Metal firm Hydro plans recovery from ransomware that could be wiper malware

  • Liam Tung (CSO Online)
  • 21 March, 2019 08:13

Aluminium manufacturer Norsk Hydro claims to have found the “root cause” of the global IT outage due to a cyberattack believed to have been caused by LockerGoga, a strain of ransomware that displays some very unusual behaviours, according to Cisco’s Talos Intelligence researchers.  

Hydro’s worldwide IT network was paralyzed on Tuesday by the attack that started in one of its US operations and forced the company to print out lists to continue delivering orders of its aluminium-based products and components to customers around the world. 

The company still cannot connect to the production systems in its rolled products unit but it expected to resume some systems during Wednesday to enable customer deliveries, according to Hydro’s latest update on Wednesday. 

It’s also operating with a “higher degree of manual operation” for extruded solutions, which is still experiencing stoppages at several plants because it can’t connect to production systems.       

The company, which employs 35,000 people across 40 countries, said on Wednesday that it doesn’t have a timeline to full recovery of IT operations, nor an estimate of the financial impact of the cyber attack. 

Hydro's CFO Eivind Kallevik said at a press conference on Tuesday that the company did have cyber insurance and, when asked whether it would pay a ransom, said Hydro intended to rely on backups of its data to restore IT systems. 

Norway’s official cyber security authorities confirmed to media on Tuesday that Hydro was infected by LockerGoga, a relatively new strain of ransomware. 

LockerGoga is an odd example of ransomware, according to researchers at Cisco’s Talos Intelligence group who have analyzed several samples of it. 

First, it’s not clear yet whether LockerGoga is actual ransomware like SamSam and many other examples of sophisticated for-profit ransomware, or whether, like NotPetya and WannaCry, it is a data wiper dressed up as ransomware, designed to destroy a victim’s digital assets whether or not the victim follows the instructions to pay a ransom.

Talos researchers conclude, based on examinations of several samples of LockerGoga, that it “straddles the line” between ransomware and a straight-up data wiper like the Destover trojan that destroyed Sony Pictures Entertainment's data and master boot records in 2014.    

NotPetya, which caused over $1 billion in losses to affected organizations in 2017, including the Danish shipping giant Maersk, masqueraded as ransomware but in fact offered no recovery option for encrypted files.

And fortunately, unlike NotPetya, LockerGoga is not a worm. “Talos has observed no evidence to suggest that LockerGoga has the ability to self propagate across hosts on a network where an infection has taken place,” Talos researcher Nick Biasini wrote.

Talos found that several samples of LockerGoga used signed certificates in a bid to avoid detection by antivirus. The malware executable is copied to the infected machine’s %TEMP% directory and then often attempts to clear the Windows Event Logs before creating a ransom note and starting to encrypt files.

The malware deletes the original files as they’re encrypted and replaces them with encrypted copies carrying the "*.LOCKED" file extension.

Two unusual characteristics are that it even encrypts files in the victim’s Recycle Bin, and rather inefficiently appears to encrypt files individually.  

The ransom note is left on the victim’s desktop in a file called "README_LOCKED.txt", but a sample Cisco analysed in January used the name "README-NOW.txt".
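A defender-side check built from the behaviours described above. This is an added example, not code from Talos, Cisco or Hydro; it assumes a file listing and event-log records already collected from a host (the `{'event_id': n}` record shape is hypothetical) and uses the standard Windows event IDs for a cleared log (Security 1102, System 104), which the article itself does not name.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Indicators from the article: encrypted files are rewritten with a ".LOCKED"
# extension (Recycle Bin included), the ransom note is README_LOCKED.txt
# (README-NOW.txt in the January sample), and Event Logs are often cleared.
# Windows logs a cleared log as Security 1102 / System 104 (standard IDs).
LOCKED_EXT = ".locked"
RANSOM_NOTES = {"readme_locked.txt", "readme-now.txt"}
LOG_CLEARED_IDS = {1102, 104}

def classify_path(path):
    """Return indicator tags for one Windows path (empty list if benign)."""
    p = PureWindowsPath(path)
    tags = []
    if p.suffix.lower() == LOCKED_EXT:
        tags.append("locked_file")
        if any(part.lower() == "$recycle.bin" for part in p.parts):
            tags.append("recycle_bin_locked")
    if p.name.lower() in RANSOM_NOTES:
        tags.append("ransom_note")
    return tags

def scan_host(paths, events):
    """Count indicators over a file listing and event records ({'event_id': n})."""
    counts = Counter()
    for path in paths:
        counts.update(classify_path(path))
    counts["log_cleared"] += sum(ev.get("event_id") in LOG_CLEARED_IDS for ev in events)
    return counts

def is_suspicious(counts, min_locked=3):
    """Alert only when several renamed files coincide with a note or a cleared
    log, so one stray .LOCKED file does not page anyone."""
    return counts["locked_file"] >= min_locked and (
        counts["ransom_note"] > 0 or counts["log_cleared"] > 0)

# Constructed sample data; no path, SID or event below comes from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.LOCKED",
    r"C:\Shares\orders\q1.csv.LOCKED",
    r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$R1A2B3C.pdf.LOCKED",
    r"C:\Users\alice\Desktop\README_LOCKED.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]
SAMPLE_EVENTS = [{"event_id": 4624}, {"event_id": 1102}]
if __name__ == "__main__":
    c = scan_host(SAMPLE_PATHS, SAMPLE_EVENTS)
    print(dict(c), "SUSPICIOUS" if is_suspicious(c) else "clean")
```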

The ransom note does not specify an amount to be paid, only leaving an email address where the price of the decoder can be obtained and a warning that “the final price depends on how fast you contact us”. 

This also sets it apart from other recent sophisticated ransomware variants, whose ransom notes carry instructions on how to pay the ransom.

Talos has provided a list of the indicators of compromise and the email addresses used to reach the attackers in its blog post about its preliminary investigation.