The skinny on LockerGoga, a terrifying new ransomware variant

We’ve seen all manner of ransomware in the last decade. From innocuous varieties to the devastating ones, ransomware is one of the largest (and growing) threat vectors for cybersecurity teams (or managed service providers if you outsource that sort of thing). One of the newest iterations on the scene, with a terrifying wrinkle, is called ‘LockerGoga’ — here’s what it is, what it does, and what you should do to protect yourself.

LockerGoga primer

The Center for Internet Security describes LockerGoga as having “disruptive effects on industrial and manufacturing firms’ networks” and affecting such players as the “Norwegian aluminum manufacturer Norsk Hydro, French engineering consulting firm Altran, and U.S. chemical companies Hexion and MPM Holdings (Momentive).”

According to Wired, security researchers say the “most recently discovered strain of the malware is particularly disruptive, shutting down computers entirely, locking out their users, and rendering it difficult for victims to even pay the ransom. The result is a dangerous combination: reckless hacking that targets a set of companies that are highly incentivized to quickly pay the ransom, but also ones where a cyberattack could wind up physically harming equipment or even a factory’s staff.”

The ransomware allegedly does not target or infect industrial control systems, but its “debilitating effects on the business and production networks tied to these industrial systems result in costly production downtime. In the Norsk Hydro case, this involved temporarily moving to manual production”, according to the CIS report.

So how does the attack work? According to the Wired analysis, after the hackers “obtain a network’s highest privilege “domain admin” credentials, they use Microsoft’s Active Directory management tools to plant their ransomware payload on target machines across the victim’s systems. That code, [Chris] Carmakal [of FireEye security] says, is signed with stolen certificates that make it look more legitimate. And before running their encryption code, the hackers use a “task kill” command on target machines to disable their antivirus. Both of those measures have made antivirus particularly ineffective against the subsequent infections, he says. LockerGoga then rapidly encrypts the computer’s files. “On an average system within a few minutes, it is toast,” wrote Kevin Beaumont, a UK security researcher, in an analysis of the Norsk Hydro attack.”

But it doesn’t end there, unfortunately. LockerGoga attacks have developed a new terrifying wrinkle: “It also disables the computer’s network adapter to disconnect it from the network, changes the user and admin passwords on the computer, and logs the machine off … but unlike more typical ransomware, the victim often can’t even see the ransom message. In some cases, they may not even know that they’ve been hit with ransomware, delaying their ability to recover their systems or pay the extortionists, and causing even greater disruptions to their network.”

So… LockerGoga isn’t exactly swell for the afflicted. So what can we do to protect and prevent healthy systems from succumbing to its ravages?

How to protect or recover from LockerGoga

At the base level, the CIS identifies the most important “proactive step an organization can take for ransomware is the ability to recover from their backups. Use a backup system that allows multiple iterations of the backups to be saved and stored offline, in case the backups include encrypted or infected files. Routinely test backups for data integrity and to ensure you can recover from them.”

Additionally, ICS has some standard recommendations on how to combat ransomware:

  • Keep all systems patched, including all hardware, including mobile devices, operating systems, software, and applications, including cloud locations and content management systems (CMS), patched and up-to-date. Use a centralized patch management system if possible.
  • Implement application white-listing and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.
  • Disable macro scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
  • Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
  • Restrict Internet access. Use a proxy server for Internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.

As we see more and more types of ransomware come onto the scene, it becomes ever more important to ensure you’re prepared and protected. For a lot of large firms, they have large security apparatuses tending to that. But for small to middle-sized firms, it generally makes more sense to partner with a managed service provider to see to these types of threats — that’s precisely why we’re here. If you have any questions or concerns about ransomware, beyond just LockerGoga, be sure to reach out — we’d love to help in any way we can.