The latest victim of last week’s massive ransomware attack, Norwegian industrial giant Norsk Hydro, is beginning to recover. But it won’t come cheap. The company estimates the cost of the ransomware attack at $40 million.
The name of this latest attack? LockerGoga.
The ransomware infected multiple systems across Norsk Hydro and impacted operations across numerous areas. It also appears to be a rude awakening for the manufacturer since its production environments were impacted to the point its factories were forced to halt production and switch to manual operations.
Fortunately, as of Tuesday, the company said it had begun recovery efforts, with most operations running normally again. Per Computing UK, Norsk Hydro is now "gradually restoring IT systems in a safe and secure manner to ensure progress toward normal business" and is limiting the impact "for people, operations, customers, suppliers and other partners."
Two chemical makers were also impacted by last week’s LockerGoga attack. Hexion and Momentive, which make resins, silicones and other materials, both suffered global IT outages, according to Motherboard.
Hexion circulated a press release on March 22 discussing the incident and how the company is moving ahead with its recovery plan. It is also working with customers and suppliers to minimize disruption.
Why this ransomware attack is different
LockerGoga is unusual in that, in addition to ransomware’s usual path of destruction, it also disables the infected computer’s network adapter to disconnect it from the network. It then changes the user and admin passwords and logs the machine off. Per Trend Micro, LockerGoga relocates itself into a temp folder and then renames itself using the command line (cmd). The command-line parameter used does not contain the file paths of the files targeted for encryption. In some cases the victims can’t see the ransomware message, leaving them unaware they have been attacked.
Additional analysis by Trend Micro indicated that LockerGoga, by itself, doesn’t appear to have the capability to propagate like previous attacks such as WannaCry or Petya/NotPetya (more on these attacks below). Trend Micro’s static analysis also revealed that LockerGoga enumerates the infected system’s Wi-Fi and/or Ethernet network adapters. It then attempts to disable them through the CreateProcessW function via the command line (netsh.exe interface set interface DISABLE) to disconnect the system from any outside connection. LockerGoga runs this routine after its encryption process but before it logs out of the current account. This is notable behavior: the file encryption routine could be considered less consequential, since LockerGoga has already locked the user out of the system by changing the accounts’ passwords.
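One way a defender can turn the adapter-disabling behavior described above into a detection is to watch process-creation telemetry for the netsh command and raise the severity when the parent process runs from a temp folder, the other trait the Trend Micro analysis mentions. The script below is an added example, not code from the original post or from Trend Micro; the record fields (host, ts, parent_image, image, command_line) are assumed Sysmon-style field names, and the log records are constructed for illustration rather than taken from any real incident.

```python
"""Detection sketch: flag "netsh ... interface set interface ... disable" in
process-creation telemetry and rank it by where the parent process runs from.
All sample records below are constructed; field names assume a Sysmon-like schema."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the positional form quoted on the page
# ("netsh.exe interface set interface <name> DISABLE") as well as the
# named-argument form (name=<name> admin=disable). netsh also accepts
# "int" as an abbreviation for "interface", so both spellings are covered.
ADAPTER_DISABLE_RE = re.compile(
    r'''netsh(?:\.exe)?\s+int(?:erface)?\s+set\s+int(?:erface)?\s+
        (?:name=)?(?:"[^"]*"|\S+)\s+(?:admin=)?disable(?:d)?\b''',
    re.IGNORECASE | re.VERBOSE,
)

# A parent image living under a \Temp\ or \Tmp\ directory is the second trait
# the analysis above describes (the payload relocating itself to a temp folder).
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    ts: str
    severity: str
    reason: str
    command_line: str


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is an adapter-disable, else None."""
    cmd = event.get("command_line", "")
    if not ADAPTER_DISABLE_RE.search(cmd):
        return None
    parent = event.get("parent_image", "")
    if TEMP_DIR_RE.search(parent):
        return Finding(event["host"], event["ts"], "high",
                       "network adapter disabled by a process running from a temp directory",
                       cmd)
    # Still worth a look: an admin script may do this, but ransomware does too.
    return Finding(event["host"], event["ts"], "medium",
                   "network adapter disabled via netsh", cmd)


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run classify_event over a stream of records and keep the hits."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample records (hypothetical hosts, timestamps and paths).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2019-03-19T03:12:07Z",
     "parent_image": r"C:\Windows\Temp\sample_payload.exe",  # hypothetical path
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh.exe interface set interface "Ethernet" DISABLE'},
    {"host": "ws02", "ts": "2019-03-19T09:40:11Z",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh interface set interface name="Wi-Fi" admin=disable'},
    {"host": "ws03", "ts": "2019-03-19T10:01:55Z",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface show interface"},
    {"host": "ws03", "ts": "2019-03-19T10:02:30Z",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh interface set interface "Ethernet" ENABLE'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host} {finding.ts}: "
              f"{finding.reason} :: {finding.command_line}")
```

Running the block against the constructed records yields two findings: the temp-folder parent is ranked high, the PowerShell-spawned disable is ranked medium, and the show/enable commands produce nothing. In a real deployment the same logic would sit in a SIEM rule over process-creation events, with an allowlist for the provisioning scripts that legitimately toggle adapters.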
Manufacturers becoming a favorite target
The last few years have seen a steady increase in attacks on manufacturers of all kinds, including some of the world’s most well-known companies. In 2017, Nissan, Renault and Merck were all targets of ransomware campaigns such as WannaCry and NotPetya. The attacks resulted in damages in the hundreds of millions of dollars.
Last year the campaigns intensified but also expanded to the mobile industry, this time with iPhone chip manufacturer TSMC getting hit by a WannaCry variant. That caused downtime and damages estimated at $250 million. Not only was the amount staggering, but TSMC was not even considered to be the main target, yet due to IT oversights such as unpatched Windows systems, the hackers found a way in. (Don’t ignore Patch Tuesday, people!)
Industry observers say that ransomware attacks such as LockerGoga could significantly impact industrial controls, and not in a good way. According to an expert in this Wired article, "You typically don't test these systems in a situation where your ability to control or monitor them is taken away from you. If anything changes, you're unable to react to it, and any situation that develops can become a crisis very quickly."
The story goes on to describe a 2014 incident at a still-unnamed German steel mill that was hit by a group of unknown hackers. The attack caused massive damage after the plant operators were unable to shut down a blast furnace.
Hackers are always finding creative new ways to wreak havoc. Manufacturers are going to need to work with experienced cybersecurity companies with industrial experience to prevent the worst from happening, especially where internet-connected devices come into play.
GlobalSign’s IoT team is working with more and more industrial players to secure their device endpoints. To learn more about our IoT and IIoT products and solutions, visit https://www.globalsign.com/en/internet-of-things/.