Earlier today I noticed the press release in which the Norwegian company Hydro announced that they have been hit by a ransomware attack together with a targeted attack against their Active Directory. Hydro shut down many of their operations earlier today, and their website is currently down as well.
UPDATE: Here is the latest sample in the VirusTotal analysis: https://www.virustotal.com/en/file/eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0/analysis/1552049030/ It is still not detected by all AV vendors.
Source: https://www.digi.no/artikler/hydro-rammet-av-hackerangrep/460737 and https://e24.no/naeringsliv/norsk-hydro/nrk-hackerne-som-har-angrepet-hydro-har-stilt-krav-om-loesepenger/24585304
Apparently they were infected by a ransomware called LockerGoga, which surfaced earlier this year. It is the same ransomware that hit another company, Altran, in January (https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/), essentially shutting down their entire network and operations.
All files affected by LockerGoga are encrypted using AES-256 + RSA, and every encrypted file gets the .locked extension. The ransom note that is distributed as part of the code is similar to the one used by the BitPaymer ransomware, but the code itself is completely different (Source: http://id-ransomware.blogspot.com/2019/01/lockergoga-worker32-ransomware.html)
When Altran was hit earlier this year, the code was digitally signed with a valid certificate issued to a shell company called MILK Limited, which the attackers apparently created in the UK in order to obtain it. The certificate was issued by Comodo (now rebranded as Sectigo) and was later revoked. It is still not clear whether Hydro was hit with the same version or with a new sample.
The following file extensions get encrypted as part of the code:
.doc, .docx, .dobc, .dot, .dotx, .pdf, .pot, .potx, .pps, .ppsx, .ppt, .pptx, .sldx, .wbk, .xml, .xlbs, .xlsx,
Apparently the reason for the Active Directory attack was to spread the ransomware across the organization: LockerGoga does not spread on its own by normal means, so the AD attack would have been the way to push it out to multiple computers and across the infrastructure.
Most AV engines detected the previous version, but the new sample that was uploaded to VirusTotal a couple of weeks ago is still not detected by most AV engines: https://www.virustotal.com/en/file/ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f/analysis/1552247181/
You can read more about LockerGoga in the following article: http://id-ransomware.blogspot.com/2019/01/lockergoga-worker32-ransomware.html and in this one, which shows the timeline of the Altran attack and indicates that it most likely started with an email phishing attack: https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/
Detecting any changes:
As some simple steps to detect unauthorized changes in Active Directory, you can run the following scripts to check whether there have been changes to Group Policy and/or Active Directory.
List of changes made to Admin Accounts
Examine for any unauthorized changes in ADDS Group Policies
Get-GPO -All -Domain youraddomain | Format-Table DisplayName, CreationTime, ModificationTime
Also ensure that no changes have been made to the SYSVOL folder, such as new files or folders: regardless of whether a GPO was changed, a file dropped in SYSVOL is reachable from the entire AD domain.
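The three checks above (GPO modification times, admin account changes and new files in SYSVOL) can be run as one sweep. The script below is an added example and is not from the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that it is run from a domain-joined host with read access to the domain, and it uses a hypothetical seven-day lookback window that you should adjust to the time of the suspected intrusion.

```powershell
# Added example (not part of the original post): sweep a domain for recent changes to
# Group Policy, privileged group membership and SYSVOL contents.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, domain-joined host, read access.
param(
    [string]$Domain,            # defaults to the current domain's DNS root
    [int]$LookbackDays = 7      # hypothetical window; set to cover the suspected intrusion
)
Import-Module ActiveDirectory
Import-Module GroupPolicy

if (-not $Domain) { $Domain = (Get-ADDomain).DNSRoot }
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. GPOs created or modified inside the window (same data as the Get-GPO one-liner,
#    filtered so only recent changes are shown).
Write-Host "== GPOs created or modified since $since =="
Get-GPO -All -Domain $Domain |
    Where-Object { $_.ModificationTime -ge $since -or $_.CreationTime -ge $since } |
    Sort-Object ModificationTime -Descending |
    Format-Table DisplayName, CreationTime, ModificationTime, GpoStatus -AutoSize

# 2. Current members of privileged groups, with each object's whenChanged timestamp.
#    Review any member you do not recognise and anything flagged RecentlyChanged.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Group Policy Creator Owners'
Write-Host "== Privileged group membership (recently changed objects flagged) =="
$privilegedGroups | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Get-ADObject -Properties whenCreated, whenChanged |
        Select-Object @{n='Group'; e={ $group }}, Name, ObjectClass, whenCreated, whenChanged,
                      @{n='RecentlyChanged'; e={ $_.whenChanged -ge $since }}
} | Format-Table -AutoSize

# 3. Files added to or written in SYSVOL inside the window. Anything placed here is
#    readable from every domain member whether or not a GPO references it.
$sysvol = "\\$Domain\SYSVOL\$Domain"
Write-Host "== SYSVOL files created or written since $since =="
Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

Run it from a PowerShell session on a management host, for example `.\Check-ADChanges.ps1 -Domain youraddomain -LookbackDays 14`. The whenChanged attribute only tells you that an object was modified, not what changed; treat a hit as a lead to follow up in the domain controller security logs (or your SIEM) rather than as a conclusion on its own.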
You also have some LockerGoga samples here from AlienVault, which you can use to scan your environment as well –> https://otx.alienvault.com/pulse/5c91064110773b02d94457fc
Trend Micro also published some information and tips on how to remove it from your system as well –>