LockerGoga is a ransomware family recently making headlines due to its disruptive effects on the networks of industrial and manufacturing firms. Its recent victims include the Norwegian aluminum manufacturer Norsk Hydro, the French engineering consulting firm Altran, and the U.S. chemical companies Hexion and MPM Holdings (Momentive). The ransomware does not target or infect ICS systems, but its debilitating effect on the business and production networks tied to those industrial systems results in costly production downtime. In the Norsk Hydro case, this involved temporarily moving to manual production. LockerGoga reportedly targets other sectors as well, although a disproportionate number of victims are in the industrial/manufacturing sector.
HunterTeam named the malware LockerGoga after discovering the name in a file path left in the binary when its source code was compiled into an executable. The ransomware appends a .locked file extension to the files it encrypts.
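The .locked extension is the most visible artifact an encryption run leaves behind, and a burst of such writes from a single process is a practical detection signal. The following is an added example, not code from the original write-up or from any vendor named in it: it scans constructed file-write telemetry (the CSV layout, host names and process name are all assumptions for this illustration) and flags any host where one process produces a threshold number of .locked files within a short time window.

```python
# Added example: detect bursts of ".locked" file writes per (host, process).
# The event format "timestamp,host,process,path" and all sample rows below are
# constructed for this illustration; real telemetry would come from an EDR or
# file-system audit feed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. WS02 shows a burst of six ".locked" writes in
# five seconds; WS03 shows two isolated ".locked" writes fifteen minutes apart.
SAMPLE_EVENTS = r"""
2019-03-19T08:00:01,WS01,explorer.exe,C:\Users\alice\report.docx
2019-03-19T08:00:02,WS01,WINWORD.EXE,C:\Users\alice\report.docx
2019-03-19T08:00:59,WS02,explorer.exe,C:\Users\bob\budget.xlsx
2019-03-19T08:01:00,WS02,sample_payload.exe,C:\Users\bob\budget.xlsx.locked
2019-03-19T08:01:01,WS02,sample_payload.exe,C:\Users\bob\q1.xlsx.locked
2019-03-19T08:01:02,WS02,sample_payload.exe,C:\Users\bob\q2.xlsx.locked
2019-03-19T08:01:03,WS02,sample_payload.exe,C:\Users\bob\memo.docx.locked
2019-03-19T08:01:04,WS02,sample_payload.exe,C:\Users\bob\plan.pptx.locked
2019-03-19T08:01:05,WS02,sample_payload.exe,C:\Users\bob\notes.txt.locked
2019-03-19T08:05:00,WS03,archiver.exe,C:\Share\old\a.bak.locked
2019-03-19T08:20:00,WS03,archiver.exe,C:\Share\old\b.bak.locked
"""


def parse_events(text):
    """Parse the constructed CSV rows into (timestamp, host, process, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), host, proc, path))
    return events


def detect_locked_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (host, process) whose peak count of ".locked" writes
    inside any sliding window of length `window` reaches `threshold`."""
    by_key = defaultdict(list)
    for ts, host, proc, path in events:
        if path.lower().endswith(".locked"):
            by_key[(host, proc)].append(ts)

    alerts = []
    for (host, proc), times in by_key.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"host": host, "process": proc, "peak_count": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_locked_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['host']}: {alert['process']} wrote "
              f"{alert['peak_count']} .locked files within 60s")
```

The threshold and window are deliberately conservative: a single legitimate application that happens to use a .locked suffix would not trip the rule, while an encryption run that touches whole user profiles in seconds will.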
At this time, the initial intrusion vector is unknown. The ransomware’s code is digitally signed with valid code-signing certificates, which could let it evade security tools that trust signed binaries and so get onto systems. The certificates used in known attacks have since been revoked. The cyber threat actors (CTAs) reportedly use Metasploit and Cobalt Strike to move laterally across a network. They also reportedly use the Mimikatz tool to extract credentials from memory in order to compromise other accounts, including those with higher privileges.
It is believed that they then use admin-level credentials to target an organization’s Active Directory for widespread ransomware deployment. LockerGoga reportedly has no self-propagation mechanism, meaning that the malware itself cannot spread across the network and must be deployed manually. However, Palo Alto Networks Unit 42 reports they observed: “LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer.”
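Manual copying over SMB with administrative credentials has a distinctive shape in share-access telemetry: one account reaching the administrative shares of many hosts in a short period. The following is an added example, not code from the original write-up or from Unit 42: it runs over constructed share-access records (the CSV layout, account names, hosts and addresses are assumptions for this illustration) and flags any account whose distinct admin-share targets inside a sliding window reach a threshold. On Windows, the corresponding real-world source is Security event 5145 (detailed file share access), which has to be enabled through audit policy.

```python
# Added example: detect one account fanning out to the administrative shares
# (ADMIN$, C$) of many hosts within a short window, the pattern that manual
# SMB copying with admin credentials produces. The record format
# "timestamp,account,source_ip,target_host,share" and every sample row are
# constructed for this illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample: svc_deploy touches five distinct hosts' admin shares in
# three minutes; jdoe uses one host; adm_backup touches two hosts hours apart.
SAMPLE_RECORDS = r"""
2019-03-19T02:00:00,CORP\svc_deploy,10.0.0.5,SRV01,ADMIN$
2019-03-19T02:00:05,CORP\jdoe,10.0.1.20,FS01,Finance
2019-03-19T02:00:10,CORP\jdoe,10.0.1.20,FS01,C$
2019-03-19T02:00:30,CORP\svc_deploy,10.0.0.5,SRV02,ADMIN$
2019-03-19T02:01:10,CORP\svc_deploy,10.0.0.5,SRV03,C$
2019-03-19T02:01:45,CORP\svc_deploy,10.0.0.5,SRV04,ADMIN$
2019-03-19T02:02:20,CORP\svc_deploy,10.0.0.5,SRV05,ADMIN$
2019-03-19T02:03:00,CORP\svc_deploy,10.0.0.5,SRV01,ADMIN$
2019-03-19T09:00:00,CORP\adm_backup,10.0.0.9,SRV01,ADMIN$
2019-03-19T15:00:00,CORP\adm_backup,10.0.0.9,SRV02,ADMIN$
"""


def parse_records(text):
    """Parse constructed rows into (timestamp, account, source_ip, host, share)."""
    records = []
    for line in text.strip().splitlines():
        ts, account, src, host, share = line.split(",", 4)
        records.append((datetime.fromisoformat(ts), account, src, host, share))
    return records


def detect_share_fanout(records, window=timedelta(minutes=10), threshold=3):
    """Return one alert per account whose number of distinct hosts with
    admin-share access inside any sliding window reaches `threshold`."""
    by_account = defaultdict(list)
    for ts, account, _src, host, share in records:
        if share.upper() in ADMIN_SHARES:
            by_account[account].append((ts, host))

    alerts = []
    for account, rows in by_account.items():
        rows.sort()
        in_window = Counter()   # host -> accesses currently inside the window
        start = 0
        peak = 0
        for ts, host in rows:
            in_window[host] += 1
            # Expire accesses older than the window, dropping hosts that fall to zero.
            while ts - rows[start][0] > window:
                old_host = rows[start][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"account": account, "distinct_hosts": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_share_fanout(parse_records(SAMPLE_RECORDS)):
        print(f"ALERT {alert['account']} reached admin shares on "
              f"{alert['distinct_hosts']} hosts within 10 minutes")
```

Deployment tooling and backup agents legitimately reach many admin shares, so in practice this rule is paired with an allow-list of known service accounts and source hosts; an unfamiliar account or workstation fanning out this way is what merits investigation.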
Cisco’s Talos group observed that some LockerGoga variants forcibly log victims off their devices. Victims are then unable to log back on, which also means they may never see the ransom note.
LockerGoga reportedly does not use command-and-control (C2) infrastructure, either for communication or to generate encryption keys. This is a novel feature, and its purpose may be to evade security tools that look for malicious C2 traffic.
Indicators of Compromise