Fact sheet of LockerGoga ransomware which hit Norsk Hydro

298

Last week, Norway based Aluminum manufacturer Norsk Hydro was hit by a new variant of ransomware called LockerGoga. And as per the initial financial estimate, the ransomware is said to have caused a loss ranging between $30m to $40m for the Norwegian company which is now struggling to conduct automated operations in branches laid across Europe and North America.

While security researchers are still busy finding the notable features and capabilities of LockerGoga, a group of security analysts from noted Cybersecurity companies has come up with some facts related to LockerGoga Ransomware. And here’s a quick update on them-

LockerGoga has potential to change passwords- Some security researchers argue that the ransomware has the ability to change passwords of all local user accounts to “Huhuhuhoho283283@dJD” which later boots out local and remote users out of the system. But researchers from F-Secure say that the said malware has the potential only to change the admin account passwords and doesn’t interpret the admin passwords of local users.

Logs out victims- While earlier versions of the said ransomware have the capability to just encrypt files, the latest version of malware is said to have the potential to log out the victim out of an infected system and remove their noesis to log in back. Cisco Talos has also made this disclosure in its blog on a recent note.

LockerGoga disables the network- Researchers from ESET say that the said ransomware has the ability to locally disable all network interfaces to such an extent that it further isolates the affected computer and makes the recovery of the system too complicated necessitating manual intervention.

Doesn’t propagate- Since LockerGoga does not rely on a network, security researchers from Palo Alto Networks say that malware moves in the compromised network via server message protocol(SMB). So, the hackers need to manually copy the files from one system to another. However, this process might get enhanced in the future versions of the said malware.

Crafted for targeted victims- As LockerGoga doesn’t propagate on its own via a network, analysts say that the malware has been designed for targeted attacks. Also, the code of the malware is designed to evade sandboxes and machine learning tools which can make it hard to detect in the future.

LockerGoga or CryptoLocker- As LockerGoga uses Crypto++, an open source crypto library as a project folder name, Chris Elisan, the Director of Intelligence Flashpoint has come to an opinion that the authors of the said malware are trying to make it appear as a notorious CryptoLocker Ransomware which doesn’t decrypt the files due to buggy encryption even after receiving the ransom.