LockerGoga Ransomware Gains Momentum As It Hits Other Companies, But Norsk Hydro Doesn’t Plan to Pay Out
Cybersecurity has long battled against ransomware. Scammers that use general hacking are a lower level of threat, but the use of ransomware puts computers at risk of being completely shut down. Once this kind of software gets into a network, it has the power to completely ruin a system, and LockerGoga is taking full advantage.
LockerGoga has seen a lot of publicity lately, as its operators have pushed this ransomware onto major industrial firms. Their power is frightening, as they have been able to seize control of computers that are in charge of physical equipment, not just the network itself.
Multiple companies have already been slammed with this ransomware, resulting in dangerous and scary consequences. LockerGoga's operators started with the infection of Altran, a French engineering consulting firm.
Last week, LockerGoga became bolder and went after Norsk Hydro, an aluminum manufacturer. When they took control, the automatic operations of the aluminum plants were switched to manual functions.
It did not take long for LockerGoga to go after two more manufacturing companies in America – Hexion and Momentive. The two companies are responsible for the creation of resins, silicones, and other materials, and are connected by a mutual investment fund.
With Momentive, this ransomware took down the company in a “global IT outage” on March 12th, based on a report from Motherboard on Friday. According to an email signed by CEO Jack Boss, the attack even forced the company to release “SWAT teams” to handle the problems and difficulties that LockerGoga caused.
Hexion and Momentive have already been met with a ransom message, showing that the same ransomware hit both these aluminum companies and Norsk Hydro. The language and formatting were about the same between the messages, according to reports from Motherboard. When the attack happened, a blue screen popped up and the files were almost instantly encrypted, according to a current employee who spoke with Motherboard. However, his identity was concealed, as he is not presently authorized to speak on the matter.
With these kinds of threats, security researchers say that ransomware completely locks out the intended users, which means that victims have a hard time paying the ransom demanded of them as well.
Essentially, the victims have to pay quickly if they want any chance of reclaiming their systems before the endeavor becomes even more difficult. The equipment could actually be physically harmed in these circumstances, and the staff involved at the afflicted factories are at even greater risk.
Joe Slowik, who works as a researcher for the Dragos security firm, said that if the hacker manages to prevent the operation of the company or environment, the costs to the victim are substantial. Every minute without access increases the pressure to pay out, and the company has no control. Firms need to have solid fail-safes on the physical side to truly protect themselves.
Right now, LockerGoga is still fairly rare, especially in comparison with more common forms of ransomware like SamSam and Ryuk. To further the damage that the software can do, LockerGoga disables the network adapter of the system, separating it from the network entirely. In that small amount of time, the ransomware can change passwords and log off the machine, making it impossible to get back in. Researchers say, however, that there is a possibility that a cached domain password can give back access.
Unlike the way that traditional ransomware works, the ransom message may not even show up, which means victims are delayed in learning about their predicament and could lose out on the time to pay a ransom to reclaim the system.
Still, Charles Carmakal of FireEye says that the focus of these hackers is predominantly on profit, rather than just wanting to see the damage unfold. Several victims have paid out six-figure ransoms, and LockerGoga actually returned the files.
The ransomware has not been aimed only at industrial or manufacturing victims; instead, the attacks have been about “targets of opportunity.” Basically, companies have been targeted because LockerGoga believes they will pay.
Considering that they have given back what they have stolen in the past, anyone that is hacked with the LockerGoga ransomware would likely pay the ransom, depending on what they’ve lost. However, Norsk Hydro is not following along. Even though Reuters reports that the potential loss from Norsk Hydro is upwards of $40 million, and the full recovery is not expected for many weeks, the company is relying on a “cyber risk insurance policy” that they have in place, but it “has a ceiling.”
Some of the work of Norsk Hydro was stopped on March 19th, and some of their units have been converted to manual operation since the hackers have blocked them out. Most of the units have been manageable in their production, but one of the biggest sources of production has not had the same fate.