Spyware Stealer Locker Wiper - LockerGoga Revisited

LockerGoga emerged as a new ransomware variant in January 2019. Aside from a preference for industrial companies, little seemed to differentiate this from the ransomware ecosystem until a new version of LockerGoga crippled operations at multinational aluminum and power company Norsk Hydro in March 2019. At first, the event appeared to be a spectacular example of the disruptive power of ransomware - but further investigation and the release of additional details hint at a more complex story.

Almost immediately, analysis of likely LockerGoga samples associated with the Hydro event showed a much more disruptive item than past versions, including various steps to make even viewing ransom instructions difficult to impossible. Some wondered if this new variant of LockerGoga may be a wiper disguised as ransomware, similar to NotPetya. More mysterious still, LockerGoga apparently disappeared from active use after the Hydro event, with no publicly-known malware samples or incidents since. Subsequent reporting in Norwegian and English press added even more mystery, revealing Hydro as one part of a coordinated (but disrupted) event targeting multiple Norwegian entities, with initial access to Hydro gained through a complex supply-chain attack.

The oddities around the Hydro event and the associated LockerGoga variant represent a curious and concerning problem for network defenders: how can we differentiate between for-profit crimeware and likely state-directed disruptive activity? Do such distinctions matter for defenders? How can technical analysts leverage clues in malware and incident details to identify likely adversary intentions and purpose? This presentation will leverage all publicly-available data on the Norsk Hydro incident to explore these issues in detail. From this discussion, defenders will gain both better understanding of an extremely costly and disruptive incident, while also exploring threat intelligence, malware analysis, and incident review as a means to improve our understanding of attacker objectives, motives, and behaviors.

About the Speaker