Ransomware has long been headlining the cybersecurity scene – encrypting files and demanding a ransom payment in bitcoin before access to the network is restored. But over the past few weeks a new variant has surfaced that is much more than a shakedown for cash; one that is inflicting crippling damage on dozens of manufacturing and industrial firms around the globe. This nasty new breed of ransomware is known as LockerGoga.
The first reported case of LockerGoga was in January at the French engineering consulting firm Altran, and since then many other cases have been reported, including big-name firms like Norsk Hydro, Hexion and Momentive. While researchers are still analyzing details of these attacks, it appears LockerGoga has been used in very targeted cases in the manufacturing and industrial space; variations have been seen in other industries as well.
In one of the recent incidents, LockerGoga gained control of actual physical equipment – a scary concept, since it could inflict serious harm on machine operators. In other recent cases, one firm was forced to move its production environment into manual mode, while another suffered a global shutdown costing $40 million in just one week, and it is still struggling to recover operations.
It is not yet known how intruders gained initial access to these large corporations, but cybersecurity experts suspect it was done through spear phishing tactics or brute force.
Evidence suggests that once intruders get an initial foothold, they use common hacking toolkits to move to other computers on the network, including exploit programs that pull traces of passwords out of the memory of Windows machines, providing access to more privileged accounts. LockerGoga appears to be a much more manual attack than past ransomware incidents we've seen, and does not appear to have worm-like capabilities to cause widespread chaos like its WannaCry and Petya predecessors.
As these hackers continue to advance through the network and move up the chain to obtain a network's highest-privilege "domain admin" credentials, they gain access to administrative tools such as Microsoft's Active Directory to plant their ransomware on targeted machines across the entire system. That code is signed with stolen certificates that make it look legitimate. And before running their encryption code, the hackers use a "task kill" command on target machines to disable their antivirus. Both of those measures have made antivirus particularly ineffective against the subsequent infections. Here is an example of the note left behind by the hackers:
A screenshot of the ransom notice displayed on a Momentive laptop. Image: Motherboard
The note doesn't name a ransom price but instead provides email addresses, demanding that the victim contact the hackers to negotiate a bitcoin sum, typically in the hundreds of thousands of dollars according to FireEye, for the return of their systems. In the latest version of this malware that researchers have analyzed, LockerGoga goes further still: it also disables the computer's network adapter to disconnect it from the network, changes the user and admin passwords on the computer, and logs the machine off.
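As an added example (not from the original article, and not code from any of the firms or researchers named), the Python sketch below correlates the pre-encryption behaviours described in the two paragraphs above over constructed Sysmon-style process-creation records: a burst of "taskkill" against security-tool images, followed on the same host by a local password change and a network-adapter disable. The security product image names, the exact command-line forms and the 120-second window are assumptions for illustration, not details taken from the incidents.

```python
import re
from collections import defaultdict

# Process-creation records in a Sysmon-like shape: (host, seconds since midnight, command line).
# Every record is constructed for this example; the ws-04 lines model an admin's routine work.
EVENTS = [
    ("ws-17", 32462, 'taskkill /F /IM MsMpEng.exe'),
    ("ws-17", 32463, 'taskkill /F /IM avp.exe'),
    ("ws-17", 32463, 'taskkill /F /IM ekrn.exe'),
    ("ws-17", 32470, 'net user Administrator Pa55w0rd!'),
    ("ws-17", 32471, 'netsh interface set interface "Ethernet" admin=disabled'),
    ("ws-04", 40100, 'taskkill /F /IM notepad.exe'),
    ("ws-04", 40900, 'net user svc_backup N3wS3cret!'),
]

# Assumed, illustrative list of security product image names; replace with what is actually deployed.
SECURITY_IMAGES = {"msmpeng.exe", "avp.exe", "ekrn.exe", "mbamservice.exe"}
TASKKILL_RE = re.compile(r"^taskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)
PASSWD_RE = re.compile(r"^net\s+user\s+\S+\s+[^/\s]\S*", re.IGNORECASE)  # 'net user NAME /add' is ignored
ADAPTER_RE = re.compile(r"^netsh\s+interface\s+set\s+interface\b.*admin=disable", re.IGNORECASE)
WINDOW = 120  # seconds within which the behaviours must cluster on one host

def classify(cmdline):
    """Map one command line to a behaviour tag, or None if it is not of interest."""
    m = TASKKILL_RE.match(cmdline)
    if m:
        return "kill_security_tool" if m.group(1).lower() in SECURITY_IMAGES else "kill_other"
    if PASSWD_RE.match(cmdline):
        return "password_change"
    if ADAPTER_RE.match(cmdline):
        return "adapter_disable"
    return None

def detect(events, window=WINDOW):
    """Return {host: sorted behaviours} for hosts where a security-tool kill is followed
    within `window` seconds by a local password change or a network adapter disable."""
    by_host = defaultdict(list)
    for host, ts, cmd in events:
        tag = classify(cmd)
        if tag:
            by_host[host].append((ts, tag))
    alerts = {}
    for host, tagged in by_host.items():
        kills = [ts for ts, tag in tagged if tag == "kill_security_tool"]
        follow_ups = {tag for ts, tag in tagged if tag in ("password_change", "adapter_disable")
                      and any(0 <= ts - k <= window for k in kills)}
        if kills and follow_ups:
            alerts[host] = sorted(follow_ups | {"kill_security_tool"})
    return alerts
```

A lone taskkill or a scheduled password rotation (the ws-04 records) produces no alert; only the clustered sequence on ws-17 does, which is the point of correlating the behaviours rather than alerting on any one of them.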
The most important proactive step an organization can take against ransomware is user education, and of course it’s critical to have the ability to recover from your backups. Ensure that you’re using a backup system that allows multiple iterations of the backups to be saved and stored offline, in case the most recent backups include encrypted or infected files. Routinely test backups for data integrity and to confirm you can actually recover from them.