LockerGoga combines ransom demand “negotations”, aggressive disruption and total lock out
Over the last few months, a new ransomware, LockerGoga, has been hitting industrial and manufacturing firms and causing devastating impact. Later strains of it have been even more damaging than the initial rounds. In some cases, it’s evident the hackers are after money and they have collected some of the bitcoin they demanded. But in other cases, the manifestation of their attack made it impossible for victims to pay ransom. It has almost seemed as though sometimes the hackers made it impossible for victims to see the ransom note much less respond to it.
LockerGoga has struck several countries, bringing some firms to their knees, and becoming an alarming harbinger to others who haven’t yet been hit. Altran engineering consulting firm in France and Norsk Hydro aluminum manufacturer in Norway have both been struck by LockerGoga, along with Hexion and Momentive. Momentive’s infection caused a global IT outage. FireEye security firm reported they’re aware of several other industrial and manufacturing companies who’ve also been hit, though for now they’re opting not to be named.
A newer strain of LockerGoga discovered recently is especially disruptive. It shuts computers down completely so users are locked out and unable to get a ransom message. Companies caught in a situation like this are highly motivated to pay and often do so they can get their data back and their business going again. But the hackers can be intentionally reckless. And when it involves industrial and manufacturing companies, the result can be worse than a shutdown. Such situations are obviously costly but they can also be dangerous and cause harm to equipment or factory staff. Every minute the business is out of operation, pressure builds. Most industrial firms have fail-safe plans in place, but disasters can still happen and sometimes just downtime is enough of a disaster by itself.
LockerGoga got its name from a file path of the same name found in source code, named by security research group MalwareHunterTeam. Compared with other kinds, the malware is fairly rare. FireEye has seen under 10 official victims so far, but MalwareHunterTeam estimates the total number of victims to rank in the dozens. Not all victims are impacted to the same degree.
No one knows for certain yet how the hackers are initially gaining access to the target networks. It could be the common method of phishing and social engineering. It seems the intruders already know their targets’ credentials from the start, and phishing is one possible way to gather those credentials. Buying them from other hackers is another. Once inside, hackers use Metasploit and Cobalt Strike toolkits to gain control of other computers on the network, exploiting Mimikatz as well, which pulls traces of passwords from Windows memory. This allows the hackers to gain deeper access to higher privileged accounts.
Inside the network, once the hackers are far enough to have obtained the highest privilege “domain admin” credentials, they can use Microsoft’s Active Directory to direct the ransomware to more victim’s machines. By signing with the stolen certificates, the code looks legitimate. The hackers also run encryption code, but first they run a “task kill” command that disables the victim’s antivirus. The ability to deactivate A/V renders the systems all the more defenseless against later infections. A/V solutions are unlikely to detect many attacks in the first place, particularly fileless and zero day attacks. It doesn’t take long for the hackers to accomplish their methodical steps and within minutes, the entire system is disabled.
The next step by the hackers is to insert a readme file of demands on the victim’s machines.
"Greetings! There was a significant flaw in the security system of your company. You should be thankful the flaw was exploited by serious people and not by some rookies. They would have damaged all your data by mistake or for fun."
Notably missing from the note is a ransom price. Instead, an email address is provided for the victim to use to negotiate an amount to get their data back in payment using bitcoin. FireEye reports the amounts usually settled on are in the hundreds of thousands of dollars.
In the latest strain of the LockerGoga ransomware that hit industrial firms, the hackers disable the computer’s network adapter and log the computer off the network after changing the user’s admin passwords. This keeps the user from being able to log back on. In some cases, security researchers have seen some users being given a certain password – “HuHuHUHoHo283283@dJD” - that allows them to log back on. But often the victim can’t see the ransom note, or doesn’t realize they are victims of ransomware. This costs even more time until they can take steps to recover their data or decide how to deal wit their extortionists. It’s a nightmare situation for any firm to be in.
It doesn’t make much sense for the hackers – if the users can’t figure out who to pay, the hackers don’t profit. Nonetheless, FireEye still believes the hackers are motivated by greed. Wreaking havoc is certainly an objective, but likely it’s an extra bonus on top of making money, sometimes as much as six figures from one firm. The hacker’s victims aren’t all industrial or manufacturing. Other industries provide similar targets - any business that will pay is an opportunity to usurp. And so far, enough companies, especially industrial firms, have been struck down to cause significant concern to companies and researchers. LockerGoga malware could be used to control human machine interface (HMI) systems. HMIs are responsible for remotely controlling critical equipment sold by companies like Siemens and GE. If HMI equipment was hijacked, the results could be disastrous.
LockerGoga ransomware has struck industrial/manufacturing firms Hexion, Norsk Hydro, or Momentive but it’s not known yet how it infected their systems. Having failsafe systems in place isn’t enough to combat the risks posed by a calculating, evolving threat like LockerGoga.
Newsletter: Latest issue
Video: 2-Minute Virsec Story