WatchPoint Security Blog

Norsk Hydro Hit by LockerGoga Ransomware

Written by Jordan Kadlec | March 19, 2019

Norsk Hydro, one of the largest aluminum producers in the world, has been forced to switch to partial manual operations due to a ransomware attack. The company announced Tuesday that it was the target of an extensive ransomware attack that is allegedly pushing LockerGoga. According to Norsk officials, the attack was detected on Monday evening and escalated throughout the night.

LockerGoga Ransomware

LockerGoga is a relatively new ransomware variant that initially gained public attention in January in an attack against Altran Technologies, an engineering consulting firm operating out of Paris, France. Research into that initial LockerGoga attack found the ransomware to be very slow, because it spawned a separate process each time it encrypted a file. Furthermore, the ransomware was found to be sloppy in the sense that it made no effort to evade detection.

While LockerGoga appeared to be sloppy, it was found to be signed with a valid certificate, increasing the chances of its deployment on victim hosts without raising suspicion. However, users who pay attention to the Windows prompt asking them to authorize the signed executable would notice that something was not right.

When executed, the ransomware will target files of the following types: DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF. Upon encryption, the ransomware appends .locked to each encrypted file. Initial research also found that, unlike many newer ransomware variants, LockerGoga does not delete volume shadow copies, making recovery from the attack much easier.

When the ransomware has finished encrypting files, it drops a ransom note named README-NOW.txt on the desktop. As the ransom note (pictured in the original post) shows, the operators target companies and offer to decrypt a few files for free to prove they hold the decryption key.
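The artifacts described in the two paragraphs above (the .locked suffix, the list of targeted document types, and the README-NOW.txt note) are enough for a first-pass triage of a share or host. The following script is an added example and not code from the original post or from any Norsk Hydro or LockerGoga analysis: it walks a directory tree, tallies .locked files by their original extension, and records where ransom notes were found. The demo directory layout and its file names are constructed for the example; only the indicators themselves come from the post.

```python
"""Triage helper: tally the LockerGoga artifacts described in the post.

Indicators taken from the post: encrypted files get a ".locked" suffix, the
list of targeted document types, and a ransom note named README-NOW.txt.
The demo directory built by build_demo_tree() is constructed for this example.
"""
import os
import tempfile
from collections import Counter

# Extensions the post lists as targets, lower-cased for comparison.
TARGETED_EXTENSIONS = {
    ".doc", ".dot", ".wbk", ".docx", ".dotx", ".docb", ".xlm", ".xlsx",
    ".xltx", ".xlsb", ".xlw", ".ppt", ".pot", ".pps", ".pptx", ".potx",
    ".ppsx", ".sldx", ".pdf",
}
ENCRYPTED_SUFFIX = ".locked"
RANSOM_NOTE_NAME = "README-NOW.txt"


def classify(filename):
    """Return (kind, original_extension) for one file name.

    kind is "note" for the ransom note, "locked" for an encrypted file
    (with the extension the file had before ".locked" was appended),
    or None for anything else.
    """
    if filename == RANSOM_NOTE_NAME:
        return "note", None
    if filename.lower().endswith(ENCRYPTED_SUFFIX):
        original = filename[: -len(ENCRYPTED_SUFFIX)]
        return "locked", os.path.splitext(original)[1].lower()
    return None, None


def scan_for_lockergoga_indicators(root):
    """Walk `root` and tally artifacts matching the post's description."""
    report = {
        "locked_files": 0,
        "locked_targeted_types": 0,  # .locked files whose original type is on the list
        "locked_by_extension": Counter(),
        "ransom_notes": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind, ext = classify(name)
            if kind == "note":
                report["ransom_notes"].append(os.path.join(dirpath, name))
            elif kind == "locked":
                report["locked_files"] += 1
                report["locked_by_extension"][ext] += 1
                if ext in TARGETED_EXTENSIONS:
                    report["locked_targeted_types"] += 1
    return report


def build_demo_tree():
    """Create a constructed directory that mimics an affected host; returns its path."""
    root = tempfile.mkdtemp(prefix="lockergoga-demo-")
    layout = {
        "Desktop/README-NOW.txt": "constructed ransom note placeholder",
        "Documents/budget.xlsx.locked": "",
        "Documents/report.docx.locked": "",
        "Documents/notes.txt": "untouched: not a targeted type",
        "Documents/archive/scan.pdf.locked": "",
        "Documents/archive/photo.jpg": "untouched",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def demo_report():
    """Build the constructed tree and scan it; used by the usage block below."""
    return scan_for_lockergoga_indicators(build_demo_tree())


if __name__ == "__main__":
    result = demo_report()
    print(f"ransom notes : {len(result['ransom_notes'])}")
    print(f"locked files : {result['locked_files']} "
          f"({result['locked_targeted_types']} of targeted types)")
    for ext, n in sorted(result["locked_by_extension"].items()):
        print(f"  {ext or '<none>'}: {n}")
```

Run it against a real share by calling `scan_for_lockergoga_indicators("/path/to/share")` instead of the demo tree; a non-zero `locked_files` count alongside a ransom note path is the combination worth escalating. Because the post notes that LockerGoga left volume shadow copies intact, the same triage pass is a good moment to confirm on affected Windows hosts that those copies still exist before any cleanup touches them.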

LockerGoga’s Attack on Norsk Hydro

Cyber attacks on industrial companies are an increasing concern, and the ransomware attack on Norsk provided the latest example. The ransomware attack on Norsk forced the company to switch to manual operations as much as possible. In a statement released by company officials, “IT systems in most business areas are impacted.” While the company is based out of Norway, Norsk’s smelters in Norway, Qatar, and Brazil were all operating manually on Tuesday.

An investigation is underway as to the full extent of the ransomware attack; however, Colin Hamilton, managing director for commodities research at BMO Capital Markets Ltd., believes Norsk has its work cut out for it.

“They’ll probably have to halt pretty much everything in the short term as they work out a back-up plan,” Hamilton commented. “Operationally, this is distinctly challenging.”

Aside from impacting the overall operations of Norsk, the company’s stock took a hit immediately after news reached markets. On Tuesday, Norsk’s stock price fell over three percent; however, unless there is a major disruption in the supply of metal from the company’s primary production line, the price of metal is expected to remain steady.

As more details emerge about the attack or LockerGoga ransomware, we will surely keep you updated.

Title photo credit: Bloomberg.com

Ransom note photo credit: BleepingComputer