Industrial Firms hit by LockerGoga Ransomware.

News that do not fit in elsewhere




Postby viking60 » 27 Mar 2019, 13:41

Norsk Hydro is an Aluminium giant that has been completely shut down by what they call a severe cyber attack. They are the last of five Industrial companies that have been targeted and the ransomware targets systems that control the machines.

The others are Altran, Hexion and Momentive and there are more but they do not want to become famous for this or will not be mentioned for security reasons.

This attack could be potentially dangerous for both machines and personnel so Hydro shut down their computers and ran the production manually.

So far this has cost them about 35 Million Euro! So in terms of money this is severe.

For this attack to work it needs a Windows system:

It's not clear how the LockerGoga hackers are gaining initial access to victim networks in those targeted cases, but Carmakal has found that they seem to already know targets' credentials at the start of an intrusion, perhaps thanks to phishing attacks or by simply buying them from other hackers. Once the intruders have an initial foothold, they use the common hacking toolkits Metasploit and Cobalt Strike to move to other computers on the network and also exploit the program Mimikatz, which can pull traces of passwords out of the memory of Windows machines and allow them to gain access to more privileged accounts.

Once the privileges of Windows are gathered the encryption can follow. For this they need the domain admin credentials.

They use Microsoft's Active Directory management tools to plant their ransomware payload on target machines across the victim's systems. For this they use a false certificate.

This will make the system toast within minutes and you will find a README file that states:
Greetings! There was a significant flaw in the security system of your company, You should be thankful the flaw was exploited by serious people and not by some rookies. They would have damaged all your data by mistake or for fun.

It is debatable how serious these people are because they destroy the computers to a degree that it will be hard to even pay ransom.

There is however good reason to believe the first part of the message. There must have been a significant flaw in the security system...besides Windows +1

It seems very much safer to use a Linux network and Linux servers...and Linux desktops. :tux5:

More here
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
