LockerGoga from Norsk Hydro Analysis

#Edited#: a recording of the Threat Gazette Live session on the Norsk Hydro cyber attack, and how SandBlast Agent prevents it, is now available.

The ongoing cyber attack on Norsk Hydro is changing fronts: fraud attempts are now trying to take advantage of an enterprise that is still not fully operational and still recovering from the attack that started on March 19th. For more details, join @Marcel_Afrahim and myself for Threat Gazette Live on April 1st; scroll down for details.

The following initial analysis by @Marcel_Afrahim shows that LockerGoga runs as a multi-process operation in which each process encrypts only a few files. This is done to evade detection and to work in parallel, and each batch of files gets its own decryption key, supposedly to make it harder to break.

You can dive deeper and analyze the malware yourself using its online SandBlast Agent forensic report.

Here is a view of the multi-process behaviour in the SandBlast Agent forensic report:

[Figure: 100's processes.PNG]

The main process doesn't try to move laterally, which suggests an initial dropper placed it on the machine. On execution it enumerates the files and launches a child process to encrypt each batch. After that, it cuts the computer's network communication.

Join Threat Gazette Live on April 1st to hear more; click the link for your preferred webinar time:

Click to register for the 8 a.m. GMT session (EMEA and APAC)

Click to register for the 11 a.m. EST session (Americas)


Thanks,

Gadi
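As an added example (not code from the original post, from Check Point, or from the SandBlast Agent forensic report), the Python sketch below turns the behaviour described in the post into a detection: one parent that fans out many short-lived children, each of which writes only a handful of files, followed by the parent cutting network connectivity. The event schema (proc_start / proc_exit / file_write / net_disable), the sample telemetry and the thresholds are all assumptions constructed for illustration; a real deployment would map these fields from EDR or Sysmon data and tune the thresholds against normal build and backup activity.

```python
"""Flag the fan-out encryption pattern: a parent spawning many short-lived
children that each touch only a few files, then disabling the network.

Added example; event format, thresholds and sample data are constructed
assumptions, not telemetry from the Norsk Hydro incident."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since the start of the capture
    kind: str        # "proc_start", "proc_exit", "file_write" or "net_disable"
    pid: int
    ppid: int = 0    # parent pid, meaningful for proc_start
    path: str = ""   # target path, meaningful for file_write


def find_fanout_encryptors(events: List[Event], min_children: int = 20,
                           max_files_per_child: int = 5,
                           max_child_lifetime: float = 10.0) -> List[Dict]:
    """Return one finding per parent whose children match the pattern.

    A child "fits" when it lived at most max_child_lifetime seconds and wrote
    between 1 and max_files_per_child distinct files. The finding also records
    whether the parent disabled networking after the last fitting child exited.
    """
    children: Dict[int, List[int]] = defaultdict(list)
    writes: Dict[int, Set[str]] = defaultdict(set)
    started: Dict[int, float] = {}
    exited: Dict[int, float] = {}
    net_cut: Dict[int, float] = {}
    for ev in events:
        if ev.kind == "proc_start":
            children[ev.ppid].append(ev.pid)
            started[ev.pid] = ev.ts
        elif ev.kind == "proc_exit":
            exited[ev.pid] = ev.ts
        elif ev.kind == "file_write":
            writes[ev.pid].add(ev.path)
        elif ev.kind == "net_disable":
            net_cut[ev.pid] = ev.ts

    findings = []
    for parent, kids in children.items():
        fitting = []
        for kid in kids:
            n_files = len(writes.get(kid, ()))
            # a child that never exited gets an infinite lifetime and never fits
            lifetime = exited.get(kid, float("inf")) - started[kid]
            if 0 < n_files <= max_files_per_child and lifetime <= max_child_lifetime:
                fitting.append(kid)
        if len(fitting) < min_children:
            continue
        last_exit = max(exited[k] for k in fitting)
        findings.append({
            "parent_pid": parent,
            "children": len(fitting),
            "files": sum(len(writes[k]) for k in fitting),
            "network_cut_after_children": parent in net_cut and net_cut[parent] >= last_exit,
        })
    return findings


def sample_events() -> List[Event]:
    """Constructed telemetry (assumption): a suspicious parent (pid 1000) fans out
    40 workers that each write 3 files in half a second, then disables networking;
    a benign build-like parent (pid 2000) has 3 long-lived children that each
    write 50 files and should not be flagged."""
    events = [Event(0.0, "proc_start", 1000, ppid=1)]
    t = 1.0
    for i in range(40):
        pid = 1001 + i
        events.append(Event(t, "proc_start", pid, ppid=1000))
        for j in range(3):
            events.append(Event(t + 0.1 * (j + 1), "file_write", pid,
                                path=f"C:\\data\\doc{i}_{j}.docx"))
        events.append(Event(t + 0.5, "proc_exit", pid))
        t += 0.5
    events.append(Event(t + 1.0, "net_disable", 1000))

    events.append(Event(100.0, "proc_start", 2000, ppid=1))
    for i in range(3):
        pid = 2001 + i
        events.append(Event(100.0, "proc_start", pid, ppid=2000))
        for j in range(50):
            events.append(Event(100.0 + j, "file_write", pid,
                                path=f"C:\\build\\obj{i}_{j}.o"))
        events.append(Event(160.0, "proc_exit", pid))
    return events


if __name__ == "__main__":
    for finding in find_fanout_encryptors(sample_events()):
        print(finding)
```

Running the block on the constructed sample reports only pid 1000 (40 children, 120 files, network cut after the last child exited); the build-like parent is ignored because its children each touch far more than a few files and live for a minute. The per-batch key the post mentions is not observable from process telemetry, so the detection keys on the process shape and the network cut-off instead.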