LockerGoga Ransomware threat

LockerGoga Ransomware

A threat report warns of new LockerGoga ransomware activity disrupting networks of industrial and manufacturing organizations in Norway and in the U.S.

The Multi-State Information Sharing & Analysis Center (MS-ISAC) issued the report on March 28th and said the ransomware does not directly target industrial control systems (ICS), but its effects can cripple both business and production networks. The result is often costly downtime for organizations that fall victim to such ransomware attacks.

The report mentions most of the victims reside in the industrial and manufacturing sector. For instance, some LockerGoga victims include Norsk Hydro (an aluminum manufacturer from Norway), Hexion and Momentive (from the U.S.) and Altran (engineering consulting firm from France).

The LockerGoga ransomware attack on Altran was first publicly reported by Bleeping Computer back in January. Norsk Hydro, Hexion and Momentive were each more recent victims of a new LockerGoga variant found in the wild.

Security researchers dubbed the malware LockerGoga after the name was spotted in a file path embedded in the binary, left over from compiling the source code into an executable. The malware also appends a “.locked” extension to the files it encrypts.

The MS-ISAC report also noted that the malware was signed with valid code-signing certificates, which helped it fly under the radar of monitoring software that trusts signed binaries. The certificates used in the latest round of attacks have since been revoked, so a signature check against current revocation data will now flag these samples.

The only silver lining in the otherwise bad news is that LockerGoga does not (yet) propagate across the network automatically. The remote attacker has to deploy the malware to each system manually.

Palo Alto Networks’ Unit 42 wrote in a report last week that it had observed “LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer.”
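Two of the behaviours described above, executables copied to other hosts over SMB and files renamed with a “.locked” extension, are easy to look for in file-activity telemetry. The script below is an added example written for this page; it is not code from MS-ISAC, Unit 42 or the original article. It parses constructed sample records (a hypothetical `timestamp|host|source|action|path` format standing in for EDR or Sysmon file events) and runs two heuristics: remote creation of executable files on administrative shares such as `C$` or `ADMIN$`, and a burst of `.locked` renames on one host within a short window. The thresholds, share names and record format are assumptions, not anything the page specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-activity records for this example (not real telemetry).
# Format assumed here: ISO timestamp | host | source | action | path
# "source" is "local" for local activity or the remote IP that wrote over SMB.
SAMPLE_EVENTS = r"""
2019-03-19T02:00:01|WS01|192.168.10.5|create|\\WS01\C$\Windows\Temp\svch.exe
2019-03-19T02:00:02|WS01|192.168.10.5|create|\\WS01\ADMIN$\Temp\run.bat
2019-03-19T02:00:09|WS01|local|rename|C:\Users\a\Docs\q1.xlsx -> C:\Users\a\Docs\q1.xlsx.locked
2019-03-19T02:00:10|WS01|local|rename|C:\Users\a\Docs\q2.xlsx -> C:\Users\a\Docs\q2.xlsx.locked
2019-03-19T02:00:11|WS01|local|rename|C:\Users\a\Docs\plan.docx -> C:\Users\a\Docs\plan.docx.locked
2019-03-19T02:00:12|WS01|local|rename|C:\Users\a\Docs\cad.dwg -> C:\Users\a\Docs\cad.dwg.locked
2019-03-19T02:00:13|WS01|local|rename|C:\Users\a\Docs\bom.csv -> C:\Users\a\Docs\bom.csv.locked
2019-03-19T09:15:00|WS02|local|rename|C:\Users\b\notes.txt -> C:\Users\b\notes.txt.locked
2019-03-19T09:30:00|WS02|192.168.10.7|create|\\WS02\C$\Users\b\report.pdf
"""

# Matches UNC paths into the default administrative shares, e.g. \\HOST\C$\... or \\HOST\ADMIN$\...
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(C\$|ADMIN\$)\\", re.IGNORECASE)
# Extensions treated as executable payloads or launcher scripts (assumed list).
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1")


def parse_events(text):
    """Parse the pipe-delimited sample records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, source, action, path = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "source": source,
            "action": action,
            "path": path,
        })
    return events


def remote_admin_share_drops(events):
    """Flag executables written to C$/ADMIN$ by a remote source: manual SMB staging."""
    findings = []
    for e in events:
        if e["action"] != "create" or e["source"] == "local":
            continue
        if ADMIN_SHARE_RE.match(e["path"]) and e["path"].lower().endswith(EXEC_EXT):
            findings.append({
                "rule": "remote-admin-share-drop",
                "host": e["host"],
                "source": e["source"],
                "path": e["path"],
                "ts": e["ts"].isoformat(),
            })
    return findings


def locked_rename_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a host where at least `threshold` renames to .locked occur inside `window`.

    A single .locked rename is not suspicious on its own; a burst is the
    encryption loop running. Thresholds are assumptions to tune per environment.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["action"] == "rename" and e["path"].lower().endswith(".locked"):
            per_host[e["host"]].append(e["ts"])

    findings = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({
                    "rule": "locked-rename-burst",
                    "host": host,
                    "count": end - start + 1,
                    "first": times[start].isoformat(),
                })
                break  # one finding per host is enough
    return findings


def analyze(text):
    """Run both heuristics over the records and return all findings."""
    events = parse_events(text)
    return remote_admin_share_drops(events) + locked_rename_bursts(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the constructed records the script reports two remote drops on WS01 (`svch.exe` and `run.bat`) and one rename burst on WS01, while WS02 produces nothing: its single `.locked` rename stays under the burst threshold and the remote write there is a PDF, not an executable. In a real deployment the same two rules map onto Sysmon event ID 11 (file create) and EDR rename events, with the share list and thresholds adjusted to the environment.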

The security experts also warned that LockerGoga’s developers continue to add new capabilities, such as importing WS2_32.dll (the Windows Winsock networking library) and calling undocumented Windows APIs, which could pave the way for automated spreading or command-and-control (C2) communication in future versions.

The Unit 42 report also provides additional details on the origin of the threat, as well as its characteristics, the encryption used, its development cycle and indicators of compromise.