Low Unverified

Norsk Hydro Ransomware Attack by Lockergoga (Mar 2019)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On March 18, 2019, the Lockergoga ransomware group allegedly claimed responsibility for an attack against Norsk Hydro, a Norwegian manufacturing and aluminum production company. According to the threat actor’s leak site post, the group asserts it has compromised Norsk Hydro’s systems, though no specific data samples or evidence of exfiltration have been provided. The claimed data volume is undisclosed, and no proof-of-compromise files have been published at this time. This incident is purportedly part of a broader campaign targeting industrial and manufacturing entities.

Threat Actor Profile

Lockergoga is a ransomware variant that first emerged in early 2019, with limited public attribution. The group’s known tools and tactics include:

  • Delivery Method: Primarily distributed via phishing emails containing malicious attachments or links.
  • Encryption: Uses AES-256 encryption to lock files, appending the .lockergoga extension to affected files.
  • Ransom Note: Drops a ransom note named _LOCKERGOGA_README_.txt demanding payment in Bitcoin.
  • Notable Behavior: Lockergoga has been observed disabling Windows Defender and other security tools to evade detection.

The group’s credibility is low due to its limited track record. As of this report, no public research or YARA rules are available for Lockergoga. The group has not demonstrated a consistent pattern of data exfiltration or publication, which raises questions about the veracity of this claim.

Alleged Data Exposure

Based solely on the threat actor’s claims, the following information is purportedly compromised:

  • Data Types: Unspecified. The group has not disclosed what types of files or databases were allegedly accessed.
  • Data Volume: Undisclosed. No sample files or screenshots have been provided to substantiate the claim.
  • Evidence: No proof-of-compromise has been released, making it impossible to verify the extent of the alleged breach.

Ransomware groups often exaggerate or fabricate claims to pressure victims into paying. Without independent verification, this claim should be treated with skepticism.

Potential Impact

If the Lockergoga claim is verified, Norsk Hydro could face significant operational and reputational consequences:

  • Operational Disruption: Manufacturing systems may be encrypted, halting production lines and supply chain operations.
  • Financial Loss: Ransom demands, recovery costs, and potential regulatory fines could amount to millions of dollars.
  • Data Integrity: If sensitive data was exfiltrated, intellectual property or proprietary manufacturing processes could be exposed.
  • Regulatory Scrutiny: As a Norwegian company, Norsk Hydro may be subject to GDPR penalties if personal data is involved.

However, given the lack of evidence and Lockergoga’s limited history, the actual impact may be minimal or nonexistent.

What to Watch For

  • Official Statements: Monitor Norsk Hydro’s official channels for any acknowledgment or denial of the incident.
  • Leak Site Activity: Track the Lockergoga leak site for any future publication of data samples or ransom notes.
  • Industry Alerts: Check for advisories from Norwegian cybersecurity authorities (e.g., NSM) or sector-specific ISACs.
  • Detection Guidance: If YARA rules become available, they should be deployed to identify Lockergoga artifacts in network traffic or endpoints.

Disclaimer

This report is based solely on unverified claims made by the Lockergoga ransomware group on their leak site. Yazoul Security has not independently verified the accuracy of these claims. Ransomware groups frequently exaggerate or fabricate incidents to pressure victims. No data samples, download links, or access credentials have been included in this report. Organizations should treat this information as unconfirmed intelligence and await official statements from Norsk Hydro or relevant authorities before taking action.
