In just one week, ‘LockerGoga’ has cost the Norwegian aluminum maker $40 million as it struggles to recover operations across Europe and North America.
The March 19 attack impacted critical operations in several of Hydro’s business areas across Europe and North America. The attack forced the aluminum maker to resort to manual operations at multiple plants. It crippled production systems belonging to Hydro’s Extruded Solution group, in particular, resulting in temporary plant closures and operational slowdowns that are still getting only in the process of getting restored.
In two updates this week, Norsk Hydro described the attack as so far costing it about $40 million.
The attack comes amid an overall decline in ransomware campaigns and highlights what security experts say is a shift to more narrowly focused, targeted ransomware intrusions. “Ransomware as a generic threat family is absolutely on the decline,” says Rik Ferguson, vice president security research at Trend Micro.
Ransomware-related events have declined 91% year over year and the number of new ransomware families in the marketplace has declined 32%, he says.”[But] those players still in the game are the more talented ones still seeking to innovate on this technique, to find new victim populations, to gain greater leverage, and to show greater disruption and reap consequentially larger rewards.”
Some examples of groups using ransomware in this manner include Pinchy Spider, the group behind the GandCrab ransomware family; Boss Spider, the authors of SamSam; Indrik Spider the threat actor using BitPaymer; and Grim Spider, the operators of Ryuk. In most cases the newer attacks are notable not necessarily because of how sophisticated the ransomware tools are, but because of how they are being used.
Here’s a look at the most notable features and capabilities of LockerGoga:
1. LockerGoga changes passwords.
Security researchers are still not sure how the attackers are initially infecting systems with LockerGoga, though several believe that spear-phishing is the most likely scenario.
Once LockerGoga infects a system, it changes all the local user account passwords to ‘[email protected]‘ before attempting to boot local and remote users out of the system, Ferguson says. The password change complicates local intervention processes. It also “affects any system services using local accounts running on servers, sending availability ripples throughout the targeted organization,” Ferguson says.
2. It forcibly logs victims out of infected systems.
Early versions of LockerGoga merely encrypted files and other data on infected systems and presented victims with a note demanding a ransom in exchange for the decryption keys. Newer versions of the malware have included a capability to forcibly log the victim out of an infected system and remove their ability to log back in as well.
“The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands,” Cisco Talos noted in a blog. This capability makes newer versions of LockerGoga destructive in nature, the vendor said.
3. It has no use for the network.
Unlike some other ransomware families, LockerGoga does not rely on the network for command and communications, nor to generate encryption keys. “In fact, LockerGoga disdains the network to such an extent that it also attempts to locally disable all network interfaces,” Ferguson says. The goal is “to further isolate the affected computer and to complicate recovery, necessitating direct local intervention.”
4. It doesn’t self-propagate (yet).
LockerGoga has no obvious worm-like capabilities for self-propagation since it does not rely on the network. Security researchers from Palo Alto Networks’ Unit 42 group said they have observed LockerGoga moving around a compromised network via the server message protocol (SMB). That “indicates the actors simply manually copy files from computer to computer,” the vendor said in a blog Tuesday.
However, recent additions and updates to the malware since it first surfaced in January suggest that the authors may be enabling a network capability. As an example, the security vendor pointed to the addition of WS2_32.dll processes for handling network connections and the use of undocumented Windows API calls.
The additions suggest “the developers are building in [a] network capability for the ransomware which could be used for Command and Control, or network self-propagation capabilities,” says Ryan Olson, vice president of threat intelligence at Unit 42 at Palo Alto Networks.
The use of the undocumented Windows APIs demonstrates a relatively high degree of technical sophistication and familiarity with Windows internals, he says. “The capabilities that we see for possible C2 or network self-propagation could make this a more dangerous kind of ransomware in the future,” Olson notes.
5. It appears designed for targeted attacks.
With no self-propagation or use of the network, LockerGoga appears to built for targeted attacks.
The code—at least initially—was digitally signed with valid certificates from at least three organizations. Those certificates have since been revoked, says Trend Micro’s Ferguson.
The ransomware also incorporates techniques that have been designed to evade sandboxing and machine learning based detection mechanisms, he says.
“The main process thread for some of LockerGoga’s variants, for example, sleeps over 100 times before it executes,” Trend Micro said in a blog analyzing the malware.
One scenario for which the ransomware appears designed is for when attackers have already gained some level of access within an organization, Ferguson says. An example is where an attacker might have access to the Active Directory infrastructure “and are able to deploy the ransomware in advance, across the affected estate, before triggering the encryption routine,” he says.
6. The authors have been trying to pass off LockerGoga as CryptoLocker.
Christopher Elisan, director of intelligence at Flashpoint, says the authors of LockerGoga appear to have gone to some lengths to pass off the malware as a version of the notorious CryptoLocker ransomware. LockerGoga uses Crypto++, an open source crypto library and newer versions even use “crypto-locker” as the project folder name.
There is also some research showing LockerGoga containing bugs in its code, Elisan adds. “If this is the case, it makes [LockerGoga] more dangerous for victimized organizations because any attempt to decrypt the files even after payment of ransom might not be successful due to buggy encryption.”