It has recently been reported that a new breed of ransomware is infecting industrial networks and forcing ICS organizations to switch from digital to manual operations. Within the past few weeks the malware, 'LockerGoga', has infiltrated the Norwegian aluminum manufacturer Norsk Hydro, which was forced to activate its business continuity plan and move to manual operations while it responded to the incident.
LockerGoga has also recently hit two other manufacturing companies, Hexion and Momentive. At Momentive it caused a global IT outage that forced the company to decommission its infrastructure and rebuild from scratch.
According to a FireEye report, a newer strain of LockerGoga forces systems to shut down entirely and locks user accounts, which in turn makes it difficult for victims even to pay the ransom. It is not yet known how the attackers are gaining initial access to victims' networks, but the evidence indicates that they already held valid credentials for their targets before the intrusion.
Anatomy of an ICS Attack
The attackers may be using phishing campaigns to harvest credentials before they ever touch the victim's network. Once inside, they use widely available post-exploitation frameworks such as Metasploit (open source) and Cobalt Strike (commercial) to move laterally through the network. As they work toward the ICS layer, they run credential-dumping tools such as Mimikatz to pull cleartext passwords and password hashes out of LSASS memory and reuse them to escalate privileges.
Once they hold Domain Administrator rights, the highest privilege in a Windows domain, they use Microsoft Active Directory management tools to push the ransomware to target machines. The payloads are code-signed so that they appear legitimate before the encryption routine runs and locks the organization out of its files unless it pays. The attackers also kill processes to forcibly disable antivirus on the target machines.
The newest strain of LockerGoga also disables the network adapters on infected computers, cutting them off from the network. The machine can no longer communicate at all, which causes widespread operational disruption.
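The chain described above (credential theft, remote deployment, antivirus process kills, network adapters disabled, accounts locked) leaves a distinctive trail in process-creation telemetry, and a defender's first job during such an incident is to find which hosts are at which stage. The following hunting script is an added example written for this page; it is not Securicon's tooling and not a LockerGoga signature. The sample events are constructed to resemble Sysmon-style process-creation records, the rule patterns are assumptions about what each described behaviour typically looks like on a command line, and the function names (`scan`, `stages_by_host`, `hosts_under_impact`, `triage`) are this example's own.

```python
"""Stage-mapping hunt over process-creation telemetry (added example).

Events and rule patterns below are constructed for illustration; they are
not captured LockerGoga artefacts or vendor signatures.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: (host, user, parent image, image, command line).
SAMPLE_EVENTS = [
    ("ENG-WS01", "CORP\\jsmith", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ("DC01", "CORP\\svc_backup", "cmd.exe", "mimikatz.exe",
     "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"),
    ("HMI-02", "CORP\\da_admin", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    ("HMI-02", "NT AUTHORITY\\SYSTEM", "PSEXESVC.exe", "taskkill.exe",
     "taskkill /f /im MsMpEng.exe"),
    ("HMI-02", "NT AUTHORITY\\SYSTEM", "PSEXESVC.exe", "netsh.exe",
     "netsh interface set interface \"Ethernet\" admin=disable"),
    ("HMI-02", "NT AUTHORITY\\SYSTEM", "PSEXESVC.exe", "net.exe",
     "net user operator Xk8!q2Lm"),
    ("HIST-01", "CORP\\operator", "explorer.exe", "net.exe",
     "net use Z: \\\\fileserver\\historian"),   # benign: mapping a share
]

# One rule per stage of the described chain. Each regex runs over the string
# "image command_line". Assumed patterns, not vendor signatures.
RULES = [
    ("initial_access", re.compile(r"powershell\.exe.*\s-enc", re.I)),
    ("credential_theft", re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    ("remote_deploy", re.compile(r"^psexesvc\.exe", re.I)),
    ("av_kill", re.compile(
        r"taskkill(\.exe)?.*/im\s+(msmpeng|mcshield|ekrn|savservice)", re.I)),
    ("nic_disable", re.compile(
        r"netsh.*interface set interface.*admin=disable", re.I)),
    # "net user <name> <password>" changes a password; "net use" does not match.
    ("account_tamper", re.compile(r"^net\.exe\s+net user\s+\S+\s+\S+(\s|$)", re.I)),
]

# Stages that mean the host is already being cut off and locked.
IMPACT_STAGES = {"av_kill", "nic_disable", "account_tamper"}


def scan(events):
    """Return one finding per (event, rule) match: (host, rule, user, command_line)."""
    findings = []
    for host, user, _parent, image, cmdline in events:
        text = f"{image} {cmdline}"
        for name, pattern in RULES:
            if pattern.search(text):
                findings.append((host, name, user, cmdline))
    return findings


def stages_by_host(findings):
    """Collapse findings to the set of chain stages observed on each host."""
    seen = defaultdict(set)
    for host, name, _user, _cmd in findings:
        seen[host].add(name)
    return dict(seen)


def hosts_under_impact(findings, minimum=2):
    """Hosts showing at least `minimum` distinct impact-stage behaviours.

    Requiring two stages keeps a lone admin password reset from raising the
    alarm on its own; these hosts are the first to isolate and image.
    """
    return sorted(host for host, stages in stages_by_host(findings).items()
                  if len(stages & IMPACT_STAGES) >= minimum)


def triage(events):
    """Full pipeline: raw findings, per-host stages, and hosts to isolate first."""
    findings = scan(events)
    return {
        "findings": findings,
        "stages": stages_by_host(findings),
        "isolate_first": hosts_under_impact(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, stages in sorted(result["stages"].items()):
        print(f"{host}: {', '.join(sorted(stages))}")
    print("isolate first:", result["isolate_first"])
```

On the constructed sample, the workstation shows only the phishing-stage PowerShell launch, the domain controller only credential dumping, and the HMI host the full deployment-and-impact sequence, so it is the one flagged for immediate isolation; the historian's benign `net use` does not trip the account rule. In a real environment the event tuples would come from a SIEM or Sysmon export, and the regexes would need tuning against the organization's own administrative baseline.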
A New Breed
It is worth noting that LockerGoga differs from previous ransomware that has affected ICS environments. NotPetya used less extreme methods of disrupting operational processes, but it did show that malware could be built to spread laterally through a network autonomously.
LockerGoga, by contrast, is operated with some manual direction from the attackers, and it is more precisely targeted than NotPetya. Crucially, this campaign is not limited to ICS organizations: it is also hitting other industries opportunistically. Any network with publicly exploitable vulnerabilities may end up a victim.
Norsk Hydro fell victim to LockerGoga but had never integrated a Cybersecurity Incident Response Plan (CIRP) into its Business Continuity Plan (BCP). That lengthened its recovery, because staff were unsure how to proceed. Organizations should build a CIRP into their BCP and schedule routine vulnerability assessments and penetration tests of both their IT and ICS networks. If you fail to plan, you plan to fail.
Harry Thomas is a senior-level cyber security consultant who works with industries that require security in high-availability networks, such as electric utilities, healthcare, and oil and gas. He enhances security programs through vulnerability assessments, penetration testing, reverse engineering, and security research. Harry draws on his experience in both enterprise and ICS security to build secure networks that enable organizations to operate.
Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, trusted by critical infrastructure companies across the U.S. and other critical organizations to find vulnerabilities and maximize safety. In 2019, there's no room to be lax about security. Contact us today!