How LockerGoga took down Hydro — ransomware used in targeted attacks aimed at big business

Hydro posted notices at their 40 offices and manufacturing facilities across the world asking staff to disconnect their devices from local networks, and the recovery effort began.

They informed stock markets they were moving to ‘manual production’, which means they would operate factories without modern IT.

Each local factory manager was tasked with maintaining customer orders - for example, some operated from pre-printed lists of orders.

For communication, Norsk Hydro ASA uses Office365, which was completely unimpacted - so staff could still communicate with each other, the press and customers using mobile phones and tablets. Had Hydro not already moved communications to a managed cloud service, the situation would have been more grave.

For communication with the outside world they used their Facebook account, and redirected to an Azure temporary website:

This website has since been moved to behind Cloudflare, a managed DDoS protection provider.

Incident representation

Hydro started the best incident representation response plan I’ve ever seen - they had a temporary website up, they told the press, they told their staff, they apparently didn’t hide any details - they even had daily webcasts with the most senior staff talking through what was happening, and answering questions. On the 2nd day they even took questions from webcast watchers.

In contrast to some other incidents, their stock price actually went up - despite a difficult trading period for the past 2 years involving some major business setbacks, they have actually gained in value.

Incident response

Hydro’s website says they have flown in staff from Microsoft and unnamed companies to help them recover. They have also engaged with national cybercrime bodies, industry groups and police authorities. The incident is now a police investigation.

Their CFO says they have backups of data which they are attempting to restore, and they have not paid a ransom.

They say it is unknown how long recovery will take, although in an interview with a Norwegian news organisation the CIO says full recovery will take months.

Hydro have provided videos about their recovery efforts:

What went wrong?

Security controls and industry

Several weeks ago, I highlighted on Twitter that despite a high profile attack on Altran in January (34,000 staff members) using LockerGoga, a vast majority of endpoint security anti-malware products were failing to detect it. I highlighted this because @malwrhunterteam on Twitter sent me a message saying ‘look at this and the poor detection’:

As you can see above the detection rate was 0 out of 67 anti-virus engines. Now, before vendors get annoyed, I am well aware that VirusTotal results don’t tell the full story - however having zero detection from any engine is an extremely bad sign. I actually detonated the ransomware myself on several real world endpoints (in isolated fashion - as you’ll learn later, it doesn’t self-replicate either) and I couldn’t find an endpoint security tool which actually triggered a detection (although Cisco’s ThreatGrid sandbox technology did classify it as Generic Ransomware).

I used that Twitter thread to pressure several anti-malware producers into action, DMing staff I knew at said companies to get them to take a look.

I found a few more samples in VirusTotal, clearly still in development - those, too, had little to no detection. I sent them on informally.

After the Altran attack, which downed systems at a 34,000-employee company, only a small amount of dialogue happened in the industry - I can only find one news article which actually mentions LockerGoga, for example, and little to no technical detail.

As far as I’m aware there is not any centralised way to contact everybody in the antivirus industry on matters of international interest, so I completely forgot about it a few people in, and went to watch Captain Marvel instead.

Essentially, Norsk Hydro’s anti-malware solution did not have detection for the threat because not all the industry players were paying attention to a cartoon porg on Twitter (me) and a random person who I think doesn’t work in the industry (MalwareHunterTeam).

I’m not saying that’s how the industry should work, by the way, and I know it sounds self-aggrandising - but I’m trying to make the point that maybe, as an industry, we’re really good at hyping threats in the media which are not practical in the real world and not great at looking at all the real world, actual attack data.

While we may be sharing Indicators of Compromise - IoCs - a long list of meaningless hashes isn’t enough to protect people. The cyber security industry and partners missed a trick here, as we knew a major company had been attacked in a meaningful way, but it wasn’t followed up.

Additionally, the digital certificate being used to sign the ransomware was used to sign other malicious code - in fact it had only been used to sign malicious code - and had been issued to a company with £1 of assets which wasn’t even a trading company. Upon being informed of this, the Certificate Authority failed to revoke the certificate in a timely manner - a continuing issue with the same Certificate Authority, which is trusted by all Windows certificate stores. To compound the issue, even when a certificate is revoked, a vast majority of security tools fail to do anything, as they do not retrieve the CRL and check the serial number for revocation. All security tools and technology should immediately block or flag code signed with specifically distrusted certificates. Essentially, there are cascading failures in the technology and security industry to protect customers.
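The CRL check described above, written out as an added example (not code from the original article or from any vendor). It assumes the Python `cryptography` package; the CA, signer names and serial numbers are constructed. It goes slightly beyond the text by returning "unknown" for a stale or unverifiable CRL, so the caller can flag the file rather than silently trust it.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Signing CA")])

def revocation_status(cert, crl, ca_public_key, now):
    """Classify a signer certificate as 'revoked', 'good' or 'unknown'."""
    # A CRL is only evidence if the certificate's issuer published and signed it.
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return "unknown"
    # A listed serial number is final, even when the list itself is old.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    # cryptography >= 42 has next_update_utc; older releases return naive UTC.
    nxt = getattr(crl, "next_update_utc", None)
    if nxt is None and crl.next_update is not None:
        nxt = crl.next_update.replace(tzinfo=UTC)
    # An expired CRL cannot prove a certificate is still good: flag it instead.
    return "good" if nxt is not None and now <= nxt else "unknown"

def build_sample(now):
    """Constructed PKI: one CA, two signer certs, and a CRL revoking 0x1001."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    def issue(common_name, serial):
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
        leaf_key = ec.generate_private_key(ec.SECP256R1())
        return (x509.CertificateBuilder()
                .subject_name(subject).issuer_name(CA_NAME)
                .public_key(leaf_key.public_key()).serial_number(serial)
                .not_valid_before(now - dt.timedelta(days=30))
                .not_valid_after(now + dt.timedelta(days=335))
                .sign(ca_key, hashes.SHA256()))
    entry = (x509.RevokedCertificateBuilder().serial_number(0x1001)
             .revocation_date(now - dt.timedelta(days=1)).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
           .last_update(now - dt.timedelta(days=1))
           .next_update(now + dt.timedelta(days=6))
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return ca_key.public_key(), issue("Revoked Signer", 0x1001), issue("Other Signer", 0x1002), crl

if __name__ == "__main__":
    now = dt.datetime.now(UTC)
    ca_pub, revoked, other, crl = build_sample(now)
    for cert in (revoked, other):
        print(hex(cert.serial_number), revocation_status(cert, crl, ca_pub, now))
```

A real deployment would extract the signer certificate from the file's signature and fetch the CRL from the certificate's distribution point; both steps are outside this sketch.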

Another element - some LockerGoga deployments stop endpoint security products (and backup products) before further deployment:

