Ransomware Behind Norsk Hydro Attack Takes On Wiper-Like Capabilities

lockergoga ransomware industrial firms

Researchers are still looking for answers when it comes to LockerGoga’s initial infection method – and what the attackers behind the ransomware really want.

LockerGoga, the malware that took down Norsk Hydro last week, has taken the industrial world by storm, as researchers race to uncover more about the mysterious ransomware that crippled several of the aluminum maker’s plants.

Questions still remain about how the malware first infects the system it targets, who is behind the attacks – and what they want. But there is one thing researchers can agree on when it comes to the seemingly-unsophisticated LockerGoga: Its developers are actively adding capabilities and targeting operations with attacks bent on destruction and costing companies millions.

“We do know that this ransomware has caused significant harm,” said Palo Alto Networks Unit 42 researcher Mike Harbison in a Tuesday post. “The damage could increase significantly if  the attackers continue to refine this ransomware.”

LockerGoga made headlines last week after targeting Norsk Hydro, forcing the company to shut down or isolate several plants and send several more into manual mode. According to an update by the company, that incident has so far cost Norsk Hydro at least $40 million in the last week.

But the ransomware was around well before this incident, spotted as early as Jan. 24 in an attack against engineering consultancy Altran, which said in a statement it was hit by a cyberattack that impacted operations in “some European countries.”

Two other manufacturing companies, Hexion and Momentive, have also been hit by the ransomware, according to reports.  So far, researchers with Palo Alto Networks said they have identified 31 ransomware samples that are similar in behavior and code to the initial variant.

“LockerGoga is yet another example of this sort of malware… It is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals,” Nick Bisiani, outreach engineer with Cisco Talos, said in a post last week. “Cisco Talos has also seen wiper malware impersonate ransomware, such as the NotPetya attack.”

The initial infection of LockerGoga remains a mystery, researchers said: “The initial infection was thought to be a phishing attack, but seems like a less likely scenario as no phishing emails have been reported,” Allan Liska, threat intel analyst with Recorded Future, told Threatpost. “It is likely some form of remote access, such as an open RDP server.”

Once downloaded onto the system, the malware relocates itself into a “temp” folder and renames itself using the command line (cmd).

From there, LockerGoga encrypts files stored on systems such as desktops, laptops and servers, researchers with Trend Micro said in a post last week.

Interestingly, LockerGoga appears to have both ransomware and wiper capabilities: While the malware leverages an encryption process that removes the victim’s ability to access files and other data on infected systems, various later versions of LockerGoga were also observed forcibly logging the victim off of the infected systems by changing their passwords, and removing their ability to even log back in to the system, according to Talos researchers.

“The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands,” said Talos researchers. “These later versions of LockerGoga could then be described as destructive.”

Lockergoga ransomware

The LockerGoga ransom note.

A ransom note is then presented to the victim, which demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted, according to Cisco’s Bisiani.

LockerGoga doesn’t appear to have propagation capabilities, as other malware like WannaCry or NotPetya has, researchers said. Instead, LockerGoga counts up the infected system’s Wi-Fi or Ethernet network adapters, and then attempts to disable them via a command line (netsh.exe interface set interface DISABLE) to disconnect the system from outside connections.

“LockerGoga runs this routine after its encryption process but before it logs out the current account,” researchers with Trend Micro said. “This is a notable behavior. Its file encryption routine could be considered less consequential since LockerGoga already locks the user out of the system by changing the accounts’ passwords.”

LockerGoga also has routines that can evade sandboxes and virtual machines: The main process thread for some of LockerGoga’s variants, for example, sleeps over 100 times before it executes, Trend Micro researchers said: “This is a technique used by various ransomware families and other threats, such as those used in targeted attacks.”

Another interesting capability of LockerGoga, Ryan Olson, vice president of Threat Intelligence for Unit 42 at Palo Alto Networks, told Threatpost, is that it uses undocumented Windows API calls for communications, as well as WS2_32.dll, a DLL (Dynamic Link Library) in Microsoft Windows that provides support for networking connections.

This shows “a degree of technical sophistication and high degree of familiarity with Microsoft Windows enough to know about and how to use these undocumented APIs,” and “that the developers are building in network capability for the ransomware which could be used for command and control (C2) or network self-propagation capabilities,” he told Threatpost. “Either/both of these would require networking capability in the ransomware. And while network capability is not new here, it is rare in ransomware. ”

Several features of the malware – and the ransom notes that it has left – have made researchers scratch their heads when it comes to the attackers’ goals.

Unlike other sophisticated ransomware variants, the ransom note does not include instructions for using a payment portal to process the ransom payment, said Talos researchers. There is no Bitcoin or Monero wallet address – but the note includes instructions for contacting the malware distributor via two email addresses.

Further, because the ransomware forcibly logs victims off the infected systems, many victims may not even be able to view the ransom note, let alone attempt to comply with any ransom demands – causing researchers to raise their eyebrows when it comes to the goals of the attackers behind the malware.

Talos researchers said that “these features raise more questions about the actor’s intent as ransomware is typically one of the least advanced forms of malware: Are they motivated by profits or something else? Has the motive changed over time?  Why would developers put such effort into their work only to partially encrypt files? Why do they include an email address and not seek payment through more frequently used cryptocurrencies?”

Liska told Threatpost that there has been no attribution to the attack, adding into the mystery when it comes to the malware developers’ underlying goals.

“At this point, there is no attribution to the attack, if the attackers are cybercriminals, which is the prevailing assumption, they are really bad at their jobs,” Liska told Threatpost. “They have made it incredibly difficult to pay the ransom and there is little chance that the infected companies would be able to fully restore their systems if they did pay the ransom. This has led to speculation that these are nation-state attacks designed to disrupt, but there is no evidence for that at this point.”

Suggested articles