Ransomware not Dead

“Let me be clear: the situation for Norsk Hydro through this is quite severe,” Chief Financial Officer Eivind Kallevik said.

Aluminum maker Norsk Hydro was hit by LockerGoga ransomware and has shifted its operations to manual processes to keep production running. LockerGoga encrypts files with certain extensions and then drops a ransom note in a readme file demanding payment in Bitcoin. Security Boulevard reports that the malware was likely propagated through Active Directory.
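The two behaviours described above (many files rewritten with a new extension by one process, followed by a readme-style ransom note) are what a defender can look for in file-system telemetry. The following is an added example, not code from the original article: a small heuristic detector run over constructed event lines. The event format, the process names, the `.enc` extension, the note-name prefixes and the thresholds are all placeholders chosen for the example and are not LockerGoga indicators.

```python
"""Heuristic detection of ransomware-style file activity over file-system events.

Added example; everything below (event format, process names, extension, thresholds)
is constructed for illustration and is not drawn from real LockerGoga telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <process> <ACTION> <path>[ -> <newpath>]"
# Paths are assumed to contain no spaces so the line can be split on whitespace.
SAMPLE_EVENTS = [
    "2019-03-19T03:09:58 WINWORD.EXE WRITE C:\\Users\\ola\\budget.docx",
    "2019-03-19T03:10:00 upd8r.exe RENAME C:\\Users\\ola\\budget.docx -> C:\\Users\\ola\\budget.docx.enc",
    "2019-03-19T03:10:00 upd8r.exe RENAME C:\\Users\\ola\\plan.xlsx -> C:\\Users\\ola\\plan.xlsx.enc",
    "2019-03-19T03:10:01 upd8r.exe RENAME C:\\Users\\ola\\notes.txt -> C:\\Users\\ola\\notes.txt.enc",
    "2019-03-19T03:10:01 upd8r.exe RENAME C:\\Users\\ola\\deck.pptx -> C:\\Users\\ola\\deck.pptx.enc",
    "2019-03-19T03:10:02 upd8r.exe RENAME C:\\Users\\ola\\photo.jpg -> C:\\Users\\ola\\photo.jpg.enc",
    "2019-03-19T03:10:03 upd8r.exe WRITE C:\\Users\\ola\\README_LOCKED.txt",
    "2019-03-19T03:15:00 backup.exe RENAME C:\\Backups\\db.bak -> C:\\Backups\\db.bak.old",
]

RENAME_THRESHOLD = 5                # extension-appending renames by one process inside WINDOW
WINDOW = timedelta(seconds=30)      # assumed burst window
NOTE_PREFIXES = ("README", "HOW_TO", "DECRYPT")  # assumed ransom-note file-name patterns


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, proc, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return {
        "ts": datetime.fromisoformat(ts),
        "proc": proc,
        "action": action,
        "src": src,
        "dst": dst or None,
    }


def appended_extension(src, dst):
    """Return the extension a rename appended to src (e.g. '.enc'), or None."""
    if dst and dst.startswith(src) and len(dst) > len(src) and dst[len(src)] == ".":
        return dst[len(src):]
    return None


def detect(lines):
    """Return findings: a mass-rename burst per process, plus a ransom-note hit
    when the same process also wrote a README-style file."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    renames = defaultdict(list)   # proc -> [(ts, appended extension)]
    notes = defaultdict(list)     # proc -> [note path]
    for e in events:
        if e["action"] == "RENAME":
            ext = appended_extension(e["src"], e["dst"])
            if ext:
                renames[e["proc"]].append((e["ts"], ext))
        elif e["action"] == "WRITE":
            name = e["src"].rsplit("\\", 1)[-1].upper()
            if name.startswith(NOTE_PREFIXES):
                notes[e["proc"]].append(e["src"])

    findings = []
    for proc, items in renames.items():
        # Sliding window: flag the first window holding RENAME_THRESHOLD renames.
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                exts = {ext for _, ext in items[start:end + 1]}
                findings.append({"proc": proc, "rule": "mass_rename",
                                 "count": end - start + 1, "extensions": sorted(exts)})
                break
        if proc in notes and any(f["proc"] == proc for f in findings):
            findings.append({"proc": proc, "rule": "ransom_note", "paths": notes[proc]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The note rule is deliberately gated on the rename burst so that an ordinary application writing a file called README does not page anyone; in practice the rename threshold and window would be tuned against the environment's normal file churn, and the single-extension check (`extensions` collapsing to one value) is the signal that separates bulk encryption from a backup job renaming assorted files.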

Business interruption is an expensive impact, as we saw from the NotPetya and WannaCry attacks last year. The Mondelez v. Zurich court case over $100 million in losses shows the long tail of these attacks. Time to containment is critical to getting systems up and running and operations restored.

What surprised me was the fact that this attack was so widespread in such a sophisticated company. Back in 2005, I had the opportunity to meet with the Norwegian Cyber "Early Warning" VDI project led by Christophe Birkeland of the NSM NorCERT. It was the first attempt to have all major companies in a country put under an umbrella of cyber protection, led by the government. From the news articles on Norsk Hydro, that effort is still in place. But why didn't it catch LockerGoga?

I read through the Norwegian National Cybersecurity Strategy published in January 2019 and it is an excellent example of how public-private partnerships can leverage resources, build and evolve over time to address a dynamic threat environment. The paper discusses a next generation sensor that will be deployed to include classified signatures and IOCs. The very next section (1.2) states that "they will apply AI/ML to the collected data." The remaining Measures are also quite targeted and would be good input to a DHS program.

This latest ransom attack shows that hackers are not 'spraying and praying' and their code is innovating to avoid detection. The Cylance solution prevented the LockerGoga malware. And last year, Cylance prevented Wannacry and Notpetya in large ICS and Manufacturing environments. The Norwegian NSM approach to analyze data collected from Norwegian companies with AI/ML is important but applying robust software at the point of execution is also needed.
