LockerGoga, the strain of ransomware that is suspected to be behind the recent Norsk Hydro cyber attack, utilises an unusually disruptive hacking approach that can cause “chaos” for the industrial firms that it targets, according to cyber experts.
Norsk Hydro, a Norway-based aluminium manufacturer, was forced to disable part of its smelting operations and switch to manual operations after unusual activity was detected on its servers on March 19.
The resulting disruption is expected to cost Norsk Hydro between 300-350 million Norwegian crowns (USD $35-41 million) for the first week alone, with losses likely to be absorbed by its “solid cyber risk insurance policy,” which includes AIG as the lead insurer.
In the days following the initial attack, U.S.-based chemical companies Momentive and Hexion – both of which are owned by public equity firm Apollo Global Management – were also hit by suspected LockerGoga attacks.
Sources at cyber security firm FireEye recently told Wired that they had been dealing with multiple LockerGoga attacks on other industrial and manufacturing targets, which would put the total number of affected companies at five or more.
Experts are particularly concerned about this strain of ransomware because it seemingly aims to maximise disruption, shutting down computers entirely, locking out their users, and rendering it difficult for victims to even pay the ransom.
This contrasts with more common types of ransomware, which typically encrypt some files on a machine but otherwise leave it running, Earl Carter, a researcher at Cisco’s Talos division, told Wired.
“Everyone is kicked off the system so they can’t even get back to look at the ransom note,” he explained.
“It throws everything into chaos. You’ve just destroyed the operation of the system, so users can’t do anything at all, which is a much more significant impact on the network.”
This is especially problematic for industrial firms, which are targeted by ransomware hackers because they generally have stronger incentives to get operations back online quickly.
Such firms are also often more vulnerable to cyber threats due to their reliance on the Internet of Things and other automation technologies, which means there is a greater risk that hacks can end up physically damaging equipment or endangering staff.
“If you cripple the ability to operate an industrial environment, you’re costing that enterprise significant amounts of money and really applying pressure for every minute that loss of control continues,” Joe Slowik, a researcher at the security firm Dragos, told Wired.
“Unless that system is in a steady state of operation or has good physical fail-safes, you now have a process out of your control and out of view of your own eyes. That makes this extremely irresponsible and very nasty.”
The potential for this additional harm to equipment and staff is also a concern for insurers and reinsurers, who could face additional losses on top of the considerable business interruption costs that are expected to result from events like the Norsk Hydro attack.
Despite the aggressive nature of the attacks, LockerGoga hackers do still appear to be motivated by profit, with some impacted companies paying out six-figure ransoms to have their files returned, reports say.