Norwegian aluminum producer Norsk Hydro has confirmed it was hit by the LockerGoga ransomware variant on Monday evening and had to shut down some of its plants as a result.
At the time the Norwegian National Security Authority (NSM) declined to comment on what type of attack it was but told Reuters: "We are helping Norsk Hydro with the handling of the situation, and sharing this information with other sectors in Norway and with our international partners."
Nozomi Networks Labs has carried out an analysis into the LockerGoga ransomware, which aims to explain how the malware works and how victims can tell they are infected.
Below is an edited summary of its findings:
LockerGoga is a ransomware strain able to encrypt files having any of the specific extensions listed below:
doc, dot, wbk, docx, dotx, docb, xlm, xlsx, xltx, xlsb, xlw, ppt, pot, pps, pptx, potx, ppsx, sldx, pdf
The extension types are an indicator that the main goal of the threat actor is to encrypt files containing important data for the users. In fact, at the end of the encryption phase a file called README-NOW.txt is dropped inside the filesystem containing the following message:
- There was a significant flaw in the security system of your company.
- You should be thankful that the flaw was exploited by serious people and not some rookies.
- They would have damaged all of your data by mistake or for fun.
- Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
- Without our special decoder it is impossible to restore the data.
- Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.
- will lead to irreversible destruction of your data.
- To confirm our honest intentions.
- Send us 2-3 different random files and you will get them decrypted.
- It can be from different computers on your network to be sure that our decoder decrypts everything.
- Sample files we unlock for free (files should not be related to any kind of backups).
- We exclusively have decryption software for your situation
- DO NOT RESET OR SHUTDOWN - files may be damaged.
- DO NOT RENAME the encrypted files.
- DO NOT MOVE the encrypted files.
- This may lead to the impossibility of recovery of the certain files.
- To get information on the price of the decoder contact us at:
- The payment has to be made in Bitcoins.
- The final price depends on how fast you contact us.
- As soon as we receive the payment you will get the decryption tool and
- instructions on how to improve your systems security
The message says the user must pay a ransom using Bitcoin cryptocurrency to get their files back.
How does it work?
The malware encrypts the files with the targeted extensions and soon after drops the ransom note inside the filesystem, providing the user with the steps he/she must take in order to get the files back. It follows the classic approach present in most ransomware.
The malware is not able to spread itself to other targets. It seems to implement some anti-analysis techniques to hide itself from analysts; for example, it seems to detect the presence of a virtual machine, and it has the ability to delete itself from the filesystem in an attempt to prevent sample collection.
Considering the fact that the attackers were not interested in adding custom and complex capabilities (C&C, DNS beaconing, etc.) it is assumed the scope was merely disruptive and did not have an espionage intent.
Some researchers suggested (Nozomi Networks Labs says it has not confirmed this) that the attackers could have used Active Directory as a mechanism for spreading the malware. In this possible scenario, an attacker who had already infected a targeted system registered in the Domain Admins group could have placed the malicious executable in the Netlogon directory, from where it would be automatically propagated to every Domain Controller (many firewalls accept Active Directory traffic by default). NorCERT confirmed this.
How do you know if you’re infected with it?
The targeted files will be encrypted and the extension .locked will be appended at the end of the filenames.
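The two on-disk indicators the analysis names (the appended .locked suffix and the README-NOW.txt note) can be turned into a simple triage check. The following script is an added example, not Nozomi's code or part of the original article; the sample paths it carries are constructed, and the "targeted" classification relies solely on the extension list quoted above.

```python
"""Triage helper: flag LockerGoga-style indicators (.locked suffix, README-NOW.txt note)."""
import os

# Extensions the Nozomi analysis lists as LockerGoga's targets.
TARGETED_EXTENSIONS = {
    "doc", "dot", "wbk", "docx", "dotx", "docb", "xlm", "xlsx", "xltx", "xlsb",
    "xlw", "ppt", "pot", "pps", "pptx", "potx", "ppsx", "sldx", "pdf",
}
LOCKED_SUFFIX = ".locked"       # appended to the original filename, e.g. budget.xlsx.locked
RANSOM_NOTE = "readme-now.txt"  # dropped after encryption; matched case-insensitively

# Constructed sample paths (not taken from any real incident) for offline use.
CONSTRUCTED_SAMPLE = [
    "C:/Users/alice/Desktop/budget.xlsx.locked", "C:/Users/alice/Desktop/README-NOW.txt",
    "C:/Users/alice/notes.txt.locked", "C:/Users/alice/photo.jpg",
]

def classify_path(path):
    """Return 'ransom_note', 'locked_targeted', 'locked_other' or None for one path."""
    lower = os.path.basename(path).lower()
    if lower == RANSOM_NOTE:
        return "ransom_note"
    if not lower.endswith(LOCKED_SUFFIX):
        return None
    # Strip ".locked" and inspect the original extension ("budget.xlsx" -> "xlsx").
    original = lower[: -len(LOCKED_SUFFIX)]
    _, dot, ext = original.rpartition(".")
    if dot and ext in TARGETED_EXTENSIONS:
        return "locked_targeted"
    return "locked_other"  # .locked but not one of the documented target types

def triage_paths(paths):
    """Group an iterable of file paths by indicator type; paths with no hit are dropped."""
    hits = {"ransom_note": [], "locked_targeted": [], "locked_other": []}
    for p in paths:
        kind = classify_path(p)
        if kind:
            hits[kind].append(p)
    return hits

def looks_infected(hits):
    """Conservative verdict: a ransom note AND at least one .locked file of a targeted type."""
    return bool(hits["ransom_note"]) and bool(hits["locked_targeted"])

def triage_tree(root):
    """Walk a directory tree and triage every file under it (read-only; nothing is modified)."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage_paths(paths)
```

Run `triage_tree()` against a share or user profile during response; `looks_infected()` deliberately requires both indicators so a stray .locked file alone does not trigger a verdict.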
Nozomi describes the Hydro incident as a great lesson from an incident response perspective: Norsk Hydro held a live stream with a briefing on the attack and is keeping everyone informed via its Facebook channel.
Nozomi notes that some of the technical info reported above has been extracted via Nozomi Networks Labs' preliminary analysis of the sample with the SHA256:
Ray Walsh, digital privacy expert at BestVPN.com emailed SC Media UK to comment: "The surge in the price of aluminum since the cyber-attack on the Norwegian producer Norsk Hydro is a stark reminder of the possible ramifications of targeted cyber-attacks. Anytime that a large firm has a strong direct influence on the production of a material, it is possible that a large attack of this nature could disrupt distribution levels and therefore affect prices.
"For the time being, it is impossible to say who carried out this attack. However, considering that the world's largest producers of Aluminium are Chinese, there is the possibility that this was a Chinese-led cyber-attack designed to force the price of the commodity up. This is definitely the kind of cyber-attack that we can expect to see more of in the future, with the possibility of purchasing large quantities of a particular commodity before enacting a cyberattack amounting to insider trading.
"On the other hand, it is possible that this is a vigilante-style cyber-attack carried out by disgruntled environmentally conscious hacking collectives such as Anonymous. In the past 12 months, the Norwegian Aluminium producer Norsk Hydro has suffered a lot of bad press - and a loss in share value - due to claims of environmental damage following floods at a production plant in Brazil. We could be looking at a revenge-style attack designed to further hurt the share value of a firm that is already suffering from the fallout."
Chris Morales, head of security analytics at Vectra, adds: "While the situation for Norsk Hydro is severe as the entire worldwide network is down, which means the attack was able to propagate internally very quickly, I do at least commend Norsk Hydro's incident response process.
"The important thing here is that breaches happen, and for manufacturing and energy who are large adopters of industrial internet of things, ransomware has become an unfortunate problem that can easily knock a manufacturing or energy plant offline. Norsk Hydro is not the first to suffer from a ransomware attack in the energy sector. Ideally it would be good to be able to detect and respond to attacks before they cause damage, but many companies simply are not in that state of capability yet.
"From a response process standpoint, it is good that Norsk Hydro executive management immediately, within 24 hours, reached out to the public and have been open about their current state. Norsk Hydro had a backup plan to keep operating using manual processes. It is also fortunate that Norsk Hydro has backups of all their data to recover to their original state once they can recover from this attack.
"Granted, when they recover is the biggest factor here. With an attack this widespread impacting the entire global network, they could be down for days."
While this was not initially an attack on the control systems, Ilan Barda, CEO of Radiflow, emailed SC Media UK to note how this incident is similar to the NotPetya and WannaCry incidents, as it shows that cyber-attacks in general, and ransomware in particular, can cause major business interruptions to manufacturing facilities. He adds: "In this particular case, it appears it was an IT attack that expanded to the OT side; however, we expect that ransomware will be used to directly target OT assets.
"This attack emphasises again that in order to protect your organisation against such attacks, it is vital to employ cyber-security on the production floor, enabling operators to maintain visibility and control of their OT network. Such a dedicated OT security solution that intelligently combines cyber-risk and business impact to optimise risk scoring can assist operators in quickly handling emerging threats before they impact the operations, as was done in the case of the crypto-jacking malware that the Radiflow system detected at a waste-water facility last year."