{
	"id": "1c5b21e4-d6ff-416e-bd8a-0c472e8f0c3b",
	"created_at": "2026-04-06T00:15:44.410579Z",
	"updated_at": "2026-04-10T03:20:31.923897Z",
	"deleted_at": null,
	"sha1_hash": "e619a73a2f7b213bf62763287f21d9a31b0ad865",
	"title": "How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3640633,
	"plain_text": "How Lockergoga took down Hydro — ransomware used in\r\ntargeted attacks aimed at big business\r\nBy Kevin Beaumont\r\nPublished: 2019-04-18 · Archived: 2026-04-05 13:04:03 UTC\r\nThis week Norsk Hydro, a large multinational manufacturer with 35,000 staff and over 100 years of history, had\r\nthe nightmare scenario of a worldwide apparent ransom attempt — their systems began to malfunction, and\r\nattackers had placed the following ransom note on their business and some production systems across the world:\r\nThe ransom note.\r\nEach impacted system had four key elements:\r\nThey all ran Microsoft Windows.\r\nFiles, including some system files, had been encrypted.\r\nThe network interface on every system had been disabled.\r\nThe local user accounts on every system had their password changed.\r\nhttps://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880\r\nPage 1 of 13\n\nFrom what I can gather, they have an existing security team and controls, and one of the things you haven’t seen\r\nthis time is people online highlighting a ton of obvious security flaws with their systems (see also, Equifax etc) —\r\nso what happened?\r\n“Essentially, there are cascading failures in the technology and security industry to protect customers.”\r\nThe event\r\nThe timeline, as far as it is known:\r\nHydro’s CIO believes attackers gained access around “2–3 weeks” before the attack.\r\nAround midnight (UTC) on Tuesday 19th March, security events were detected in Americas locations of\r\nHydro.\r\nIn the early hours of the morning, the attack began.\r\nBy 5am (UTC) Hydro had opted to disconnect their worldwide network (WAN).\r\nOver a month later, the company is still attempting to recover from the attack, and most of its 160\r\nmanufacturing locations are still operating in manual (non-IT driven) mode.\r\nWhy Norsk Hydro ASA as a target?\r\nI do not 
know, nor care to speculate. I can say for sure they were specifically targeted, as each LockerGoga\r\npayload contains a unique four-digit reference number and information unique to the target.\r\nAs business began on Tuesday 19th March 2019, Hydro had no website, no network and no self-managed IT. This\r\nis an incredibly difficult situation for a manufacturing company.\r\nThe CEO had started the job the day before.\r\nHydro posted notices at their 40 offices and manufacturing facilities across the world asking staff to disconnect\r\ntheir devices from local networks, and the recovery effort began.\r\nThey informed stock markets they were moving to ‘manual production’, which means they would operate\r\nfactories without modern IT.\r\nEach local factory manager was tasked with maintaining customer orders — for example, some operated from\r\npre-printed lists of orders.\r\nFor communication, Norsk Hydro ASA uses Office 365, which was completely unimpacted — so staff could still\r\ncommunicate with each other, the press and customers using mobile phones and tablets. Had Hydro not already\r\nmoved communications to a managed cloud service, the situation would have been more grave.\r\nFor communication with the outside world they used their Facebook account, and redirected hydro.com to a\r\ntemporary website hosted on Azure.\r\nThis website has since been moved behind Cloudflare, a managed DDoS protection provider.\r\nIncident representation\r\nHydro started the best incident representation response plan I’ve ever seen — they had a temporary website up,\r\nthey told the press, they told their staff, they apparently didn’t hide any details — they even had daily webcasts\r\nwith the most senior staff talking through what was happening, and answering questions. 
On the 2nd day they\r\neven took questions from webcast watchers.\r\nIn contrast to some other incidents, their stock price actually went up — despite a difficult trading period for the past\r\n2 years involving some major business setbacks, they have actually gained in value.\r\nIncident response\r\nHydro’s website says they have flown in staff from Microsoft and unnamed companies to help them recover. They\r\nhave also engaged with national cybercrime bodies, industry groups and police authorities. The incident is now a\r\npolice investigation.\r\nTheir CFO says they have backups of data which they are attempting to restore, and they have not paid a ransom.\r\nThey say it is unknown how long recovery will take, although in an interview with a Norwegian news\r\norganisation the CIO says full recovery will take months.\r\nHydro have provided videos about their recovery efforts.\r\nWhat went wrong?\r\nSecurity controls and industry\r\nSeveral weeks ago, I highlighted on Twitter that despite a high profile attack on Altran in January (34,000 staff\r\nmembers) using LockerGoga, a vast majority of endpoint security anti-malware products were failing to detect it. 
I\r\nhighlighted this because @malwrhunterteam on Twitter sent me a message saying ‘look at this and the poor\r\ndetection’.\r\nThe VirusTotal result showed a detection rate of 0 out of 67 anti-virus engines. Now, before vendors get annoyed, I am\r\nwell aware that VirusTotal results don’t tell the full story — however having zero detection from any engine is an\r\nextremely bad sign. I actually detonated the ransomware myself on several real world endpoints (in isolated\r\nfashion — as you’ll learn later, it doesn’t self-replicate either) and I couldn’t find an endpoint security tool which\r\nactually triggered a detection (although Cisco’s ThreatGrid sandbox technology did classify it as Generic\r\nRansomware).\r\nI used that Twitter thread to pressure several anti-malware producers into action, DMing staff I knew at said\r\ncompanies to get them to take a look.\r\nI found a few more samples in VirusTotal, clearly still in development — those, too, had little to no detection. 
