LOCKERGOGA

Priority: High

Executive Summary: Norsk Hydro, a Norwegian metals and renewable energies company, has been hit with a severe ransomware infection across their network. Information from NorCERT strongly indicates that the ransomware is LockerGoga, however this is yet to be confirmed by Norsk Hydro. This information also specifies that the attack is spread by targeting Active Directory (AD) but does not detail the methods or exploits involved.

Security researchers investigating LockerGoga have described how the code is ‘slow, sloppy and [makes] no effort to avoid detection’. Its signatures are detected by a number of antivirus vendors, implying that proper antivirus implementation should be capable of detecting and removing the malware. However, it has now successfully spread across two company networks; Norsk Hydro and Altran Technologies.

Whilst the details on the attack vectors are limited, it is believed that the infection originated from a malicious email opened by a user. This is widely considered to be the easiest method of launching an attack on a corporate network currently. From here, the malware is believed to have targeted AD to perform lateral movement, however no information has been released detailing how the ransomware spread across Norsk Hydro’s network.

The attack appears to have been particularly effective against ICS systems at the company. These are often neglected for security updates due to reliance on legacy systems and use of bespoke communication protocols.

Whilst Norsk Hydro did not defend and monitor their network sufficiently from the attack, the company claims it has a well-structured backup system which, after isolating and removing the threat, they plan to restore from as quickly as possible. The company have been elusive on discussing the malware, the point of infection, the method of lateral movement and the range of systems affected.

Detect: Malware signatures available to ITC indicate a number of antivirus vendors are capable of detecting and responding to the ransomware.

The malware is known to create the following files:

  • [PATH TO MALWARE]\svch0st.5817.exe
  • %Temp%\svchub.[RANDOM NUMBER].exe
  • %Temp%\svch0st.[RANDOM NUMBER].exe
  • %SystemDrive%\Documents and Settings\All Users\Desktop\README-NOW.txt
  • %SystemDrive%\README-NOW.txt

Where [RANDOM NUMBER] can contain 4-6 digits. This has been reported as local file creation, however it is possible the malware propagated by writing these files over SMB, particularly if SMBv1 was in use. The ‘README-NOW.txt’ file is a ransom note which is displayed to the user following encryption containing a contact to be communicated with for payment information. The note states ‘The payment has to be made in Bitcoins.’ The encryption itself targets the following file extensions:

.doc
.docb
.docx
.dot
.dotx
.pdf
.pot
.potx
.pps
.ppsx
.ppt
.pptx
.sldx
.wbk
.xlm
.xlsb
.xlsx
.xltx
.xlw

Appending ‘.locker’ to the end of each of the affected files.

There are two email addresses that the ransom note is known to list for contacts, which are:

Any contact with these addresses should therefore also be treated as suspicious. The threat actors are likely to be running a number of email addresses under ProtonMail and O2.

ITC Managed Service Customers: For ITC customers that have a Behavioral Analytics service, ITC have already created and released a threat model to detect this ransomware.

Prevent: As there are no explicit details on the ransomware and the lateral movement vector(s), there are no known specific prevention methods against this attack. As always, proper antivirus implementation, kept up-to-date, will greatly assist in the prevention of ransomware attacks on single devices.

Good security practice will always be effective in preventing the ability of malware to propagate across a network. Some notable effective practices include enforcing a good password policy to prevent accounts being easily bruteforced; the principle of least privilege for any accounts; and the use of up-to-date, secure file transfer and authentication methods. It is also key to educate users on good security practice, particularly in the case of recognising phishing emails and not opening suspicious attachments or clicking links without ensuring they are safe.

React: Ensure antivirus installations are up-to-date and monitor for any indicators of compromise. Furthermore, it is worth confirming that all backup systems are operating as expected.

Customers with ITC Behavioural Analytics service will be updated to specifically detect the IOCs discussed.

Sources: 
[1] https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/
[2] https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/
[3] https://www.symantec.com/security-center/writeup/2019-020708-2202-99#removal