Exclusive Webinar:

Join us Oct. 6 as Rockwell Automation & Dragos CEOs reshape the way you approach cybersecurity in manufacturing.

Skip to main content

Spyware Stealer Locker Wiper: LockerGoga Revisited

LockerGoga ransomware severely impacted the Norwegian metals giant, Norsk Hydro, and provides a blueprint for malicious entities to weaponize ransomware variants for disruptive purposes.

Ransomware has lived in various forms as a threat to computer operations for decades, even if it has only risen to prominence in recent years. Throughout the evolution and spread of ransomware, events have shifted from focused targeting, to near indiscriminate wormable propagation, to “big game hunting” of large enterprises through widespread compromise. Underneath these trends, a space has developed where state-sponsored, as opposed to criminal, elements can weaponize ransomware (or ransomware-like) functionality.

Beginning with a clumsy monetization effort by North Korea through WannaCry, ransomware-as-disruptor seemed to establish itself with the NotPetya event taking place only a few months later in 2017. Yet this event, while significantly disruptive and harmful, showed immaturity by being too obviously related to disruptive intentions as opposed to financial gain.

A new version of the LockerGoga ransomware impacted Norsk Hydro later. While superficially similar to other industrial-targeted ransomware events around the same time, the Hydro event incorporated unique disruptive characteristics calling into question whether the attackers ever intended to decrypt systems after infection.

Nevertheless, insufficient data exists to adequately disposition Hydro as a state-sponsored disruption event instead of a financially motivated criminal exercise. Given poor public-private information sharing due to mistrust and similar friction, combined with perverse financial incentives from lawsuits  through denied insurance claims, victims have little reason to come forward with necessary data to disposition disruptive events between criminal ransomware and likely state-sponsored disruption. Only by resolving these issues and providing political and financial security to victims will governments be able to muster not only the cooperation, but even the information necessary to identify such threats – let alone combat them.

Enter your information to download the whitepaper.
Discover More Resources Using Keyword Tags
Frontline Perspective Joe Slowik

Discover more resources.

Explore more resources to support you on your ICS cybersecurity journey.

Read our next whitepaper


Threat Intelligence and the Limits of Malware Analysis

Joe Slowik
View Whitepaper
Right Arrow

View more whitepapers

Right Arrow

Ready to put your insights into action?

Take the next steps and contact our team today.