LockerGoga: An insight into the ransomware that targets industrial and manufacturing companies

• LockerGoga infected companies include Altran Technologies, Norsk Hydro, Hexion, and Momentive.
• The ransomware was first spotted on January 24, 2019, when it infected Altran Technologies, forcing the French company to shut down its IT network and all applications.

LockerGoga is a ransomware that primarily targets industrial and manufacturing companies. LockerGoga infected companies include Altran Technologies, Norsk Hydro, Hexion, and Momentive.

The ransomware was first spotted on January 24, 2019, when it infected Altran Technologies, forcing the French company to shut down its IT network and all applications. On the same day, the ransomware sample was added to the VirusTotal for the first time.

• A security researcher noted that the ransomware exploits file formats such as DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF.
• After encrypting the files, LockerGoga appends the .locked extension to the encrypted file’s names.
• The ransomware then drops a ransom note named ‘README-NOW.txt’ on the desktop, which contains instructions to contact the CottleAkela@protonmail.com or QyavauZehyco1994@o2.pl email addresses for payment instructions.

Signed with a valid certificate

A reverse engineer from McAfee detected that the ransomware strain is signed with a valid certificate. Furthermore, the researcher noted that the certificate is issued by the Comodo Certificate Authority and has been revoked.

BleepingComputer tested the ransomware sample and found that the code was very slow and made no effort to evade detection. Researchers noted that during the test, the sample launched itself with the -w command line argument and created a new process for each file it encrypted, which caused the encryption process to be very slow.

Norsk Hydro attack

LockerGoga ransomware hit Norsk Hydro impacting its operations and IT systems in most of the business areas across the world. The ransomware attack forced the aluminum giant to switch its operations to a manual mode.

A week after the ransomware attack, Norsk Hydro estimated that total losses from the incident have reached over $40 million.

Brings down two US chemical companies

LockerGoga infected two American chemicals companies Hexion and Momentive, forcing the companies to order hundreds of new computers. In response to the attack, Momentive issued new email accounts to its employees who were affected by the ransomware attack, as well as created a new domain to supplement the email accounts.

Coding error in LockerGoga

Security researchers from Alert Logic noted that the LockerGoga ransomware contains an error in its code that could allow victims to ‘vaccinate’ their systems and halt the ransomware even before it starts encrypting files.

FIN6 threat group deploys LockerGoga on compromised networks

Researchers observed FIN6 threat group deploying Ryuk ransomware and LockerGoga ransomware on compromised networks that did not contain any payment data. For which, FIN6 employed two different techniques after using Windows’ RDP to laterally move across the networks. This movement enabled FIN6 to then inject LockerGoga and Ryuk ransomware.