The LockerGoga Ransomware Attack: A worst-case scenario for industrial operations
Over the past decade, the corporate world has become familiar with ransomware attacks. Cyber attackers encrypt a company’s systems and data until a bitcoin ransom is paid. Upon payment, the attackers release a decryption key that allows the company to regain access to its data and go about the business of recovery and remediation. Attackers do not discriminate between sectors, and failure to pay can lead to disastrous consequences – as just one of many examples, the first known closure of a healthcare provider resulting from a ransomware attack occurred on April 6, 2019, after ransomware erased a Michigan medical practice’s medical records, billing data, and appointment schedules. Ransom demands can be astronomical, some reaching seven figures.
A relatively new type of ransomware, LockerGoga, is now plaguing the industrial and manufacturing sector. Investigations reveal that the threat actor delivers the malware by using phishing, password guessing, and brute-force attacks to gain Domain Administrator permissions, then copies the malware to a specific location, executes it, and encrypts the files on every device that logs into the network. What sets LockerGoga apart from typical ransomware is that some variants include code that actually makes it harder for victims to pay a ransom: they change administrator passwords and log users off using logoff.exe. This indicates LockerGoga’s objectives may include cyber sabotage of major industrial operations.
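The lock-out behaviour described above (a burst of administrator password changes followed by logoff.exe) is something a defender can look for in domain controller and endpoint audit logs. The following is an added example, not code from the original article or from any vendor: a small Python detector that scans simplified event records modelled on Windows Security event IDs 4724 (password reset attempt on another account) and 4688 (process creation). The sample records, field names, account names and thresholds are constructed assumptions for illustration only.

```python
"""Flag the LockerGoga-style lock-out pattern in audit-style event records:
one actor resetting many accounts' passwords in a short window, and then
launching logoff.exe. All sample data below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields (not real captures).
# 4724 = attempt to reset another account's password; 4688 = new process created.
SAMPLE_EVENTS = [
    {"ts": "2019-03-19T02:10:01", "id": 4688, "actor": "CORP\\helpdesk",  "detail": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2019-03-19T02:11:03", "id": 4724, "actor": "CORP\\svc-build", "detail": "CORP\\admin01"},
    {"ts": "2019-03-19T02:11:04", "id": 4724, "actor": "CORP\\svc-build", "detail": "CORP\\admin02"},
    {"ts": "2019-03-19T02:11:05", "id": 4724, "actor": "CORP\\svc-build", "detail": "CORP\\admin03"},
    {"ts": "2019-03-19T02:11:09", "id": 4688, "actor": "CORP\\svc-build", "detail": "C:\\Windows\\System32\\logoff.exe"},
    {"ts": "2019-03-19T09:30:00", "id": 4724, "actor": "CORP\\helpdesk",  "detail": "CORP\\jdoe"},  # routine, single reset
]

RESET_THRESHOLD = 3            # resets of distinct accounts by one actor ...
WINDOW = timedelta(minutes=5)  # ... within this time window (assumed tuning values)


def detect_lockout_pattern(events, threshold=RESET_THRESHOLD, window=WINDOW):
    """Return one alert per actor that reset >= `threshold` accounts within `window`.

    Each alert records the actor, the accounts reset in the burst, and whether the
    same actor also started logoff.exe inside that window (the page's second
    indicator). Uses a sliding window anchored at each reset in turn.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        resets = [e for e in evs if e["id"] == 4724]
        for i, first in enumerate(resets):
            end = first["ts"] + window
            burst = [r for r in resets[i:] if r["ts"] <= end]
            if len({r["detail"] for r in burst}) >= threshold:
                saw_logoff = any(
                    e["id"] == 4688
                    and e["detail"].lower().endswith("logoff.exe")
                    and first["ts"] <= e["ts"] <= end
                    for e in evs
                )
                alerts.append({
                    "actor": actor,
                    "resets": sorted({r["detail"] for r in burst}),
                    "logoff": saw_logoff,
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lockout_pattern(SAMPLE_EVENTS):
        print(alert)
```

The helpdesk account performs a single routine reset and is not flagged; the service account that resets three administrator accounts within seconds and then runs logoff.exe is. In a real deployment the same logic would be expressed as a SIEM correlation rule over the actual 4724/4688 events, with the thresholds tuned to the organisation's normal password-reset volume.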
To date, there have been over five reported instances of LockerGoga attacks targeting the industrial and manufacturing sector. LockerGoga was first detected on January 24, 2019, when it was used to attack French engineering consultancy Altran Technologies. In response to the incident, the company issued a press release advising that it “immediately shut down its IT network and all applications.” While Altran executives did not identify the attack as LockerGoga, some security experts said the evidence suggested LockerGoga was to blame.
On March 19, 2019, LockerGoga caused global aluminum producer Norsk Hydro, headquartered in Norway, to halt parts of its production operations in 160 of its plants in 40 countries. The company switched to manual operations and instructed its 35,000 employees to keep company computers turned off. While a ransom was demanded, Norsk Hydro said in a press conference it did not intend to pay. The company had backups in place and announced a week after the attack that most operations were running normally, with some manual processes, and with one business unit 70 to 80 percent operational. In a statement released on March 26, 2019, the company stated the estimated financial impact of the attack during the first week of the response was $35,000,000 to $41,000,000.
Since this attack, LockerGoga is suspected of being the culprit behind ransomware incidents affecting two US-based chemical industry companies, Momentive and Hexion.
Business in limbo
Depending on the level of protection a company has, any ransomware attack can impact business operations in a number of ways. In the best-case scenario, the company has a secure system backup in place that is not compromised by the attack. Costs may then be limited to replacing the servers and software and restoring backup data. However, restoring backups can still be a costly and time-consuming process.
For companies whose systems and backups are both compromised, the outcome is much costlier. Such businesses may be forced to pay large ransom demands, retain forensic investigators, and hire privacy counsel to ensure compliance with privacy laws. And the risks compound: privacy class action suits and government agency action could follow, driving costs up even more.