Spyware Stealer Locker Wiper - LockerGoga Revisited

LockerGoga emerged as a new ransomware variant in January 2019. Aside from a preference for industrial companies, little seemed to differentiate this from the ransomware ecosystem until a new version of LockerGoga crippled operations at multinational aluminum and power company Norsk Hydro in March 2019. At first, the event appeared to be a spectacular example of the disruptive power of ransomware - but further investigation and the release of additional details hint at a more complex story.

Almost immediately, analysis of likely LockerGoga samples associated with the Hydro event showed a much more disruptive item than past versions, including various steps to make even viewing ransom instructions difficult to impossible. Some wondered if this new variant of LockerGoga may be a wiper disguised as ransomware, similar to NotPetya. More mysterious still, LockerGoga apparently disappeared from active use after the Hydro event, with no publicly-known malware samples or incidents since. Subsequent reporting in Norwegian and English press added even more mystery, revealing Hydro as one part of a coordinated (but disrupted) event targeting multiple Norwegian entities, with initial access to Hydro gained through a complex supply-chain attack.

The oddities around the Hydro event and the associated LockerGoga variant represent a curious and concerning problem for network defenders: how can we differentiate between for-profit crimeware and likely state-directed disruptive activity? Do such distinctions matter for defenders? How can technical analysts leverage clues in malware and incident details to identify likely adversary intentions and purpose? This presentation will leverage all publicly-available data on the Norsk Hydro incident to explore these issues in detail. From this discussion, defenders will gain both better understanding of an extremely costly and disruptive incident, while also exploring threat intelligence, malware analysis, and incident review as a means to improve our understanding of attacker objectives, motives, and behaviors.

Understanding an incident - especially a significantly disruptive, large-scale event such as the March 2019 Norsk Hydro event - requires more than just looking at malware in isolation or remediating machines. By investigating further - even using only publicly-available information - network defenders can gain a greater understanding of the motivations and objectives behind an incident, and the implications these have for how an event unfolded and how best to respond.

Revisiting the Norsk Hydro incident, many aspects of this event start looking less like a common ransomware event and more like a meticulously planned disruptive event targeting multiple entities within a single country. By combining technical analysis with threat intelligence, incident review, and an understanding of the environment in which the event took place, we can begin unearthing more interesting - and potentially disturbing - details that reveal a far more complex event than a spectacular criminal ransomware event.

Using publicly available information, this discussion will walk through all known elements of the Norsk Hydro event and present evidence for looking at the incident as a state-directed disruptive event. While this cannot be proven, the uncertainty within this event is significant for defenders, as the relevant responses, defenses, and preparations for criminal actions and state-directed disruption can differ dramatically. Gaining an understanding of events will enable defenders to better grasp an increasingly hostile threat landscape, and learn the implications of such activity for daily defensive operations.

About the Speaker