Aluminum giant Norsk Hydro was recently hit by LockerGoga ransomware. The attack appears to have distributed the ransomware to endpoints by using the company's own Active Directory services against it.
What is LockerGoga?
LockerGoga is a malicious ransomware program built to encrypt data stored on computers and to blackmail users by demanding ransom payments in return for decryption tools.
LockerGoga was recently detected by Norsk Hydro across several of its international systems. Norsk Hydro is one of the world's largest aluminum producers.
Files locked by LockerGoga
LockerGoga appends the ".locked!?" or ".locked" extension to each encrypted file. For example, a file named "1.pdf" becomes "1.pdf.locked!?" or "1.pdf.locked". It also drops a "README-NOW.txt" file containing the ransom-demand message.
The README file states that the attackers have exploited a significant flaw in the system's security and encrypted all data using the RSA-4096 and AES-256 cryptographic algorithms.
As 'proof' that they can be trusted and possess a working decryption tool, they invite victims to send two or three files for free decryption. The files are to be sent to the email addresses listed in the note.
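The file-name artefacts described above are the simplest post-infection indicators to sweep for on a file share or a suspect host. The following Python script is an added example written for this page, not code from Infradata or from any published LockerGoga analysis: it walks a directory tree, flags files carrying the ".locked" or ".locked!?" suffix, recovers the pre-encryption file name for triage, and records where "README-NOW.txt" notes were dropped. The directory tree it scans is constructed inline (the file names and contents are made up). On Windows the example omits the "!?" variant from its sample tree because "?" is not a legal NTFS file-name character; that is a limitation of the demo, not a statement about the malware.

```python
"""Sweep a directory tree for LockerGoga file artefacts.

Added example (not Infradata's or any vendor's code).  Indicators come
from the post: the appended ".locked!?" / ".locked" extensions and the
ransom note "README-NOW.txt".  The sample tree is constructed below.
"""
import os
import tempfile
from pathlib import Path

# Longer suffix first so "1.pdf.locked!?" strips to "1.pdf", not "1.pdf.locked!?".
LOCKED_SUFFIXES = (".locked!?", ".locked")
RANSOM_NOTE_NAME = "README-NOW.txt"


def original_name(name):
    """Return the pre-encryption file name if `name` carries a LockerGoga
    suffix, else None.  Case-insensitive so case-preserving file systems
    are handled; a bare ".locked" (nothing before the suffix) is ignored."""
    lowered = name.lower()
    for suffix in LOCKED_SUFFIXES:
        if lowered.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return None


def scan_tree(root):
    """Walk `root` and collect encrypted files and ransom notes.

    Returns {"encrypted": [...], "notes": [...], "by_directory": {dir: n}}
    with POSIX-style relative paths, sorted so the output is stable."""
    root = Path(root)
    encrypted, notes, by_dir = [], [], {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()  # "." at the root
        for fname in filenames:
            rel = Path(rel_dir, fname).as_posix()
            if fname.lower() == RANSOM_NOTE_NAME.lower():
                notes.append(rel)
            elif original_name(fname) is not None:
                encrypted.append(rel)
                by_dir[rel_dir] = by_dir.get(rel_dir, 0) + 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_directory": by_dir}


def build_sample_tree(base):
    """Create a constructed (fake) tree: clean files, LockerGoga-style
    artefacts in one share, and a ransom note.  Contents are placeholders."""
    base = Path(base)
    (base / "finance").mkdir(parents=True)
    (base / "hr").mkdir()
    files = {
        "finance/1.pdf.locked": b"",          # the post's own example name
        "finance/budget.xlsx.locked": b"",
        "finance/README-NOW.txt": b"constructed ransom-note placeholder",
        "hr/contract.docx": b"clean",
        "hr/notes.txt": b"clean",
        ".locked": b"",                       # bare suffix: must NOT be flagged
    }
    if os.name != "nt":  # "?" is not allowed in NTFS file names
        files["finance/report.docx.locked!?"] = b""
    for rel, content in files.items():
        (base / rel).write_bytes(content)
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        result = scan_tree(build_sample_tree(tmp))
    return result


if __name__ == "__main__":
    report = run_demo()
    for path in report["encrypted"]:
        print(f"encrypted: {path}  (was: {original_name(Path(path).name)})")
    for path in report["notes"]:
        print(f"ransom note: {path}")
    print("affected directories:", report["by_directory"])
```

Pointing `scan_tree` at a real share root gives a per-directory count of affected files, which is the first thing an incident responder needs to scope restoration from backup; the recovered original names double as the list of files to restore.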
Detecting and resolving LockerGoga Ransomware
LockerGoga is identical to another ransomware program called CottleAkela; there are many other similar examples, such as Gorgon and GEFEST 3.0. VirusTotal's dashboard shows that 19 hours after the first reported LockerGoga sample was scanned, only 25 of the 69 security vendors flagged it as 'malicious'.
Most infections of this type have two factors in common: they encrypt data and they attempt to blackmail victims with ransom demands. What varies is the price of the decryption tool and the cryptographic algorithm used. Unfortunately, cyber criminals typically use encryption with keys unique to each victim, so the files cannot be decrypted without the specific decryption tool.
Avoiding data or financial loss caused by LockerGoga
To avoid data or financial loss, we recommend that you create regular backups and store them on a remote server or on an unplugged storage device.
While 100% prevention is yet to be achieved, you can start today by fortifying your defences with basic cyber security hygiene, as explained in Kunal Biswas's expert blog on LockerGoga ransomware.
Help or support on LockerGoga Ransomware
We at Infradata can help you with our cyber security assessment, which draws on examples from many industry verticals. Across our Cyber Security services and solutions, our experts employ tried and tested techniques, industry best practices and the best commercial and proprietary technologies to identify, monitor and analyze information-related vulnerabilities effectively, and to help determine how to manage or resolve data security risks such as LockerGoga ransomware.