Attacks using the LockerGoga ransomware may not be as widespread as WannaCry, which exposed how poor cybersecurity practice was across organisations of every size in May 2017, but the highly targeted malware is proving just as costly for the industrial firms it hits.
Norsk Hydro, one of the world’s largest producers of aluminium, became its latest target last month. The attack forced the company to switch to manual operations, significantly reducing production in some departments and costing the company more than £40m in damages and losses.
That followed past attacks on French engineering firm Altran and manufacturing companies Hexion and Momentive.
Cybersecurity company Securonix has been monitoring the LockerGoga ransomware to see how it infiltrates businesses, avoids cybersecurity protection and wreaks havoc on a network, as detailed in its recent threat report.
How is LockerGoga infiltrating company networks?
Exactly how LockerGoga ends up on a company network is unclear. However, Securonix believes that the payload may be delivered through phishing campaigns using seemingly harmless Microsoft Office or RTF attachments that carry malicious macros.
Using spear phishing (phishing attempts that are targeted towards a particular individual or organisation), file types typically shared among businesses are proving an easy way for cybercriminals to catch out their targets. The use of Office documents to spread malware has been rapidly increasing of late. According to cybersecurity company SonicWall, there was a 34% increase in these attempts last year, while Barracuda estimates that Word or PDF attachments are used in 48% of phishing attempts.
The payload is signed with a code-signing certificate issued by a trusted certificate authority. A valid signature only proves that the file has not been altered since the certificate holder signed it, not that it is safe, but many antivirus products treat signed binaries as lower risk, so the payload goes undetected.
As a further precaution, LockerGoga has also been seen to execute system commands that disable security software, and to clear event logs to remove any trace of its actions.
Once a foothold has been established, the threat actor can begin spreading the malicious files around the network. The LockerGoga attackers don't seem to have one set way of doing this. Securonix saw evidence of the payload being moved through the network over the Windows Server Message Block (SMB) file-sharing protocol, as well as through Active Directory management services using a highly privileged (superuser) account.
What happens once LockerGoga has infected your system?
Once the ransomware has infiltrated its target, the payload is moved to the %TEMP% directory and executes a process that begins encrypting files on the system. The following file types are targeted by LockerGoga:
Word processor files: .doc, .dot, .docx, .docb, .dotx, .wkb
Code and data files: .xml, .posx, .db, .sql, .cs, .ts, .js, .py
Excel files: .xlm, .xls, .xlsx, .xlt, .xltx, .xlsb, .xlw
PowerPoint files: .ppt, .pps, .pot, .ppsx, .pptx, .potx, .sldx
PDF files: .pdf
These files become encrypted and inaccessible unless the encryption is broken or a ransom is paid. It is unclear how much the threat actor demands in return for access to the files. However, according to MalwareHunterTeam, the research group behind a website that lets victims identify which ransomware strain has infected their systems, some victims have handed over six-figure sums to regain access to their files.
While financial gain appears to be the ultimate goal for the cybercriminals behind the LockerGoga attacks, the ransomware doesn't make it easy for victims to pay up. According to Securonix, the malicious file has been seen to change the passwords of admin accounts on infected systems, effectively locking administrators out completely.
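The three behaviours described above (the event log being cleared, admin passwords being reset, and a process running from %TEMP% rewriting files of the listed types) can all be spotted in Windows Security event records. The following Python triage routine is an added example written for this page; it is not code from Securonix's report or from the article. The event IDs are the standard Windows ones (1102 audit log cleared, 4724 password reset on another account, 4663 object access); the event records, process and account names, the `ADMIN_ACCOUNTS` set and the five-file threshold are all constructed assumptions for the example.

```python
import os
from collections import Counter

# Extensions the article lists as LockerGoga's targets, each with its
# leading dot (the printed list drops a few).
LOCKERGOGA_EXTENSIONS = {
    ".doc", ".dot", ".docx", ".docb", ".dotx", ".wkb",
    ".xml", ".posx", ".db", ".sql", ".cs", ".ts", ".js", ".py",
    ".xlm", ".xls", ".xlsx", ".xlt", ".xltx", ".xlsb", ".xlw",
    ".ppt", ".pps", ".pot", ".ppsx", ".pptx", ".potx", ".sldx",
    ".pdf",
}

# Standard Windows Security event IDs used as indicators.
EVENT_LOG_CLEARED = 1102   # "The audit log was cleared"
PASSWORD_RESET = 4724      # "An attempt was made to reset an account's password"
OBJECT_ACCESS = 4663       # "An attempt was made to access an object"

# Assumptions for this example: which accounts count as admin, and how many
# targeted files one process must write before we call it mass encryption.
ADMIN_ACCOUNTS = {"Administrator", "svc_backup"}
MASS_WRITE_THRESHOLD = 5


def is_targeted(path):
    """True if the file carries one of the extensions LockerGoga encrypts."""
    return os.path.splitext(path)[1].lower() in LOCKERGOGA_EXTENSIONS


def runs_from_temp(image_path):
    """True if the process image sits under a Temp directory (e.g. %TEMP%)."""
    return "temp" in image_path.replace("/", "\\").lower().split("\\")


def triage(events):
    """Return the LockerGoga-style behaviours found in a list of event dicts."""
    findings = {"log_cleared": [], "admin_password_reset": [], "mass_encryption": {}}
    writes = Counter()
    for ev in events:
        eid = ev["id"]
        if eid == EVENT_LOG_CLEARED:
            findings["log_cleared"].append(ev["subject"])
        elif eid == PASSWORD_RESET and ev["target"] in ADMIN_ACCOUNTS:
            findings["admin_password_reset"].append((ev["subject"], ev["target"]))
        elif (eid == OBJECT_ACCESS and ev["access"] == "WriteData"
              and is_targeted(ev["object"]) and runs_from_temp(ev["process"])):
            writes[ev["process"]] += 1
    findings["mass_encryption"] = {p: n for p, n in writes.items()
                                   if n >= MASS_WRITE_THRESHOLD}
    return findings


# Constructed sample records (not real telemetry): a payload dropped in
# %TEMP% rewriting five targeted files, one untargeted file, a legitimate
# Word save, the log being cleared, and two password resets.
TEMP_PAYLOAD = r"C:\Users\bob\AppData\Local\Temp\payload.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def _write(process, obj):
    return {"id": OBJECT_ACCESS, "process": process, "object": obj, "access": "WriteData"}


SAMPLE_EVENTS = [
    _write(TEMP_PAYLOAD, r"D:\share\finance\report.docx"),
    _write(TEMP_PAYLOAD, r"D:\share\finance\budget.xlsx"),
    _write(TEMP_PAYLOAD, r"D:\share\sales\deck.pptx"),
    _write(TEMP_PAYLOAD, r"D:\share\dev\schema.sql"),
    _write(TEMP_PAYLOAD, r"D:\share\legal\contract.pdf"),
    _write(TEMP_PAYLOAD, r"D:\share\readme.txt"),          # not a targeted type
    _write(WINWORD, r"D:\share\finance\report.docx"),      # normal application
    {"id": EVENT_LOG_CLEARED, "subject": "CORP\\bob"},
    {"id": PASSWORD_RESET, "subject": "CORP\\bob", "target": "Administrator"},
    {"id": PASSWORD_RESET, "subject": "CORP\\helpdesk", "target": "alice"},  # ordinary reset
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Two caveats for anyone adapting this: 4663 records only appear for files whose audit SACL and the "Audit File System" policy are enabled, so the mass-write check is blind on shares that are not audited; and because the malware clears the log, the records have to be forwarded to a collector as they are written, since the local copy may be gone by the time anyone looks.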
How can businesses protect against the LockerGoga ransomware?
Securonix proposed five ways to protect against this sort of attack, or at least to minimise the impact that a compromised device would have on the business.
Such attacks highlight the importance of end-user cybersecurity awareness. Given LockerGoga's ability to spread across a network, it takes just one employee opening a malicious attachment or link to bring a business to its knees.
Likewise, they stress the importance of making regular backups, kept offline or otherwise out of reach of the accounts and file shares the malware spreads through, and of ensuring that operating system, software and firmware patches are up to date.
To maximise protection, businesses should also consider additional controls that block the techniques LockerGoga relies on, such as macro-laden attachments, execution from %TEMP% and lateral movement over SMB and Active Directory, and enable folder protection so that the malicious software cannot reach important files.
Chris Wysopal, CTO of application security firm Veracode, previously suggested that separating connected devices from industrial systems could have reduced the impact of the Norsk Hydro attack by ensuring that production could continue as normal despite disruption to IT systems.