When Ransomware Becomes A Targeted Attack
When you lose $40 million to a ransom attack, that hurts. When you find out it's a new variant that appears to be high touch, you should start to think about your competitors. Norsk Hydro, a Norwegian aluminum maker, was hit with a LockerGoga ransomware attack on March 18th, and they still have not fully recovered.
When I say the LockerGoga ransomware appears high touch, I mean that, according to researchers, the actors manually copy and encrypt files from computer to computer. How inefficient, especially if all I want is for you to pay the ransom. Another curious thing to note is that the attackers do not send Bitcoin information, instead giving the company an email address for communication.
Putting on my former law enforcement hat and thinking like a criminal, it appears to me that the objective may be to disrupt operations more than to get paid by the company. For instance, if I am a competitor to Norsk Hydro, and we were both bidding on a contract, I could attack their company, disrupt their ability to deliver and win the bid. If I tarnish their reputation, even for a couple of weeks, that may give me the edge I need to win business. This is, of course, all speculation. But when you take the simple thought that there is a person behind each strand of code being produced, and that person (or group of people) has a purpose and objective, and you see that there is a uniqueness about the way the code is being used (who actually goes computer by computer to infect a machine?), it follows that the threat actor may only want you to be hindered and doesn’t really care about the money.