How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business

From Botnets.fr
Jump to: navigation, search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
Botnet LockerGoga
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target Norsk Hydro, Altran
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2019 / 2019/03/21
Editor/Conference
Link https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880 (Archive copy)
Author Kevin Beaumont
Type Blogpost

Abstract

While we may be sharing Indicators of Compromise — IoCs — a long list of meaningless hashes aren’t enough to protect people. The cyber security industry and partners missed a trick here, as we knew a major company had been attacked in a meaningful way, but it wasn’t followed up.

Additionally, the digital certificate being used to sign the ransomware was used to sign other malicious code — in fact it had only been used to sign malicious code — and had been issued to a company with £1 of assets which wasn’t even a trading company. Upon being informed of this, the Certificate Authority failed to revoke the certificate in a timely manner — a continuing issue with the same Certificate Authority, which is trusted by all Windows certificate stores. To compound the issue even when revoked a vast majority of security tools fail to do anything, as they do not retrieve the CRL and check the serial number for revocation. All security and technology should immediately block or flag code signed with specifically distrusted certificates. Essentially, there are cascading failures in the technology and security industry to protect customers.

Bibtex

 @misc{Beaumont2019BFR5363,
   editor = {},
   author = {Kevin Beaumont},
   title = {How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business},
   date = {21},
   month = Mar,
   year = {2019},
   howpublished = {\url{https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}},
 }