By Allan Liska on March 20, 2019
Norwegian aluminum company Norsk Hydro was hit by a ransomware attack on Tuesday, March 19, 2019. According to the Norwegian National Security Authority (NSM), the attackers used LockerGoga, a relatively new strain of ransomware first discovered in January.
According to Reuters, the attack was severe enough to disrupt parts of production at Norsk Hydro. On Tuesday morning, employees were prevented from logging into the network for fear of spreading the ransomware, while the IT staff was attempting cleanup.
Findings from Recorded Future’s Insikt Group indicate that the first known outbreak of LockerGoga was in late January of this year, when it was used against Altran, a French engineering consultancy. During this first campaign, the LockerGoga malicious binary was digitally signed by a previously unknown code signing authority, MIKL LIMITED. The trust for this certificate was revoked following the Altran attack. The new samples relating to the Norsk Hydro attack appear to be signed by ALISA LTD — again, a relatively unknown entity. Trust for this certificate has also now been revoked.
The LockerGoga ransomware itself is not very sophisticated, according to analysis published by Bleeping Computer. Deployment of the ransomware is manual, with the attackers behind LockerGoga most likely using Active Directory to spread the ransomware. Initial infection into Norsk Hydro is suspected to be via a phishing campaign, but that has not been confirmed as of this writing. At this time there is no decryption tool for LockerGoga. The cure for LockerGoga at this point appears to be good protection against phishing attacks, and keeping antivirus and other endpoint protections up to date.
Once inside a target network, the team behind LockerGoga is using techniques similar to the attackers behind Ryuk, CrySIS, SamSam, and other recent successful ransomware campaigns: deploying the ransomware in multiple places on the target network to disrupt operations, cause the most damage, and force the targeted organization to pay the ransom — although the skillset of the LockerGoga team seems to be more shallow than similar teams.
However, the team at Norsk Hydro has stated they will not pay the ransom; instead, they are restoring systems from backup.
These types of disruptive attacks are becoming more common, with the most famous one being the SamSam attack on Atlanta last year. Recent attacks on the Boston Public Defender’s Office, Orange County in North Carolina, and shipping company COSCO have all had a disruptive effect on services.
There are a million reasons not to pay the ransom in these types of attacks. Paying the ransom only helps the criminals to produce better malware, and like a bad romance, it may encourage them (or other attackers) to strike a target again, knowing that they are likely to pay the ransom. This happened with the Colorado Department of Transportation in 2018.
The costs to restore dozens or hundreds of systems are enormous, however, and that doesn’t take into account all of the associated incident response costs. From a cost perspective, it may make more sense to pay the ransom. One word of caution with regard to LockerGoga: this particular ransomware also encrypts DLL files. There have been cases with other ransomware families where trying to decrypt systems that contain encrypted DLL files fails. This means organizations have paid the ransom and still didn’t have access to their files.
Click here to download the associated indicators of compromise.
Click here to download the associated Yara rules.