By Roshan Pokhrel, Associate Engineering Manager, LogPoint

After rearing its ugly head in early 2019 by attacking French consulting firm Altran Technologies, LockerGoga ransomware strikes again! This time the unfortunate victim is Norsk Hydro, Scandinavia’s largest and internationally renowned producer of aluminium.

Eivind Kallevik, CFO of Norsk Hydro, stated that internal IT detected the attack had affected computer systems in multiple business areas at around 12AM CET on Monday. He also went on to assure the public that despite the disruption, Norsk Hydro employees and civilians were not targeted in any way by this attack.

LockerGoga shows similarities to other recent large-scale ransomware attacks such as CottleAkela or Gorgon. Such malware is designed to access and encrypt sensitive user data on infected devices. It is delivered either through malicious emails or other social-engineering lures that trick victims into downloading a malicious file or following a link that triggers its automatic download, and/or through exploit kits.

Once the victim is lured into opening the malicious attachment, the ransomware encrypts the victim's files using AES or a similar algorithm. In the case of LockerGoga, the attackers used the RSA-4096 and AES-256 cryptography algorithms, and encrypted files are given one of the following extensions:

  • .locked!?
  • .locked

A ransom note named README-NOW.txt is left on the infected system:

[Screenshot: LockerGoga Ransomware README]

In the case of LockerGoga, the targeted file extensions included: .pdf, .ppt, .pot, .potx, .ppsx, .sldx, .doc, .dot, .dotx, .docb, .xlm, .xlsx, .xltx, .pps, .pptx, .xlsb, .xlw, and .wbk.

How does LogPoint SIEM detect ransomware?

The LogPoint LockerGoga malware application provides a comprehensive package for detecting an infection in just a few simple steps. The updated IoCs required to run the application are listed below.

Indicators of Compromise

The red flags indicating that your system might have been compromised.

Hash

| # | MD5 | SHA1 | SHA256 | File name | Malware category |
|---|-----|------|--------|-----------|------------------|
| 1 | 2bd24204750964b342f3ef941d693503 | d1c0138baa345a8d912cc4519d10e0bde3f1d059 | 0e874661b6bc116f18230dd6b50f792a944f4ba8e3f58edf1f128517ce8d44ee | ransomware.rar | Trojan |
| 2 | a5bc1f94e7505a2e73c866551f7996f9 | 7dea7ff735023418b902d093964028aefbc486a5 | 14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca | worker32 | Trojan |
| 3 | d5a740b43e0b8487b475367ebffa9a78 | d7760deb9b0b5647b3b297cda7533b7c3f0fd035 | 39e298627215ed3bed76686f52eb741335195c2cd09b69181892b4fa9f53f514 | READ-ME-NOW.txt | Win32.Outbreak |
| 4 | faf4de4e1c5d8e4241088c90cfe8eddd | fcd241fdcd462199f2907ca34c73ce9c89b03e5f | 47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4 | hvwfcsky | Trojan |
| 5 | 9cad8641ac79688e09c5fa350aef2094 | 3da0a217bbda09561780f52f163a6aafeb721d60 | 5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c | worker32 | Trojan |
| 6 | 3ebca21b1d4e2f482b3eda6634e89211 | 37cdd1e3225f8da596dc13779e902d8d13637360 | 6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77 | worker32 | Trojan |
| 7 | b3d3da12ca3b9efd042953caa6c3b8cd | 34fb03a35e723d27e99776ed3e81967229b3afe1 | 7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125 | pchgdage | Trojan |
| 8 | 443877e0b82c08089d5e428180f2b0d8 | 26d96eb7390fc9565a3016e907840e263380b301 | 7a059301a1c6198bb3a2cb2ae8cd358486f806ea1b202c4ca8613846a9c3cc64 | pchgdage | Trojan |
| 9 | 7e3f8b6b7ac0565bfcbf0a1e3e6fcfbc | b2a701225c8c7f839be3c5009d52b4421063d93e | 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26 | zzbdrimp | Trojan |
| 10 | c2da604a2a469b1075e20c5a52ad3317 | 442ed0cac2abe062d8e630f3ece803af687751db | 88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f | tgytutrc | Trojan |
| 11 | 164f72dfb729ca1e15f99d456b7cf811 | f92339e73c7e901c0c852d8e65615cfb588a4ff6 | 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29 | worker32 | Trojan |
| 12 | 19a5358eff7d8e0bf1c38a8cd4f85a53 | baa9f65be5177d1af5c5e8e822d756c799bb03ae | 9128e1c56463b3ce7d4578ef14ccdfdba15ccc2d73545cb541ea3e80344b173c | svchost.exe | Trojan/Suspicious |
| 13 | a52f26575556d3c4eccd3b51265cb4e6 | 61fdebb3c9dfa880b54e82579256acfcd4d6d406 | 97a2ab7a94148d605f3c0a1146a70ba5c436a438b23298a1f02f71866f420c43 | CryptoLocker | Trojan |
| 14 | ba53d8910ec3e46864c3c86ebd628796 | d1c2dfedc602f5d5f2036b0ba5541cac8f8b4b95 | a84171501074bac584348f2942964c8550374c39247ec6af0f4a69756ea9fc7a | CryptoLocker | Trojan |
| 15 | cf3282d6ad1dce954e472722979f3bde | a2a9501fe1c525702ec428b8c4aa35be954424b6 | b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7 | CryptoLocker | Trojan |
| 16 | 2e2e4988a49f8b22d5909cf1964851cb | cd3f6121705a3df9156d823b7da34c4745588ac5 | b8dedd74f8f474c97d53d313eb5a61d09fc020e91aa09c36711bac5cc123b6d7 | README-NOW.txt | Trojan-Ransom.LockerGoga |
| 17 | 52340664fe59e030790c48b66924b5bd | 73171ffa6dfee5f9264e3d20a1b6926ec1b60897 | bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f | worker32 | Trojan |
| 18 | 4da135516f3da1c6ca04d17f83b99e65 | 127b2c4403995d35622487bd250d673d74b613b9 | bef41d3c76aa98e774ca0185eb5d37da7bf128e3d855ebc699fed90f3988c7d3 | svch0st.4553.7z | Trojan |
| 19 | a1d732aa27e1ca2ae45a189451419ed5 | 50f5a5ec13d21d4df119140547d63bc40f93b079 | c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a | | Trojan |
| 20 | 174e3d9c7b0380dd7576187c715c4681 | 31fbfe814628db3b459ddc87bf5ed538700db17a | c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4 | CryptoLocker | Trojan |
| 21 | e11502659f6b5c5bd9f78f534bc38fea | b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b | c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 | tgytutrc | Trojan |
| 22 | 52d43618b1d9f660d446163c050eccfb | 6ee0e829659d4746bdfba803ecabbe75707e9b88 | ec52b27743056ef6182bc58d639f477f9aab645722f8707300231fd13a4aa51f | tgytutrc7290.zip | Trojan |
| 23 | 16bcc3b7f32c41e7c7222bf37fe39fe6 | a25bc5442c86bdeb0dec6583f0e80e241745fb73 | eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0 | yxugwjud | Trojan |
| 24 | e8c7c902bcb2191630e10a80ddf9d5de | e00ec019409a078e9819e09d0f3915cb41fc131f | f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192 | worker32 | Trojan |

Emails

Log Source Requirements

Sysmon/Windows Server/Integrity Scanner

  • Used to detect malicious file installation and to identify malware-infected hosts.

Mail Server

  • Used to detect any emails sent to the malicious address.
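To show how the hash IoCs and the Sysmon/mail-server log sources above are put to work in practice, here is an added Python example (not LogPoint's code and not part of the original post) that runs simple detection logic over a few constructed Sysmon-style events: process-creation events are matched against the hash table (only two of the table's rows are loaded; the rest are added the same way), and file-creation events are checked for the .locked extensions and the README-NOW.txt ransom note described earlier. The "key=value|key=value" line format and the sample events are constructed for the example and are not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Hash IoCs copied from the table above (two rows; extend with the others).
# Keys are lowercase hex digests, values describe the indicator.
LOCKERGOGA_HASH_IOCS: Dict[str, str] = {
    # worker32 (table row 2)
    "a5bc1f94e7505a2e73c866551f7996f9": "worker32 (MD5)",
    "7dea7ff735023418b902d093964028aefbc486a5": "worker32 (SHA1)",
    "14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca": "worker32 (SHA256)",
    # README-NOW.txt ransom note (table row 16)
    "2e2e4988a49f8b22d5909cf1964851cb": "README-NOW.txt (MD5)",
    "cd3f6121705a3df9156d823b7da34c4745588ac5": "README-NOW.txt (SHA1)",
    "b8dedd74f8f474c97d53d313eb5a61d09fc020e91aa09c36711bac5cc123b6d7": "README-NOW.txt (SHA256)",
}

# Extensions given to encrypted files and the ransom-note names from the article.
ENCRYPTED_EXTENSIONS = (".locked", ".locked!?")
RANSOM_NOTE_NAMES = ("readme-now.txt", "read-me-now.txt")

# Sysmon writes its Hashes field as "SHA1=..,MD5=..,SHA256=..,IMPHASH=.." (order varies).
HASH_FIELD_RE = re.compile(r"(MD5|SHA1|SHA256)=([0-9a-fA-F]+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' Sysmon-style line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_event(fields: Dict[str, str]) -> Optional[str]:
    """Return a finding if the event matches a LockerGoga indicator, else None."""
    event_id = fields.get("EventID")
    if event_id == "1":  # process creation: compare every digest in the Hashes field
        for algo, digest in HASH_FIELD_RE.findall(fields.get("Hashes", "")):
            hit = LOCKERGOGA_HASH_IOCS.get(digest.lower())
            if hit:
                return f"hash match {algo} -> {hit}; image={fields.get('Image')}"
    elif event_id == "11":  # file creation: encrypted files and the ransom note
        target = fields.get("TargetFilename", "")
        name = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            return f"ransom note dropped: {target}"
        if name.endswith(ENCRYPTED_EXTENSIONS):
            return f"encrypted file written: {target}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run check_event over every line and return the non-empty findings in order."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


# Constructed sample events (not real telemetry); Sysmon emits digests in uppercase.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\Temp\\worker32|Hashes=SHA1=7DEA7FF735023418B902D093964028AEFBC486A5,MD5=A5BC1F94E7505A2E73C866551F7996F9,SHA256=14E8A8095426245633CD6C3440AFC5B29D0C8CD4ACEFD10E16F82EB3295077CA",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "EventID=11|TargetFilename=C:\\Users\\alice\\Documents\\budget.xlsx.locked",
    "EventID=11|TargetFilename=C:\\Users\\alice\\Desktop\\README-NOW.txt",
    "EventID=11|TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Hash matching is exact and therefore only catches the samples already in the table; the file-creation checks (an unexpected .locked extension or a ransom note appearing on a host) are what catch a fresh build, so both kinds of rule belong in the same detection package.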

Screenshots (dashboards and alerts shown in the original post):

  • LockerGoga Malware Infections (LogPoint dashboard)
  • LockerGoga Ransomware Installation (LogPoint dashboard)
  • LockerGoga Email Communication Details (LogPoint dashboard)
  • LockerGoga Malware Emails Sent to Attacker (LogPoint alert)
  • LockerGoga Malware Affected Host (LogPoint alert)

For more information, contact LogPoint.