The LockerGoga Ransomware Attack: A worst-case scenario for industrial operations
Over the past decade, the corporate world has become familiar with ransomware attacks. Cyber attackers encrypt a company’s systems and data until a bitcoin ransom is paid. Upon payment, the attackers release a decryption key that allows the company to regain access to its data and go about the business of recovery and remediation. Attackers do not discriminate between sectors, and failure to pay can lead to disastrous consequences – as just one of many examples, the first known closure of a healthcare provider resulting from a ransomware attack recently occurred on April 6, 2019, after ransomware erased a Michigan medical practice’s medical records, billing data, and appointment schedules. Ransom demands can be astronomical, some reaching seven figures.
A relatively new type of ransomware, LockerGoga, is now plaguing the industrial and manufacturing sector. Investigations reveal the threat actor delivers the malware by using phishing, password guessing, and brute force attacks to gain Domain Administrator permissions, then copies the malware to a specific location to execute the attack and encrypt the files on every device that logs into the network. What sets LockerGoga apart from typical ransomware is that some variants include code that actually makes it harder for victims to pay a ransom, by changing administrator passwords and logging users off using logoff.exe. This indicates LockerGoga’s objectives may include cyber sabotage of major industrial operations.
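The stages described above (a brute-forced administrator logon, resets of administrator passwords, and logoff.exe being launched on workstations) each leave a trace in Windows Security event data. The following is an added detection sketch, not code from the original article; it runs over constructed sample events, uses the standard Windows Security event IDs 4625/4624/4724/4688, and the dictionary field names and threshold values are assumptions.

```python
"""Detection sketch for the LockerGoga stages described above (added example).
Events are dicts summarising Windows Security log entries; field names are assumed."""
from collections import defaultdict

# Constructed sample events (not real logs): twelve failed logons against an
# admin account, a success, two admin password resets, then logoff.exe launches.
SAMPLE_EVENTS = [
    {"id": 4625, "user": "admin", "host": "DC01", "ts": 100 + i} for i in range(12)
] + [
    {"id": 4624, "user": "admin", "host": "DC01", "ts": 113},
    {"id": 4724, "user": "admin", "target": "Administrator", "host": "DC01", "ts": 130},
    {"id": 4724, "user": "admin", "target": "backupadmin", "host": "DC01", "ts": 131},
    {"id": 4688, "user": "admin", "process": r"C:\Windows\System32\logoff.exe",
     "host": "WS07", "ts": 140},
    {"id": 4688, "user": "admin", "process": r"C:\Windows\System32\logoff.exe",
     "host": "WS08", "ts": 141},
]

FAIL_THRESHOLD = 10   # assumed: failed logons within WINDOW that count as brute forcing
WINDOW = 60           # assumed: sliding window in seconds


def detect(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alert strings for the three attack stages, in event order."""
    alerts = []
    fails = defaultdict(list)   # user -> timestamps of recent 4625 (failed logon) events
    brute_forced = set()        # users whose failure count crossed the threshold
    for e in sorted(events, key=lambda x: x["ts"]):
        eid, user, ts = e["id"], e["user"], e["ts"]
        if eid == 4625:  # failed logon: keep only failures inside the window
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) >= fail_threshold:
                brute_forced.add(user)
        elif eid == 4624 and user in brute_forced:  # success after a burst of failures
            alerts.append(f"brute-force success: {user} on {e['host']} "
                          f"after {len(fails[user])} failures")
        elif eid == 4724:  # password reset attempt on another account
            alerts.append(f"password reset of {e['target']} by {user}")
        elif eid == 4688 and e.get("process", "").lower().endswith("\\logoff.exe"):
            alerts.append(f"logoff.exe launched by {user} on {e['host']}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

A real deployment would feed parsed event-log records into `detect` and tune the threshold and window to the environment's normal failed-logon rate.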
To date, there have been over five reported instances of LockerGoga attacks targeting the industrial and manufacturing sector. LockerGoga was first detected on January 24, 2019, when it was used to attack French engineering consultancy Altran Technologies. In response to the incident, the company issued a press release advising it “immediately shut down its IT network and all applications.” While Altran executives did not identify the attack as LockerGoga, some security experts said that evidence suggested LockerGoga was to blame.
On March 19, 2019, LockerGoga caused global aluminum producer Norsk Hydro, headquartered in Norway, to halt parts of its production operations in 160 of its plants in 40 countries. The company switched to manual operations and instructed its 35,000 employees to keep company computers turned off. While a ransom was demanded, Norsk Hydro said in a press conference it did not intend to pay. The company had backups in place and announced a week after the attack that most operations were running normally, with some manual processes, and with one business unit 70 to 80 percent operational. In a statement released on March 26, 2019, the company stated the estimated financial impact of the attack during the first week of the response was $35,000,000 to $41,000,000.
Since this attack, it is suspected LockerGoga was the culprit behind ransomware affecting two US-based chemical industry companies, Momentive and Hexion.
Business in limbo
Depending on the level of protection a company has, any ransomware attack can impact business operations in a number of ways. In the best-case scenario, the company has a secure system backup in place that is not compromised by an attack. Costs may be limited to replacing the servers and software and restoring backup data. However, restoring backups can be a costly and time-consuming process.
For companies that have their systems and backups compromised, the outcome is much costlier. Such businesses may be forced to pay large ransom demands, retain forensics, and hire privacy counsel to ensure privacy laws are complied with. And the risks compound; privacy class action suits and government agency action could follow, driving costs up even more.
Shutting the door to attacks
These are expenses that can be driven down by putting proper protections in place. For industrial firms, manufacturing operations — or any business for that matter — shoring up cyber security measures is critical. While attacks cannot be avoided entirely, their impact can be significantly decreased.
Some recommendations to consider:
- Investigate before an event occurs. Have systems reviewed by a forensics investigator for potential vulnerabilities. Then address the vulnerabilities as soon as possible.
- Conduct tabletop exercises. Work with privacy counsel to establish what steps to take should an incident occur. Who will be notified? Who is in charge of that notification?
- Test your and your carrier’s breach response readiness. Call your carrier’s data breach hotline to see how long it takes to get a response as an integral part of your breach response planning.
- Review policy language. Understand what your reporting and pre-planning responsibilities are. Some policies require that all forensics and privacy counsel teams be pre-approved. Understand when, and how to report any incidents to your insurance carrier.
- Partner with the right insurance company. Work with an insurance carrier that has deep expertise in handling cyber-related security issues. Your carrier should have a dedicated team of privacy counsel and forensics investigators to help you identify and fix vulnerabilities and prepare for any potential attack.
Whether it’s today’s LockerGoga ransomware or a future mode of attack, your company’s operations depend on not just a swift response, but a strong defense against breaches. Make sure you’re prepared – create a proactive plan to regularly address and protect your business from ransomware attacks.
Your company should conduct an investigation on its systems and practices long before a ransomware event occurs. That includes understanding what the current process is for investigations, who to call first, and what your responsibilities are.
It also includes knowing how your insurance carrier will respond, and what your reporting and preventative responsibilities are. Work with your carrier to put proper preventions in place, and to tailor your insurance to match those risks your company cannot otherwise mitigate.
Tara Nayak is a Claims Specialist in AXA XL’s North America Cyber & Technology insurance business. She can be reached at email@example.com.