How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business

From Botnets.fr
Revision as of 11:33, 23 March 2019 by Eric.freyssinet


Botnet: LockerGoga
Target: Norsk Hydro, Altran
Date: 2019 / 2019/03/21
Link: https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
Author: Kevin Beaumont
Type: Blogpost

Abstract

While we may be sharing Indicators of Compromise — IoCs — a long list of meaningless hashes isn’t enough to protect people. The cyber security industry and partners missed a trick here, as we knew a major company had been attacked in a meaningful way, but it wasn’t followed up.

Additionally, the digital certificate being used to sign the ransomware was used to sign other malicious code — in fact it had only been used to sign malicious code — and had been issued to a company with £1 of assets which wasn’t even a trading company. Upon being informed of this, the Certificate Authority failed to revoke the certificate in a timely manner — a continuing issue with the same Certificate Authority, which is trusted by all Windows certificate stores. To compound the issue, even when revoked, a vast majority of security tools fail to do anything, as they do not retrieve the CRL and check the serial number for revocation. All security and technology should immediately block or flag code signed with specifically distrusted certificates. Essentially, there are cascading failures in the technology and security industry to protect customers.

Bibtex

@misc{2019BFR5363,
  editor = {},
  author = {Kevin Beaumont},
  title = {How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business},
  day = {21},
  month = mar,
  year = {2019},
  howpublished = {\url{https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}},
}