LockerGoga is ransomware that has become a nightmare for companies and institutions in recent years. It encrypts the files on the systems it reaches, locking users out, and then demands a ransom payment in exchange for restoring access to the data. How LockerGoga works and the damage it causes are a serious concern for security teams and companies.
Ransomware and Cyber Security
Digitalization in manufacturing and industry gives companies advantages such as efficiency and lower costs. The downside of this trend is a growing number of increasingly sophisticated cyber attacks. According to experts, attacks with random, opportunistic motives are being replaced by planned and targeted ones.
According to Kaspersky, “Attacks and wipers spreading around the world, such as WannaCry, ExPetr and Bad Rabbit, are having an impact on businesses” (1). Ransomware attacks in particular have become a nightmare for companies, opening a dangerous period that has hit businesses hard and strained their defences.
In this context, one of the most talked-about ransomware families of 2019 is LockerGoga. The Norwegian aluminium giant Norsk Hydro announced that it had suffered a ransomware attack affecting the entire organization. There is still no consensus on who carried out the attack, but researchers consider it likely that LockerGoga was the malware used. The breach caused the company heavy losses: two weeks after the public announcement, Hydro reported that the first week alone had cost it an estimated 35-41 million dollars (2).
Anatomy of a Norsk Hydro Attack
LockerGoga is ransomware. Its name comes from a project path left behind in the compiled binary, which references the directory in which the malware’s source code was built.

LockerGoga encrypts files with the AES-256 block cipher under a strong symmetric key and appends the .locked extension to each encrypted file. Its encryption is slow and resource-hungry, which counts among its weaknesses. It is unclear how the attackers gained initial access: one theory is that a user clicked on a phishing e-mail, another that the credentials were obtained from the deep web. Once inside, the attackers work with common offensive tools such as Metasploit or Cobalt Strike, then hunt for administrator credentials with credential-harvesting tools such as Mimikatz.
Methods to Stop Antivirus

The attackers use Microsoft’s Active Directory management tools to push the ransomware to other machines. The binaries are signed with stolen code-signing certificates so that they look like legitimate executables and slip past antivirus programs. On each target machine they also run “taskkill” to stop the antivirus process, removing any remaining chance of detection.
After encrypting the files, LockerGoga leaves a ransom note written in plain English explaining what has happened and offering to decrypt a few sample files. Payment is usually requested in Bitcoin, and victims who make contact quickly are offered a discount.

LockerGoga New Version
Newer versions of LockerGoga add a strange twist. Once file encryption is finished, the malware detects and disables all network interfaces, changes the passwords of the user and administrator accounts on the machine, and then shuts it down. The aim is to prevent the victim from logging in to see the ransom note, delaying contact with the attackers and any ransom payment. Some researchers take this as a sign that the attackers are not only after profit but want to create as much chaos as possible, and perhaps that they are backed by a state engaged in cyber warfare.

Source: Security Affairs, “LockerGoga is the most active ransomware that focuses on targeting companies”
Power Plants Not Affected
According to Kaspersky’s research, although the attack was very large in scale, it did not halt all of the company’s activities. Windows machines were paralysed, but phones and tablets that do not run Windows kept working. Another piece of good news is that the power plants were not affected, because they are isolated from the main network.
As of March 2021, Windows Defender may still fail to detect LockerGoga: either the antivirus has been disabled by the attackers, or they have built a new variant that existing signatures do not match. Signature-based antivirus therefore cannot be relied on by itself. According to experts, more effective protection comes from solutions that identify malware by its behaviour and look for unusual patterns.
Endpoint Detection and Response (EDR) vendors are adding heuristics based on abnormal system behaviour to their products to make ransomware easier to detect.
Behavioural Indicators Used to Detect Ransomware
Credential Dump
Most EDR vendors detect credential-dumping tools such as Mimikatz. The useful check is therefore to introduce a few variations in how the tool is run and test whether your security controls still catch them.
Lateral Movement
Ideally, you should design your network so that an attacker who gets in has as little room as possible to move laterally. Malware usually gains its initial foothold through an innocent-looking e-mail to a user, so your controls should stop attackers from harvesting credentials and using them to reach files elsewhere in the system.
Suspicious Process Activity
LockerGoga launches a whole series of processes to encrypt files, which is not something a typical user’s work would do. Modern security solutions are built to spot behavioural anomalies of this kind, so they are likely to flag this activity. How can we make sure our own system detects it?
Security testing should include a scenario that reproduces this behaviour and verifies that it is detected; running such scenarios is an important step in checking that the security stack works as intended.
Multiple Encryption Processes
Many ransomware families encrypt an entire system. Behavioural analysis should detect unusual encryption activity and raise an alert. You can test your system with a scenario that mimics the encryption activity of ransomware; that way you can confirm that you are protected, and by evaluating the measures in place you can minimise the damage of a real attack.
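Detection logic for the two behaviours described under “Suspicious Process Activity” and “Multiple Encryption Processes”, a parent that forks one worker process per file and a burst of renames to the .locked extension, as an added example (not code from the page’s sources or from any EDR vendor). The event fields are an assumption loosely modelled on process-creation and file-rename telemetry, the worker path is hypothetical, and all events are constructed.

```python
"""Stateful burst detection for LockerGoga-style encryption activity.
Added example; the event schema is an assumption modelled loosely on
process-creation and file-rename telemetry, not a vendor format."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
SPAWN_THRESHOLD = 20     # same image forked by one parent inside the window
RENAME_THRESHOLD = 20    # .locked renames attributed to one parent inside the window


def _push(queue, ts, window):
    """Add a timestamp to a sliding window and return how many remain inside it."""
    queue.append(ts)
    while queue and ts - queue[0] > window:
        queue.popleft()
    return len(queue)


def detect_encryption_burst(events, window=WINDOW_SECONDS,
                            spawn_threshold=SPAWN_THRESHOLD,
                            rename_threshold=RENAME_THRESHOLD):
    """Return alerts for (a) a parent that forks the same image many times in a
    short window, LockerGoga's one-process-per-file pattern, and (b) a burst of
    renames to .locked, attributed to the parent of the renaming process so the
    per-file workers count together. Each condition alerts once per parent."""
    parent_of = {}                   # pid -> ppid, learned from process events
    spawns = defaultdict(deque)      # (ppid, image) -> recent spawn timestamps
    renames = defaultdict(deque)     # attributed parent pid -> recent .locked renames
    alerts, fired = [], set()

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            parent_of[ev["pid"]] = ev["ppid"]
            key = (ev["ppid"], ev["image"].lower())
            n = _push(spawns[key], ev["ts"], window)
            if n >= spawn_threshold and ("spawn", key) not in fired:
                fired.add(("spawn", key))
                alerts.append({"rule": "per_file_worker_burst", "parent_pid": ev["ppid"],
                               "image": ev["image"], "count": n, "ts": ev["ts"]})
        elif ev["type"] == "rename" and ev["target"].lower().endswith(".locked"):
            origin = parent_of.get(ev["pid"], ev["pid"])
            n = _push(renames[origin], ev["ts"], window)
            if n >= rename_threshold and ("rename", origin) not in fired:
                fired.add(("rename", origin))
                alerts.append({"rule": "locked_extension_burst", "parent_pid": origin,
                               "count": n, "ts": ev["ts"]})
    return alerts


def sample_events():
    """Constructed telemetry, not a real capture: benign background activity
    followed at t=100 by a LockerGoga-like burst from a hypothetical worker.exe."""
    events = []
    for i in range(3):                               # explorer opens three editors
        events.append({"type": "process", "ts": 10.0 + 20 * i, "pid": 2000 + i,
                       "ppid": 1000, "image": r"C:\Windows\notepad.exe"})
    for i in range(5):                               # a backup job renames to .bak
        events.append({"type": "rename", "ts": 30.0 + i, "pid": 1500,
                       "target": rf"D:\Backups\report{i}.docx.bak"})
    for i in range(30):                              # master 4000 forks a worker per file
        t, child = 100.0 + 0.2 * i, 5000 + i
        events.append({"type": "process", "ts": t, "pid": child, "ppid": 4000,
                       "image": r"C:\Users\Public\worker.exe"})
        events.append({"type": "rename", "ts": t + 0.05, "pid": child,
                       "target": rf"C:\Users\alice\Documents\q{i}.xlsx.locked"})
    return events


if __name__ == "__main__":
    for alert in detect_encryption_burst(sample_events()):
        print(alert)
```

The thresholds are the part to tune against your own baseline: a build server or a backup job can legitimately fork many children or rename many files, so the same scenario should be replayed on such hosts to confirm the rule stays quiet there, which is exactly the kind of test the text recommends.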
Deleting Backup Files and System Logs
Attackers often delete backups and system logs to increase the damage caused by the ransomware. Some LockerGoga variants, for example, clear their traces from the Windows logs once file encryption is complete. Many EDR vendors, CrowdStrike among them, offer detection of such suspicious process activity, including attempts to delete backup files, and can stop the offending process.
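Command-line rules for three of the operator actions described on this page: stopping antivirus with “taskkill” (under “Methods to Stop Antivirus”), credential dumping with Mimikatz (under “Credential Dump”), and deleting backups and event logs (this section). This is an added example, not vendor or project code; the event layout (image plus command line) is an assumption loosely modelled on process-creation telemetry, the antivirus process names are an illustrative subset, and every sample event is constructed.

```python
"""Command-line rules for LockerGoga operator actions: stopping antivirus,
dumping credentials, and wiping backups and event logs. Added example, not
vendor code; the event layout is an assumption and all events are constructed."""
import re

# Illustrative subset of antivirus/EDR process and service names (not exhaustive).
AV_NAMES = r"(msmpeng|windefend|mssense|csfalconservice|sophos|avp|mcshield|ekrn)"

# (rule name, regex applied to the lower-cased "image cmdline" string)
RULES = [
    ("av_process_kill",
     re.compile(r"taskkill.*\s/im\s+\S*" + AV_NAMES)),
    ("av_service_stop",
     re.compile(r"(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\S*" + AV_NAMES)),
    ("credential_dump_mimikatz",
     re.compile(r"(mimikatz|sekurlsa::|lsadump::|privilege::debug)")),
    ("credential_dump_lsass",
     re.compile(r"(procdump\S*\s.*\blsass\b|comsvcs\.dll.*minidump)")),
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin\S*\s+delete\s+shadows|wmic\S*\s+shadowcopy\s+delete"
                r"|wbadmin\S*\s+delete\s+catalog)")),
    ("event_log_clearing",
     re.compile(r"(wevtutil\S*\s+(cl|clear-log)\b|clear-eventlog)")),
]


def match_rules(event, rules=RULES):
    """Return the names of every rule that fires on one process-creation event."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return [name for name, pattern in rules if pattern.search(text)]


def scan_events(events, rules=RULES):
    """Run all rules over an event stream and return one alert per (event, rule)."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev, rules):
            alerts.append({"rule": rule, "ts": ev["ts"], "pid": ev["pid"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


def sample_events():
    """Constructed process-creation events: benign admin activity mixed with
    the operator actions a LockerGoga intrusion would show."""
    sys32 = r"C:\Windows\System32"
    rows = [
        (1.0, 4101, "CORP\\alice", rf"{sys32}\cmd.exe", "cmd.exe /c dir C:\\Share"),
        (2.0, 4102, "CORP\\svc-backup", rf"{sys32}\net.exe", "net stop Spooler"),
        (3.0, 4103, "CORP\\admin", rf"{sys32}\taskkill.exe", "taskkill /F /IM MsMpEng.exe"),
        (4.0, 4104, "CORP\\admin", r"C:\Temp\mimikatz.exe",
         'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
        (5.0, 4105, "CORP\\admin", r"C:\Temp\procdump64.exe",
         "procdump64.exe -ma lsass.exe lsass.dmp"),
        (6.0, 4106, "CORP\\admin", rf"{sys32}\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
        (7.0, 4107, "CORP\\admin", rf"{sys32}\wevtutil.exe", "wevtutil cl Security"),
        (8.0, 4108, "CORP\\alice", rf"{sys32}\wevtutil.exe", "wevtutil qe Security /c:5"),
    ]
    return [{"ts": t, "pid": p, "user": u, "image": i, "cmdline": c} for t, p, u, i, c in rows]


if __name__ == "__main__":
    for a in scan_events(sample_events()):
        print(f"{a['ts']:>5} pid={a['pid']} {a['rule']:<26} {a['cmdline']}")
```

String rules like these are the cheap layer, and they show why the “Credential Dump” section tells you to vary the inputs: a renamed procdump binary dumping LSASS with the same arguments no longer matches any rule here, while Mimikatz run through a renamed binary is still caught by its module syntax. Stronger signals come from what the process does rather than what it is called, for example a handle opened on LSASS or an antivirus service changing state.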
What Happened at Norsk Hydro
Norsk Hydro, the Norwegian aluminium and energy company, suffered a cyber attack on 19 March 2019. The attackers used LockerGoga, in an advanced new version, and the company’s global operations came to a halt.
Norsk Hydro’s security analysts found six different LockerGoga variants on their systems. The malware spread across Hydro’s facilities, affecting several business units and forcing them to switch to manual processes. Norway’s national security authority also investigated the attack and stated that it had encountered LockerGoga before.
The company announced that most of its production had returned to normal after the attack, although some administrative tasks had to be postponed. Its chief financial officer stated that Norsk Hydro did not pay any ransom. Some researchers note that the attack is hard to investigate because the malware makes some surprising moves. Finally, experts say that preventive measures against ransomware, which has become a “nightmare” for companies, are possible; one of them is correct network segmentation. According to researchers, the ransomware would have been easier to stop and contain had the company’s network been properly segmented (1).
Resources:
1) Kaspersky Daily, “Aluminium giant Hydro hit by ransomware attack” (original title: “Alüminyum sektörünün dev şirketi Hydro, fidye yazılımı saldırısına uğradı”), 25.03.2019, accessed at: https://www.kaspersky.com.tr/blog/hydro-attacked-by-ransomware/5803/
2) Özden Erçin, “Lessons to be learned from the Norsk Hydro ransomware attack” (original title: “Norsk Hydro Ransomware Saldırısından Çıkarılacak Dersler”), 21.08.2019, accessed at: https://ozdenercin.com/2019/08/21/norsk-hydro-ransomware-saldirisindan-cikarilacak-dersler/
Other resources used:
AttackIQ, https://attackiq.com/blog/2019/04/14/locker-goga-the-2019-addition-to-the-ransomware-family/
ProQuest, https://search.proquest.com/docview/2206932910/73B5F94FDBE84340PQ/6?accountid=16327#center
Compilation: Ceyda Kahya