Mysterious LockerGoga Attacks on US Industry

Delaware, USA – March 25, 2019 – It became known about two victims of the LockerGoga ransomware that caused a great stir last week. According to Motherboard, this month, in addition to Norsk Hydro, two American chemical companies became victims of large-scale cyber attacks: Hexion and Momentive. The incidents occurred on March 12, but the companies did not disclose details, and only after the attack on aluminum manufacturing giant security experts managed to determine the malware used in these attacks. Both companies continue to recover after the local ransomware apocalypse; to date, they have already restored websites. On Friday, Hexion published a press release on the state of affairs after the attack, while Momentive has not yet commented on the incident. Last week, Cisco Talos published LockerGoga ransomware analysis, where they suggested that the threat actors behind the attacks could use malware to wipe traces of the cyber espionage activity, as it was during the NotPetya outbreak. LockerGoga doesn’t have worm-like capabilities, but its operators are skilled cybercriminals attacking the entire organization’s network.

The first attack was carried out against the Altran company in Europe, but the following three known attacks were targeted at the industrial companies in the United States. Thanks to the available information about the attack on Norsk Hydro, it is known that the attackers penetrate the company’s network, then gained access to the central Active Directory server and sent ransomware to all systems on the network at the same time. Regardless of the goals of the attackers, the recent attacks caused significant financial and reputational losses to companies. It is recommended to tighten control over remote connections and Active Directory servers. You can use VPN Security Monitor to detect suspicious connections to your network:
You can also use the Windows Security Monitor rule pack to perform statistical analysis and profiling of Active Directory basic security events: