Understanding the LockerGoga ransomware attacks

Last month Aluminum manufacturer Norsk Hydro was hit by a large scale ransomware attack that affected its systems across the globe and caused severe disruption to its operations with an estimated impact of more than $35 million..

The attack used the LockerGoga ransomware and the threat research team at Securonix has been monitoring the malware, which also caused problems for a number of other companies.

In order to avoid defenses, LockerGoga payloads are signed with a valid digital certificate issued by multiple certificate authorities. Spreading the malware required access to the network with Server Message Block and Active Directory management services seen in delivering the payload.

"One of the reasons that LockerGoga was so impactful in the Norsk Hydro attack was its scale," says Oleg Kolesnikov, director of threat research at Securonix. "It infected multiple systems through copying to the shared directory and subsequent lateral movement, affecting the entire organization. This lateral movement is a technique that hasn't been used commonly in other attacks so it's not something that companies are used to detecting for, but should be included in protocols for future detection."

Besides encrypting files, some LockerGoga variants had code that actually made it harder for the victims to pay ransom. This included changing administrator passwords and logging users of. This suggests the attackers' objectives may have included additional goals beyond traditional ransomware, such as cyber sabotage.

You can see more detail in the full report available from the Securonix website.

Photo credit: wsf-s / Shutterstock