LockerGoga made headlines recently after targeting Norsk Hydro, forcing the company to shut down or isolate several plants and send several more into manual mode. According to an update by the company, that incident has so far cost Norsk Hydro at least $40 million in its first week!
The ransomware was first spotted in late January, in an attack against engineering consultancy Altran, which said in a statement it was hit by a cyberattack that impacted operations in “some European countries.”
Once downloaded onto the system, often through a phishing attack, the malware relocates itself into a “temp” folder and renames itself using the command line (cmd).
From there, LockerGoga encrypts files stored on systems such as desktops, laptops and servers, researchers with Trend Micro said in a recent post.
Interestingly, LockerGoga appears to have both ransomware and wiper capabilities: While the malware leverages an encryption process that removes the victim’s ability to access files and other data on infected systems, various later versions of LockerGoga were also observed forcibly logging the victim off of the infected systems by changing their passwords, and removing their ability to even log back in to the system, according to Talos researchers.
“The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands,” said Talos researchers. “These later versions of LockerGoga could then be described as destructive.”
Other important attributes of this malware are:
1) Once LockerGoga infects a system, it changes all the local user account passwords to 'HuHuHUHoHo283283@dJD' before attempting to boot local and remote users out of the system.
2) Early versions of LockerGoga merely encrypted files and other data on infected systems and presented victims with a note demanding a ransom in exchange for the decryption keys. Newer versions of the malware have included a capability to forcibly log the victim out of an infected system and remove their ability to log back in as well.
3) The ransomware also incorporates techniques designed to evade sandboxing and machine learning-based detection mechanisms. "The main process thread for some of LockerGoga's variants, for example, sleeps over 100 times before it executes," Trend Micro said in a blog analyzing the malware.
4) Some research also shows that LockerGoga contains bugs in its code, meaning victimized organizations may not be able to decrypt their files even after paying the ransom.
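The mass password reset described in point 1 leaves a trail in the Windows Security log: every reset is recorded as Event ID 4724 ("An attempt was made to reset an account's password"). The Python below is an added example, not part of the original article or any vendor tooling; it runs over constructed log lines (hypothetical account names, a simplified pipe-separated layout rather than a real EVTX export) and flags any subject that resets several accounts' passwords within a short window, which ordinary helpdesk activity never does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a real log export: Security events flattened to
# "timestamp|event_id|subject_account|target_account". The burst from
# SVC-BACKUP$ mimics LockerGoga walking every local account in seconds;
# helpdesk01 is routine one-off activity and must not raise an alert.
SAMPLE_LOG = """\
2019-03-19T03:12:01|4624|SVC-BACKUP$|-
2019-03-19T03:12:02|4724|SVC-BACKUP$|Administrator
2019-03-19T03:12:02|4724|SVC-BACKUP$|jsmith
2019-03-19T03:12:03|4724|SVC-BACKUP$|operator
2019-03-19T03:12:03|4724|SVC-BACKUP$|dbadmin
2019-03-19T09:30:00|4724|helpdesk01|newhire
2019-03-19T14:05:00|4724|helpdesk01|jsmith
"""

PASSWORD_RESET = 4724  # Windows Security Event ID for a password reset attempt


def parse_events(text):
    """Parse the flattened lines into (timestamp, event_id, subject, target)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), subject, target))
    return events


def find_mass_password_resets(events, window=timedelta(minutes=5), threshold=3):
    """Return {subject: sorted targets} for each subject that reset the passwords
    of at least `threshold` distinct accounts inside any sliding `window`."""
    resets = defaultdict(list)
    for ts, eid, subject, target in events:
        if eid == PASSWORD_RESET:
            resets[subject].append((ts, target))
    alerts = {}
    for subject, items in resets.items():
        items.sort()  # chronological order keeps the sliding window simple
        for i, (start, _) in enumerate(items):
            targets = {t for ts, t in items[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[subject] = sorted(targets)
                break
    return alerts
```

Feeding real 4724 events (exported with the same four fields) into `find_mass_password_resets` gives a cheap early warning for this behaviour before the ransom note, which the later variants may never let the victim see, ever appears.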
Businesses must take action to protect themselves. The U.S. Department of Homeland Security explicitly tells us that we are NOT prepared for today’s attacks.
Organizations can choose to be low-hanging fruit, making it easy for hackers to focus on them, or do things properly to fend off attackers.
Prevention is crucial. Every company must take these steps:
- Cybersecurity training must be done regularly.
- Auditing and documentation must be performed regularly to ensure systems are secure.
- Anomaly detection should be running constantly to detect threats as they emerge.
- Penetration testing shows whether systems can easily be reached from the outside. Here is a case where this test might have saved two companies’ reputations from being destroyed.
- Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.
- An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.
- All organizations are potential targets and should use a phishing simulation tool which tests employees by sending safe phishing emails. When employees click, they are then presented with educational material which helps them learn what to avoid.
To ensure your organization is safe, hire an experienced MSP or MSSP, even if you have internal IT.
If you do get infected, be sure to hire an MSP with forensic experience who can handle the problem and get you back up and running as soon as possible.
Edited by Maurice Nagle