockerGoga from your system is to restore from backup.

For Nozomi Networks customers, an update to our OT ThreatFeed, available in the next 12 – 24 hours, will include the capability to detect the malware.

Norsk Hydro Utilizes Innovative Communications Outreach as Part of Incident Response

Unlike many companies who didn’t revealed that they were subject to a cyberattack for an extended period of time, Norsk Hydro has taken a completely different approach. They quickly created a live stream briefing on the attack and are providing regular updates on their Facebook channel. 

Attacks on Industrial Systems Are Reality, Not Fantasy 

The attack on Norsk Hydro is just the latest to hit the industrial sector, carrying the potential for a significant financial impact. Other examples include:

• In 2012, a malware attack cost Saudi Aramco approximately $1 billion in recovery efforts and required replacement of 35,000 damaged computers.
• The 2017, the NotPetya attack resulted in $10 billion in damages to supply chain companies worldwide, according to the White House. For example, costs to the pharmaceutical company Merck were pegged at $870 million. 

To minimize the chance that your system will be impacted by LockerGoga, we suggest:

• Communicating with employees about ways to recognize a phishing email, and what to do if they think they received one
• Ensuring systems have current back-ups
• Monitoring your systems with solutions that rapidly identify malware, indicators of compromise and behavioral anomalies

I urge you to stay tuned for further updates on LockerGoga. Subscribing to Nozomi Networks Labs notifications, via the link below, will ensure that you receive updates on this and other important Nozomi Networks Labs research.

Related Links

• BBC.com: Huge aluminium plants hit by ransomware attack
• Bloomberg.com: Big Norwegian Aluminum Producer Suffers Extensive Cyber Attack
• Reuters.com: Aluminum maker Hydro battles to contain ransomware attack
• Bleepingcomputer.com: New LockerGoga Ransomware Allegedly Used in Altran Attack
• PCrisk.com: LockerGoga ransomware removal instructions
• Webpage: Nozomi Networks Labs
• Webpage: OT ThreatFeed