LockerGoga in Manufacturing OT:

The Digital Immunity Kill Chain

July 31, 2019 | Tristan Lawson, Senior Solutions Architect

A good 6 months after its first appearance and numerous victims in its path including Hexion and Momentive, LockerGoga continues to be one of the top concerns and major disruptors of manufacturing operations that depend on Operational Technology.

Just last month, LockerGoga was used to grind to a halt all the world-wide operations (both IT and OT) of the Norwegian aluminum manufacturing company Norsk Hydro – with an estimated financial impact of over $35M.

Numerous researchers in the field collectively agree this is a very advanced type of threat that requires way more than the conventional countermeasures to stop its deadly path. Threat Researchers at Digital Immunity have surgically and forensically analyzed LockerGoga in its multiple variants to determine with accuracy how LockerGoga could be weaponized in an OT based environment. The outcome was that the common factor, modus-operandi, across all the LockerGoga attacks was the successful execution of foreign code which subsequently enabled attackers to launch LockerGoga. Preventing the execution of the said foreign code effectively prevents LockerGoga from being weaponized.

While many solutions claim foreign code detection, this in most cases happens after execution; only advanced OT cyber security solutions like Digital Immunity’s DI PROTECT™ can reliably and repeatedly detect the attempted execution of foreign code at run-time and stop execution preventing advanced threats like LockerGoga.

Let’s have a more detailed look at how LockerGoga gets in your OT environment and what you can do to protect your critical OT devices and infrastructure.

LockerGoga Ransomware

The LockerGoga threat was first observed January 24th, 2019. Since that date it has been spreading chaos through the industrial control system world as it launched and made numerous victims in its path. LockerGoga caused massive business disruption and, with the low likelihood of decryption and the ineffectiveness of mainstream cyber defenses, companies seem to only be able to react and recover to minimize the damage, using backups and Disaster Recovery (DR) mechanisms (if at all in place) – rather than prevent the attack.

The attackers behind LockerGoga are smart. They even managed to include a legitimate certificate signed by Comodo enabling it to more easily slip under the radar of mainstream application whitelisting solutions, allowing the attacks to happen within environments where signed code is required.


Who and What Is at Risk? 

LockerGoga has been used primarily in industrial controlled environments but can be used anywhere against anyone. LockerGoga attacks seem to happen mostly on specific Windows platforms – primarily Windows XP SP3 through Windows Server 2019 and Windows 10 build 1809.

When LockerGoga is executed with no switches, LockerGoga will only encrypt files with extensions of DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF.

Based on the events to date, it was noticed that when executing LockerGoga with a switch of “-w”, all file types are encrypted – which is the most common occurrence in industrial control environments. The intent of attackers launching LockerGoga is constantly focused on causing maximum damage to the targeted environment by encrypting critical file types other than just Office Document files – intentionally aiming at crippling daily operations irrelevant of the business tools in use. This makes LockerGoga a versatile attack weapon that can be used to attack most manufacturing industries as well as other sectors.


Technical Brief

The findings by Digital Immunity Threat Labs show that LockerGoga does not have the functions and capability to spread laterally to infect other machines on a network – it needs a ‘transport’ mechanism to compromise a target and spread. LockerGoga is a destructive tool which an attacker executes and spreads post compromise of a computer system and network.  One such mechanism to spread LockerGoga is PsExec. This is a system administration tool which forms part of the Windows Sysinternals Suite. It allows users to execute processes on other systems, complete with full interactivity for console applications, without the need to install client software on the target (same way Telnet works). As a result, attackers leverage PsExec to remotely execute ransomware – including LockerGoga amongst others.

The nature of how LockerGoga has been spread in previous ransomware attacks using tools such as PsExec emphasizes that systems had to be compromised beforehand to gain the ability to deploy and use PsExec and subsequently weaponize LockerGoga. These attackers all go through what is called the cyber kill chain (the structured sequence of stages of a cyber attack) to enable them to conduct phishing attacks, run exploitations, and execute malware in order to compromise a machine.


