LockerGoga ransomware severely impacted the Norwegian metals giant, Norsk Hydro, and provides a blueprint for malicious entities to weaponize ransomware variants for disruptive purposes.
Ransomware has existed in various forms as a threat to computer operations for decades, even if it has only risen to prominence in recent years. Throughout the evolution and spread of ransomware, events have shifted from focused targeting to near-indiscriminate wormable propagation to “big game hunting” of large enterprises through widespread compromise. Underneath these trends, a space has developed where state-sponsored, as opposed to criminal, elements can weaponize ransomware (or ransomware-like) functionality.
Beginning with a clumsy monetization effort by North Korea through WannaCry, ransomware-as-disruptor seemed to establish itself with the NotPetya event taking place only a few months later in 2017. Yet this event, while significantly disruptive and harmful, showed immaturity by being too obviously related to disruptive intentions as opposed to financial gain.
Later, a new version of the LockerGoga ransomware impacted Norsk Hydro. While superficially similar to other industrial-targeted ransomware events around the same time, the Hydro event incorporated unique disruptive characteristics, calling into question whether the attackers ever intended to decrypt systems after infection.
Nevertheless, insufficient data exists to adequately classify Hydro as a state-sponsored disruption event instead of a financially motivated criminal exercise. Given poor public-private information sharing due to mistrust and similar friction, combined with perverse financial incentives ranging from lawsuits to denied insurance claims, victims have little reason to come forward with the data needed to distinguish criminal ransomware from likely state-sponsored disruption. Only by resolving these issues and providing political and financial security to victims will governments be able to muster not only the cooperation, but even the information necessary to identify such threats, let alone combat them.