Ransomware infections in general may have trailed off, but the LockerGoga ransomware and the chaos it caused for Norwegian metal maker Norsk Hydro show that businesses can't ignore the threat yet.
Business email compromise (BEC) and crypto-miners are now considered the main threats to consumers based on recent 2018 figures. But just like BEC fraud, which cost organizations $2.7bn in the US alone last year, according to the FBI's latest figures, the threat of targeted ransomware attacks remains very real for large organizations.
A week after Norsk Hydro's March revelation it had been hit by a "severe" case of ransomware, thought to be LockerGoga, the company reported the incident caused losses equivalent to USD$40 million.
Norsk Hydro claimed to have solid backups of its data that it would use to avoid paying the attacker’s ransom demand and cyber security insurance to cover business costs.
But organizations today can’t be sure what type of attack they’re facing following the WannaCry and NotPetya malware attacks of 2017, which appeared to be ransomware but were later deemed state-sponsored attacks that were designed to destroy a target’s data.
These incidents were blamed on North Korea and Russia, respectively. LockerGoga appears to be a profit-making exercise, but there are suspicions it could be a blend of both.
Researchers from Cisco's Talos Intelligence security unit reported that LockerGoga displayed some characteristics that would put it in the realm of destructive malware such as Destover, which wiped files from infected computers at Sony Pictures Entertainment in 2014.
According to Talos researchers, LockerGoga “straddles the line” between ransomware and Destover-like malware. That would be closer to NotPetya and WannaCry, which asked for a ransom payment without offering a realistic recovery option after a payment was made.
McAfee’s advanced threat research (ATR) group’s assessment of LockerGoga is that it is unique in its “ability to spawn different processes in order to accelerate the file encryption in the system”.
Its second point is that the LockerGoga ransomware needs to be executed from a "privileged account".
UK security expert Kevin Beaumont noted in his analysis of LockerGoga that it was likely spread within Norsk Hydro using a hijacked domain administrator account through Microsoft’s Active Directory, an identity management system for Windows domains.
Cisco’s Talos researchers deemed certain encryption routines used by LockerGoga “inefficient” since it encrypted individual files.
McAfee researchers saw things slightly differently, describing a master-slave arrangement in which multiple slave processes each encrypt only enough files to stay below what antivirus heuristic analysis would flag as suspicious behavior.
“The ransomware creates multiple slave processes on the endpoint to encrypt files. Some analysts believe this is the case simply because it speeds up the encryption process, but we are not convinced as the same outcome can be achieved via a multi-threaded approach in the ransomware process instead of a multi-process approach,” a McAfee researcher noted.
McAfee researchers also believe the attackers were aiming to bypass sandbox-based detection systems that trigger when the number of files written to a system exceeds a certain limit.
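An added illustration of the defensive consequence (this is example code, not from the article or from the researchers it cites): a per-process file-write threshold misses the pattern McAfee describes, while counting writes across the whole process tree catches it. The process and file-write records are constructed sample telemetry of the kind Sysmon process-creation and file-create events would provide; the pids, image names and paths are made up.

```python
from collections import defaultdict

# Constructed sample telemetry: one parent spawns three worker processes,
# each of which writes only four files. An unrelated process writes one file.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "parent.exe"},
    {"type": "proc", "pid": 101, "ppid": 100, "image": "parent.exe"},
    {"type": "proc", "pid": 102, "ppid": 100, "image": "parent.exe"},
    {"type": "proc", "pid": 103, "ppid": 100, "image": "parent.exe"},
    {"type": "proc", "pid": 200, "ppid": 1, "image": "winword.exe"},
] + [
    {"type": "write", "pid": pid, "path": f"C:\\data\\f{pid}_{i}.docx.locked"}
    for pid in (101, 102, 103) for i in range(4)
] + [
    {"type": "write", "pid": 200, "path": "C:\\data\\report.docx"},
]


def build_parent_map(events):
    """pid -> ppid for every process creation we observed."""
    return {e["pid"]: e["ppid"] for e in events if e["type"] == "proc"}


def root_of(pid, parents):
    """Walk up the tree to the top-most ancestor we have a creation record for."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def writes_per_process(events):
    """Naive view: file writes attributed to the pid that made them."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "write":
            counts[e["pid"]] += 1
    return dict(counts)


def writes_per_tree(events):
    """Tree view: every write is charged to the root ancestor of the writer."""
    parents = build_parent_map(events)
    counts = defaultdict(int)
    for pid, n in writes_per_process(events).items():
        counts[root_of(pid, parents)] += n
    return dict(counts)


def flag_trees(events, threshold=10):
    """Root pids whose whole process tree wrote at least `threshold` files."""
    return sorted(r for r, n in writes_per_tree(events).items() if n >= threshold)
```

With a threshold of 10, no single worker trips the per-process count (each wrote 4 files), but the tree rooted at pid 100 is charged 12 writes and is flagged.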
The security company also noted a number of mistakes on the part of LockerGoga's makers.
"We did not see any spreading method used to deliver LockerGoga so it would be fair to assume it is used in targeted campaigns after the attackers had access to the system. At the time of this analysis, all the samples are not packed, or have complex methods of protection from being executed inside a sandbox system, though this could change in the near future.
Also, during the analysis, we observed LockerGoga encrypting legitimate DLLs, breaking the functionality of certain applications in the system, and also ciphering itself during the process, causing a crash."