Low Unverified

Hexion and MPM Hit by Lockergoga Ransomware (Mar 2019)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On March 22, 2019, the ransomware group known as Lockergoga allegedly claimed responsibility for a ransomware attack against Hexion Inc. and MPM Holdings Inc., both US-based manufacturing companies. According to the threat actor’s leak site, the group claims to have successfully compromised the organizations’ networks, though no specific data samples or volume of stolen information have been disclosed. This claim has not been independently verified by Yazoul Security, and the group’s credibility remains low due to its limited track record.

Threat Actor Profile

Lockergoga is a relatively obscure ransomware group with an unknown total number of victims and no publicly available research detailing its tactics, techniques, and procedures (TTPs). The group’s name suggests a possible connection to the LockerGoga ransomware variant, which was previously associated with targeted attacks against industrial and manufacturing entities in 2019. However, it is unclear if this group is the original LockerGoga operators or an imitator.

Based on historical patterns of LockerGoga-related incidents, the group allegedly used:

  • Spear-phishing emails with malicious attachments to gain initial access.
  • Lateral movement via compromised credentials and remote desktop protocol (RDP).
  • File encryption with a distinctive .locked extension and a ransom note demanding payment in cryptocurrency.
  • Potential use of living-off-the-land binaries (LOLBins) to evade detection.

No YARA rules or specific detection guidance are publicly available for this group. Organizations should monitor for unusual file encryption activity, especially .locked file extensions, and review network logs for unauthorized RDP connections.
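The two monitoring points above (bursts of .locked file writes and RDP logons from unexpected sources) can be expressed as simple detection logic. The following is an added example, not tooling from the report or from Yazoul Security; the pipe-delimited event format, the sample events and the RDP allowlist network are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): "timestamp|host|kind|detail",
# where kind is file_write (detail = path) or rdp_logon (detail = source IP).
SAMPLE_EVENTS = """\
2019-03-22T03:10:55|dc01|rdp_logon|10.1.0.5
2019-03-22T03:11:20|fs01|rdp_logon|203.0.113.44
2019-03-22T03:14:01|fs01|file_write|C:\\Shares\\eng\\spec.docx.locked
2019-03-22T03:14:02|fs01|file_write|C:\\Shares\\eng\\bom.xlsx.locked
2019-03-22T03:14:02|fs01|file_write|C:\\Shares\\eng\\readme.txt.locked
2019-03-22T03:14:03|fs01|file_write|C:\\Shares\\eng\\README-NOW.txt
2019-03-22T03:14:04|fs01|file_write|C:\\Shares\\eng\\drawing.dwg.locked
2019-03-22T03:14:05|fs01|file_write|C:\\Shares\\eng\\plan.pdf.locked
2019-03-22T09:00:00|ws07|file_write|C:\\Users\\a\\notes.locked
""".splitlines()

# Assumed allowlist: networks that may legitimately open RDP sessions (e.g. a jump-host subnet).
ALLOWED_RDP_NETS = [ipaddress.ip_network("10.1.0.0/24")]

def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def detect(events, allowed_nets=ALLOWED_RDP_NETS, threshold=5, window=timedelta(seconds=60)):
    """Return findings as (rule, host, detail) tuples."""
    findings = []
    locked_times = defaultdict(list)  # host -> timestamps of .locked writes
    for line in events:
        ts, host, kind, detail = parse(line)
        if kind == "rdp_logon":
            # Any RDP logon whose source is outside the allowlist is flagged.
            src = ipaddress.ip_address(detail)
            if not any(src in net for net in allowed_nets):
                findings.append(("rdp_from_unexpected_source", host, detail))
        elif kind == "file_write" and detail.lower().endswith(".locked"):
            locked_times[host].append(ts)
    # Sliding window: flag a host once it reaches `threshold` .locked writes within `window`.
    for host, times in locked_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("locked_extension_burst", host, f"{end - start + 1} writes in {window.seconds}s"))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample, the single .locked file on ws07 stays below the burst threshold while fs01 is flagged for both the external RDP logon and the encryption burst.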

Alleged Data Exposure

The Lockergoga group claims to have exfiltrated data from Hexion Inc. and MPM Holdings Inc., but the volume and nature of the alleged data remain undisclosed. No screenshots, file lists, or data samples have been provided to substantiate the claim. This lack of evidence is typical of low-credibility actors who may be exaggerating or fabricating incidents to pressure victims into paying a ransom.

Given the manufacturing industry context, potential data exposure could include:

  • Proprietary manufacturing processes or formulas.
  • Customer and supplier contracts.
  • Employee personally identifiable information (PII).
  • Financial records and operational data.

However, without confirmation, these remain speculative.

Potential Impact

If the claim is verified, the impact on Hexion Inc. and MPM Holdings could be significant:

  • Operational disruption due to encrypted systems, potentially halting production lines.
  • Reputational damage from a public data breach, affecting customer trust.
  • Regulatory scrutiny, particularly if employee or customer PII is involved.
  • Financial losses from ransom demands, remediation costs, and potential litigation.

The manufacturing sector is a frequent target for ransomware due to its reliance on legacy systems and high operational downtime costs.

What to Watch For

  • Monitor for any official statements from Hexion Inc. or MPM Holdings regarding a security incident.
  • Watch for leaked data on dark web forums or other leak sites, which would confirm the claim.
  • Organizations in the manufacturing sector should review their defenses against LockerGoga-like tactics, including email security, RDP hardening, and endpoint detection.
  • If YARA rules become available, apply them to detect potential Lockergoga payloads.

Disclaimer

This report is based on unverified claims made by the Lockergoga ransomware group. Yazoul Security has not independently confirmed the incident, data exposure, or any other details. Ransomware groups routinely exaggerate or fabricate claims to pressure victims. This intelligence is provided for situational awareness only and should not be used as the sole basis for security decisions. No PII, download links, or access credentials are included.
