LockerGoga ransomware and national security

Recently, a new type of ransomware-based cyber-warfare made global headlines when an attack was executed against Norsk Hydro, a raw materials producer that boasts the 10th largest output of aluminum in the world.

The victim, Norsk Hydro, just happens to employ more people in the United States than any other Norwegian company.  The company has a total of 35,000 employees in 40 countries and has a market cap over 9 billion USD, making it a global force.

The infection, known as LockerGoga, uses a renamed copy of the system administration tool PsExec to begin running its scripts.  It is still unknown exactly how the malware spreads within a network, although researchers theorize that it moves laterally by abusing stolen Remote Desktop Protocol (RDP) credentials.  In basic terms, the infection can spread from one infected machine to any or all others on the same network.

After LockerGoga completes the process of encrypting your files, the affected files will show a ".locked" extension.  LockerGoga targets popular file extensions in a system, including .doc, .dot, and .pot, among others.

LockerGoga can also encrypt any file on a hard drive or network.  LockerGoga can block outside connections by disabling Wi-Fi or Ethernet adaptors.  Some variants of the ransomware, like the one used at Norsk Hydro, log out users and change passwords.
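Two of the traits described above, mass renames to ".locked" and a renamed PsExec binary, are the kind of thing an endpoint team would hunt for after the fact. The triage below is an added example, not code from the article or from any vendor: it runs over constructed endpoint events in an assumed pipe-delimited format, where the last field of a PROCESS record is an assumed "original file name" attribute taken from the binary's version information.

```python
# Added example: triage constructed endpoint events for two LockerGoga traits the
# article describes.  Event format, field names and thresholds are assumptions.
from collections import Counter
from pathlib import PureWindowsPath

LOCKED_SUFFIX = ".locked"
# Extensions the article names as targeted; extend from your own telemetry.
TARGETED = {".doc", ".dot", ".pot"}

# Constructed sample telemetry, one event per line:
#   RENAME|host|user|old_path|new_path
#   PROCESS|host|user|image_path|original_file_name   (last field is assumed)
SAMPLE_EVENTS = """\
RENAME|WS01|alice|C:\\Users\\alice\\report.doc|C:\\Users\\alice\\report.doc.locked
RENAME|WS01|alice|C:\\Users\\alice\\slides.pot|C:\\Users\\alice\\slides.pot.locked
RENAME|WS01|alice|C:\\Users\\alice\\tmpl.dot|C:\\Users\\alice\\tmpl.dot.locked
RENAME|WS02|bob|C:\\Users\\bob\\draft_v1.doc|C:\\Users\\bob\\draft_v2.doc
PROCESS|WS01|SYSTEM|C:\\Windows\\Temp\\svc.exe|psexec
PROCESS|WS02|bob|C:\\Tools\\PsExec.exe|psexec
""".splitlines()


def parse(line):
    kind, host, user, a, b = line.split("|", 4)
    return {"type": kind, "host": host, "user": user, "a": a, "b": b}


def locked_renames(lines, threshold=3):
    """Count renames that append .locked to a targeted file (name otherwise
    unchanged) and return the hosts at or above the threshold."""
    counts = Counter()
    for ev in map(parse, lines):
        if ev["type"] != "RENAME":
            continue
        old, new = PureWindowsPath(ev["a"]), PureWindowsPath(ev["b"])
        if (new.suffix.lower() == LOCKED_SUFFIX
                and old.suffix.lower() in TARGETED
                and new.name[:-len(LOCKED_SUFFIX)].lower() == old.name.lower()):
            counts[ev["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def renamed_psexec(lines):
    """Flag process starts whose original-name attribute says PsExec but whose
    on-disk image name is not psexec.exe (a renamed copy)."""
    hits = []
    for ev in map(parse, lines):
        if ev["type"] != "PROCESS" or ev["b"].lower() != "psexec":
            continue
        if PureWindowsPath(ev["a"]).name.lower() != "psexec.exe":
            hits.append((ev["host"], ev["a"]))
    return hits
```

A legitimate PsExec run under its own name (WS02) is not flagged; only the renamed copy in a temp directory is, and WS01 is also the host with three targeted files renamed to .locked.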

The ransom note reads:

"There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies." It goes on to threaten the victim to "NOT RESET OR SHUTDOWN — files may be damaged. DO NOT RENAME the encrypted files.  DO NOT MOVE the encrypted files.  This may lead to the impossibility of recovery of the certain files."

Finally, the payment demand is made in Bitcoin, with the final price being dependent on "how fast" the victim establishes contact with the hacker.

One thing that seems peculiar about LockerGoga is that although it is at its core ransomware, some variants do not seem to be after monetary gain.  Some versions of the ransomware encrypt the Windows Boot Manager, rendering the infected computer inoperable by not allowing it to boot into the operating system.  This further validates that some variants of LockerGoga aim to disrupt operations on the networks it infects.

The attack on Norsk Hydro immediately halted many of their critical production operations, forcing the company to isolate several plants and send several more into manual mode.  As a byproduct, the company saw its stocks fall by 0.8 percent.  Observers in the cyber-sphere are also alleging that a variant of LockerGoga may have been used to target the French engineering company Altran Technologies in January of this year.

The attack was significant, considering the implications of this type of disruption in the production of raw materials during wartime.  If we found ourselves in a state of total war, not just aluminum, but other materials like steel and iron, which are required for the immediate mobilization of the shipbuilding, aircraft, and munitions industries, could be severely compromised by opponents of the United States that are operating at a military disadvantage.

We have seen a rise in hacking against the U.S. by foreign governments recently.  Back in December, a Reuters report cited criminal hacking charges being prepared against Chinese nationals.  The U.S. government charges that Chinese hackers were involved in a cyber-espionage operation named "Cloudhopper."  At a press conference, FBI director Christopher Wray said at the time, "China's goal, simply put, is to replace the U.S. as the world's leading superpower and they're using illegal methods to get there."

With the recent shakeup at the top of the Department of Homeland Security, close scrutiny should be given to the experience held by Kevin McAleenan, U.S. Customs and Border Protection commissioner, currently acting in Kirstjen Nielsen's former capacity.  Bad actors have proven time and again that the easiest means of disrupting America is via cyber-attack.
