19 – 26 March 2019
Norwegian firm Norsk Hydro, one of the world largest aluminium producer, suffered a ransomware attack that shut down its production facilities across the globe. The ransomware known as LockerGoga is a new encryption malware that is written in C++ and uses both AES and RSA 1024 to encrypt files. LockerGoga first surfaced in January 2019, hitting the network of a French engineering consultancy company, Altran Technologies. The malware appeared in the network after an employee in its Romania branch office opened a phishing email and the infection subsequently spread to offices in other countries. As LockerGoga does not have a built-in mechanism for spreading on a network, the attackers are likely to have leveraged on the domain controller to spread the infection. LockerGoga may also be responsible for the ransomware attacks at two US chemical companies, Hexion Inc. and Momentive Holdings. Both companies were forced to replace infected machines and switch to a new email domain to restore operation. As the initial infection vector remains unknown, organisations are advised to look out for potential ransomware attack that can come from phishing emails or poorly secured RDP and VPS access points. Additionally, placing a crafted .LNK file at the "Recent" folder can also stop certain variants from executing its encryption routine. The LNK file needs to contain an invalid network path and has no associated RPC endpoint to trigger an exception which the malware does not handle and causing the operating system to terminate the encryption process.
 Aluminium Giant Hydro Hit by Ransomware
 New LockerGoga Ransomware Allegedly Used in Altran Attack
 Hexion Inc. Addresses Network Security Incident
 Momentive Responds to Network Security Incident
 Halting the Lockergoga Ransomware