Expert Blog

Ransomware 'LockerGoga' wreaks havoc on Norway's Norsk Hydro

LockerGoga hits one of the world’s largest aluminum producers

Aluminum giant Norsk Hydro has been hit by an attack that appears to have distributed ransomware to endpoints by using the company's own Active Directory services against it.

Oslo-based Hydro, which is Norway's second-largest employer, says the attack began Monday at a U.S. plant and spread to some of the other facilities it operates across 50 countries before being contained.

What Norsk Hydro had to say about LockerGoga:

"IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible".

“Yesterday was a hectic day for all of us and there was considerable uncertainty throughout our global organisation about how this malware could impact our people, business and customers,” Norsk Hydro’s chief financial officer, Eivind Kallevik, told a news conference in Oslo.

Talking about cyber Insurance, they said that “good and strong” cyber insurance policies are  in place with “reputable international insurance firms” that covered business interruptions.

Let's take a deeper look into this newly discovered strain of ransomware.

What is LockerGoga?

LockerGoga is highly evasive and sophisticated ransomware. It appears to detect the presence of a virtual machine environment of a sandbox, which most security vendors have in place for detecting zero-day anomalies. LockerGoga is an advanced type of ransomware as it has the capability to delete itself from the filesystem, in that way trying to avoid sample collection.

Furthermore, due to the absence of custom and complex capabilities such as command and control servers and beaconing, it stays dormant during the detection phase.

LockerGoga’s code is digitally signed using various valid certificates — Alisa Ltd., Kitty’s Ltd., and Mikl Limited.

Using a valid code signer certificate, the system could let the ransomware in  because most endpoint protection systems would let pass such a PE file. These certificates have since been revoked.

LockerGoga doesn’t send out any network traffic, which enables it to sidestep network-based defences.

LockerGoga also has routines that can evade sandboxes and virtual machines (VMs). The main process thread for some of LockerGoga’s variants, for example, sleeps over 100 times before it executes. This is a technique used by various ransomware families and other threats, such as those used in targeted attacks. There are also some variants of LockerGoga that evade machine learning-based detection engines. Verification of these anti-sandbox and anti-machine learning capabilities in particular variants is still underway at various security vendors and threat hunting research teams.

How does LockerGoga work?

LockerGoga’s encryption process is instance-based. This means that the ransomware spawns one process for each file that it encrypts.

Some variants, however, encrypt more than one file per spawned process. LockerGoga encrypts documents and PDFs, spreadsheets and PowerPoint files, database files, and videos, as well as JavaScript and Python files.

Here are some of the file extensions that LockerGoga targets to encrypt: .doc, .dot, .docx, .docb, .dotx, .wkb, .xlm, .xml, .xls, .xlsx, .xlt, .xltx, .xlsb, .xlw, .ppt, .pps, .pot, .ppsx, .pptx, .posx, .potx, .sldx, .pdf, .db, .sql, .cs, .ts, .js, .py.

Some of the variants of LockerGoga have certain parameters that include, but are not limited to: Encrypting a specific file, erasing a file, and even encryption of all file types.

LockerGoga Ransomware .txt note and bitcoin payment request

At the end of the encryption phase, a file called README-NOW.txt is dropped inside the filesystem. The text informs recipients that their data has been encrypted. The message claims that a special decoder is required to restore the data and warns that any attempts to use third-party software to do so will lead to “irreversible destruction” of the data. The message goes on to provide links for the ransomware victims to use to find out how much they are required to pay in bitcoin for the decryption tool.

 LockerGoga ransom note

Only 25 security out of 69 vendors deemed LockerGoga as 'malicious'

Key highlights from VirusTotal's dashboard and what it had to say after 19 hours of the first reported sample of LockerGoga, shows that out of the 69 submitted samples only 25 security vendors deemed it as ‘malicious’.

 LockerGoga Ransomware VirustotalOnly 1 certificate authority had revoked the code signer certificate used to digitally sign the PE file.

You can view file the above on VirusTotal its website.

How to prevent LockerGoga ransomware from hitting you?

While 100% prevention is yet to be achieved, you can however start today by fortifying your defences with the basic security hygiene:

Keep the systems updated and back-up your files regularly

Keep systems and applications updated. Attackers target them and use it as a backdoor into your ecosystem.

Enforce a Zero Digital Trust framework

Embrace and implement the principle of least access. You can read more about this in a blog I posted last week about establishing the Zero Trust Framework.

Security is a necessity and not a luxury

Enforce a unified and cohesive security framework at all levels and not only at the perimeter.

Security Awareness

Train yourself and employees about cyber security best practices. It's important to communicate to employees how LockerGoga works and that they need to be cautious.

We at Infradata can help you with our cyber security assessment, where we give many  industry vertical examples to learn from.  Throughout our Cyber Security services and solutions, our cyber security experts employ tried and tested techniques, industry best practices and the best of commercial and proprietary technologies to identify, monitor, and analyze information-related vulnerabilities effectively, and to help determine methods to manage or resolve data security risks. 

Kunal Biswas - March 21 2019

Share this page:

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here.