Norsk Hydro: true motivation? chance of recovery? LockerGoga key?

News by SC Staff

Norsk Hydro may have lost £30m following the LockerGoga ransomware attack and there's speculation about the chance of recovery, the true motivation of the attack, and the existence of a kill switch.

It is reported that aluminium company Norsk Hydro may have lost £30 million following last week's ransomware attack, with the financial impact during the first week estimated at between 300 million and 350 million Norwegian crowns (£25 million to £30 million). There is now speculation about the chance of recovery, the true motivation of the attack, and the existence of a kill switch.

In a LinkedIn posting commenting on SC Media UK's earlier report, Yehonatan Kfir, CTO at Radiflow, suggests that the motivation was more likely to speculate on aluminium prices, which soared to a three-month high as a result of the attack, than to generate ransom revenue.

He notes: "The number of companies that were affected was small, and probably chosen carefully. Overall, this operation requires high effort from the attackers, with low potential income. This doesn’t fit to a classical ransomware operation!"

"...also as a targeted disruption operation, it looks like an unprofessional one. The recovery time was decent, a manual operation and isolation of the malware was possible (would some of the affected PCs contain this recovery procedure? Was it known to the attackers?). A professional operation would have targeted the remote / isolated sites."

The unusual operation has also attracted comment on the costs incurred and the likelihood of recovery, as well as on the LockerGoga ransomware used, which now appears to have a kill switch.

A Palo Alto Unit 42 blog (see further down page) also questioned the level of sophistication deployed for ransomware.

In contrast, in an email to SC Media UK, Oleg Kolesnikov, VP of threat research and head of Securonix Research Labs at Securonix, suggests it is more of a traditional ransomware attack than, say, NotPetya, and he is concerned about insurance issues. He said: "We've been closely monitoring the Norsk Hydro ransomware attack, and one thing to note in terms of being able to recover the costs of the attack from a cyber-insurer is that this can be far from guaranteed, even with a solid cyber insurance policy.

"To illustrate, in the case of Mondelez's NotPetya cyberattack that reportedly resulted in over US$100 million (£75 million) in damages that was in many ways similar to the Norsk Hydro LockerGoga ransomware attack, the claim was being disputed by Mondelez's cyber-security insurer Zurich, citing the so-called 'war exclusion' in the policy language for hostile acts by sovereign actors.

"While the cost of the Norsk Hydro attack is significantly lower, at roughly £25 - £30 million, recovering the costs of the cyber-attack even with reputable cyber-security insurers can be non-trivial. Fortunately, NotPetya had a number of differences from LockerGoga, particularly in that, as the UK officials believed, a nation-state-level malicious threat actor was involved with NotPetya, and the purpose of the NotPetya attack was more along the lines of a cyber-sabotage than a classic ransomware attack.

"In contrast, LockerGoga currently looks much more like a traditional ransomware attack than a nation-state-sponsored malicious breach, so this is something that Norsk Hydro might be looking into further once they are able to fully restore their normal business operations."

For Deborah Chang, vice president of business development and policy at HackerOne, the attack was seen as highlighting the issue of cyber-security risk and bringing it to the forefront for all organisations. "No matter what the outcome of this claim is, it is clear that the team responsible for the purchase of an insurance policy must now be hyperaware of cyber-security risk. Specifically, how a cyber-security breach or cyber-attack, even if it is not as public and not as large as the one that targeted Norsk Hydro, will be covered under a policy, what tools are in place to prevent loss from bad actors, what the threats are, how vulnerabilities are mediated, where the threats could be and most importantly, what tools need to be in place to prevent the breach.

"Insurers like AIG are most likely invested in encouraging or requiring post breach cyber-security practices that can limit the extent of the breach as much as possible and ensure a company is as secure as it possibly can be. The question that will most likely be asked is how AIG and other insurers do this post-breach, and pre-breach, when the insurance buyer or risk team doesn’t necessarily have the influence or ability to collaborate with the security team."

As for the malware itself, it apparently contains a mistake in how it handles files with the .lnk extension. The flaw is also explained in a 25 March blog post from threat management company Alert Logic, which reports that its researchers discovered the issue.

According to Alert Logic, LockerGoga scans compromised machines to assess what files they are hosting. If LockerGoga identifies any files with the .lnk extension, which is used by Microsoft Windows to point to executable files, then the malware attempts to resolve their paths.

However, there are two conditions that create an exception that LockerGoga can’t handle, causing the operating system to terminate the ransomware before it can do any damage:

- the .lnk file is crafted to contain an invalid network path
- the .lnk file has no Remote Procedure Call (RPC) endpoint

"The malicious file will still exist on the victim machine, but it will be effectively rendered inert, since it cannot effectively execute while the malformed ‘.lnk’ file remains," explains the Alert Logic report.

Therefore, security professionals could intentionally create erroneous .lnk files to foul up LockerGoga’s operations should an attack occur. Of course, if an infected machine successfully employs this tactic, that doesn’t mean the danger is over, Alert Logic notes. The attackers still found a way to compromise the device in the first place, and presumably LockerGoga’s developers will work to fix this flaw.

Indeed, LockerGoga has already gone through a series of updates and variants since emerging on the scene in January 2019.

Palo Alto's research arm, Unit 42, has also released a new blog post looking into LockerGoga and its potential vulnerability. It notes that the LockerGoga ransomware was first publicly reported in January by Bleeping Computer, which tied the malware to an attack against French engineering company Altran Technologies. Several variants have since been found in the wild, where they were used in attacks against Norwegian aluminum manufacturer Norsk Hydro and two chemical companies: Hexion and Momentive.

The blog states: "Unit 42 reviewed malware samples from these attacks and found evidence that caused us to question the origin of the threat name. 'LockerGoga' was taken from a string that did not exist anywhere in the code used in the original attack on Altran." It adds: "The LockerGoga ransomware that’s been targeting industrial and manufacturing companies in early 2019 contains a coding error that could potentially be exploited to stop it from encrypting files."

Unit 42 has identified 31 samples of ransomware that are "similar in behaviour and code to the initial variant" that was used in an attack against French engineering company Altran Technologies. Additional LockerGoga attacks were later launched against aluminum producer Norsk Hydro and U.S. chemical companies Hexion and MPM Holdings.

In the blog post, threat intelligence analyst Mike Harbison lists some of the key improvements found in ensuing versions of the ransomware, including the added importation of Windows Sockets Library ws2_32.dll and the use of undocumented Windows API calls. Harbison says the addition of such enhancements "indicates a level of sophistication beyond typical ransomware authors. The former could lead to the eventual inclusion of C2 communication or automated propagation, and the latter requires some working knowledge of Windows internals."

"These features raise more questions about the actor’s intent as ransomware is typically one of the least advanced forms of malware: Are they motivated by profits or something else?" Harbison ponders in the report.
