Tue. Oct 27th, 2020

What We Know About Hydro LockerGoga Ransomware Attack

Aluminum giant Norsk Hydro has been hit by an attack that appears to have distributed ransomware to endpoints by using the company’s own Active Directory services against it.
The strain of ransomware used against Hydro, called LockerGoga, is used in highly targeted attacks and in January was used to extort a French engineering firm.  Oslo-based Hydro, which is Norway’s second-largest employer, says the attack began Monday at a U.S. plant and spread to some of the other facilities it operates across 50 countries before being contained.

On Wednesday, Hydro said it is still creating a recovery plan and as yet has no solid timeline for when it might be able to restore all affected systems.  “Hydro’s technical team, with external support, has succeeded in detecting the root cause of the problems and is currently working to validate the plan and process to restart the company’s IT systems in a safe and sound manner,” Hydro said in a statement on Wednesday. “However, it is still not clear how long it might take restore stable IT operations.”

“Let me be clear: The situation for Hydro is quite severe,” Hydro CFO Eivind Kallevik told reporters at a Tuesday press briefing. But he emphasized that the company is planning to restore all affected systems from backups, rather than paying any ransom.

‘Root Cause’?

It’s unknown at the moment, but David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements, has called on Hydro to publicly detail the “root cause” of the attack as quickly as possible, to help safeguard other potential victims.

“If this root cause includes identification of the method used to introduce the malicious code – either through end-user device comprise or remote access to servers – it would be great for the wider community if Hydro could share this information at an early stage,” Stubley tells Information Security Media Group. “By doing so, other organizations could take proactive steps to learn from this incident and avoid being subjected to similar attack.”

What Is LockerGoga?

Multiple security experts have said that LockerGoga was previously used against Paris-based Altran in January. After it was hit, Altran said in a statement: “To protect our clients, employees and partners, we immediately shut down our IT network and all applications.”  Based on an analysis shared by the security researcher known as Valthek, LockerGogo’s code was “sloppy, slow, and made no effort to evade detection.”  MalwreHunterTeam on Tuesday reported that they’d found a new sample of LockerGogo that was uploaded to malware-identification service VirusTotal from a system in Oslo.

Targeted Extortion

Typically LockerGogo is only used by attackers as part of one-off attacks.  It does not have a ‘spreader’ and it’s not like WannaCry or NotPetya. It has to be deployed by an attacker who already has admin access.  Attackers can gain admin access to sites in a variety of ways. One common approach is to purchase stolen or brute-forced remote desktop protocol credentials from cybercrime markets. Using RDP gives attackers remote access to an organization’s network, which they may spend weeks or months studying and raiding for sensitive data, before finishing with a ransomware to try and further monetize their efforts.  Many attacks appear to involve one group raiding an organization for intellectual property, then selling access to less-skilled attackers who deploy ransomware.


Hydro’s website remained unavailable on Tuesday. By Wednesday, it had been updated with a placeholder, suggesting that the company’s IT department had at least regained control of those servers, if not yet restored the underlying systems.  In the interim, Hydro has been issuing updates via it Facebook page.