How Does It Work?

LockerGoga is unique when it comes to ransomware; it does not just encrypt files on the system on which it is executed but also changes the passwords for all the users on the system, ultimately locking out all legitimate users. Subsequently, LockerGoga encrypts all files and once completed, it makes changes to the firewall to disable network access to the system and disabling the network card itself.

LockerGoga also employs some interesting tactics to avoid Heuristics detection by both traditional Antivirus and Next Generation Antivirus – including AI driven mechanisms. One such trick is the use of mainstream components like CryptoPP and Boost library to encrypt files. It is also typical of ransomware to use the Windows Crypto API to encrypt files on a system and the use of a built-in library to handle the encryption function that enables LockerGoga to bypass traditional Antivirus and Next Generation Antivirus.

Where DI PROTECT™ Intercepts

By using DI PROTECT™ to protect the OT infrastructure, the attack flow through the cyber kill chain is disrupted, thus preventing the attack from happening. Not only would DI PROTECT™ block LockerGoga from running, but it would actually prevent any attacker from compromising the system – thus blocking them in real-time from running any other ransomware exploits before the damage is done.

No matter the technique LockerGoga employs to avoid Heuristics, signatures or sandboxing based defenses, it cannot avoid detection by DI PROTECT™. The advanced prevention defenses of DI PROTECT™ are designed to detect all foreign code upon execution, whether the system is on the network or stand-alone/off the network – thus immunizing devices against advanced type of attacks. Additionally, DI PROTECT™ does not rely on historic patterns to determine threats, therefore it is also effective on zero-day and new attacks in the wild.

DI PROTECT™ intercepts threats at the point where foreign code is executed to be loaded into memory – without interfering with the legitimate code. In the case of LockerGoga, Digital Immunity’s DI PROTECT™ would have prevented the PsExec from running, detecting it as likely foreign code to any environment; this would already have blocked the ability of attackers to launch LockerGoga. Additionally, the granular capabilities of DI PROTECT™ would have also detected and prevented attackers from impersonating and elevating privileges, thus limiting access to sensitive and mission critical system settings like the authentication mechanism.

With DI PROTECT™, invoked Ransomware code is caught at runtime and the execution would be prevented without disruption to the system and its legitimate processes.

What You Should Do NOW

While many would recommend you have adequate backups, ensure your systems are all patched and your configuration settings are hardened, it must be agreed that backups are a reactive, not pro-active, approach. OS hardening requires expertise and may end up being too restrictive, whereas patching operations require extensive (regular) overheads with potential disruptions of productivity – apart from the dependencies on vendors to issue patches on time. Additionally, legacy systems may not be supported by vendors anymore – hence without patch support. Lastly, all these may not be feasible without disruption to productivity (like reboot to apply a patch or setting) in view of the critical functions provided by control software in an OT infrastructure.

Our recommendation is that you assess how advanced OT cyber defenses like DI PROTECT™ help you proactively mitigate the risks that ransomware like LockerGoga, targeted and hacktivism attacks as well as zero-day exploits pose to any organization.

DI PROTECT™ will detect and prevent, in memory, at run-time, the execution of foreign code immunizing your devices against attacks including LockerGoga exploits. The prevention capabilities in DI PROTECT™ are designed to not disrupt legitimate processes, ensuring that operations continue uninterrupted – while attacks are stopped at the root.  DI PROTECT™ also capture’s deep forensics, in context, at the point of attack – thus providing detailed insights keeping you informed on what happened on your OT systems during an attack. DI PROTECT™ also delivers the added benefits of reduced down time, reduced emergency patching and increased uptime and revenue.

Don’t take our word for it – try DI PROTECT™ and let us know what you think.

Want to give Digital Immunity a try?
Click here for more information and to request a software demo.