I\r\nsent them on informally.\r\nAfter the Altran attack, which downed systems at a 34,000 employee company, only a handful of discussions\r\nhappened in the industry — I can only find one news article which actually mentions LockerGoga, for example,\r\nand little to no technical detail.\r\nAs far as I’m aware there is not any centralised way to contact everybody in the antivirus industry on matters of international\r\ninterest, so, a few people in, I completely forgot about it and went to watch Captain Marvel instead.\r\nEssentially, Norsk Hydro’s anti-malware solution did not have detection for the threat because not all the industry\r\nplayers were paying attention to a cartoon porg on Twitter (me) and a random person who I think doesn’t work in\r\nthe industry (MalwareHunterTeam).\r\nI’m not saying that’s how the industry should work, by the way, and I know it sounds self-aggrandising — but I’m\r\ntrying to make the point that maybe, as an industry, we’re really good at hyping threats in the media which are not\r\npractical in the real world and not great at looking at all the real world, actual attack data.\r\nWhile we may be sharing Indicators of Compromise — IoCs — a long list of meaningless hashes isn’t enough to\r\nprotect people. The cyber security industry and partners missed a trick here, as we knew a major company had\r\nbeen attacked in a meaningful way, but it wasn’t followed up.\r\nAdditionally, the digital certificate being used to sign the ransomware was used to sign other malicious code — in\r\nfact it had only been used to sign malicious code — and had been issued to a company with £1 of assets which\r\nwasn’t even a trading company. 
Upon being informed of this, the Certificate Authority failed to revoke the\r\ncertificate in a timely manner — a continuing issue with the same Certificate Authority, which is trusted by all\r\nWindows certificate stores. To compound the issue, even when a certificate is revoked a vast majority of security tools fail to do\r\nanything, as they do not retrieve the CRL and check the serial number for revocation. All security and technology\r\nshould immediately block or flag code signed with specifically distrusted certificates. Essentially, there are\r\ncascading failures in the technology and security industry to protect customers.\r\nAnother element — some LockerGoga deployments stop endpoint security products (and backup products) before\r\nfurther deployment.\r\nLateral movement\r\nLockerGoga does not have any code to self-spread, meaning it cannot self-replicate around a network — unlike\r\nother destructive code such as WannaCry and NotPetya.\r\nThis may actually be intentional — because it doesn’t use C2 (‘Command and Control’) servers or DNS traffic it\r\nis less likely to be picked up by network detection and endpoint classification tools, too.\r\nSo how did they plant LockerGoga? I speculated above it was probably using Active Directory — something like\r\nscheduled tasks or services. The initial assessment from NorCERT appears to back this up, although the\r\ninvestigation is still ongoing.\r\nIn order to pull that off you need remote access — it is not known how the attackers got access to Norsk Hydro’s\r\nnetwork at this stage. 
I would actually call upon Hydro to do something very unusual (so far) in incident response\r\nand open source release some of the information in this area later, as I strongly believe it can help protect every\r\ncompany — including their customers.\r\nOnce inside their network, they must have had Domain Administrator rights to execute the attack. Usually in\r\ncompanies it is extremely easy to get this access, despite the industry hard selling a range of privileged access\r\nmanagement tools, by simply:\r\nfishing logins out of memory using Mimikatz\r\ntaking passwords from Active Directory Group Policy Preferences — they’re often right there in the XML\r\nfiles. It’s the go-to, bread and butter of ‘Red Teams’.\r\nusing Pass-the-Hash attacks to surf around the entire network with the same local administrator password,\r\nbecause almost nobody deploys Microsoft Local Administrator Password Solution (LAPS).\r\nHowever it happened, they got to domain administrator. Like I say, normally this isn’t difficult, as almost all\r\ncompanies make the same simple Active Directory configuration errors and fail to prioritise remediation.\r\nGot root?\r\nOnce you’re an Active Directory administrator, if you are an attacker you can place the executable somewhere\r\nwhere every system in an organisation can reach — organisations almost universally allow Active\r\nDirectory traffic through their internal firewalls.\r\nBingo, you have the keys to the kingdom — the only thing stopping you now is security controls around endpoint\r\nmalware, and as we already established those wouldn’t have detected LockerGoga at the time of the attack.\r\nSo you can place it on a Domain Controller in the NETLOGON share under SYSVOL, which is replicated to every\r\nsite with a Domain Controller. 
Then you can use Group Policy such as scheduled task creation or service creation\r\nto automatically start the LockerGoga executable.\r\nImmediately, every single laptop, desktop and server connected to Active Directory will trigger the malicious\r\nsoftware.\r\nAnother way to do it is, of course, psexec * – psexec handily supports wildcards.\r\nMany people will talk about ‘air gapping’ Industrial Control Systems (ICS), however many organisations —\r\nalmost every organisation I’ve met, in fact — end up connecting some elements to Active Directory for benefits\r\nsuch as easy licensing, centralised account control etc. This leads to a situation where production systems — I’m\r\nnot talking about the technologist’s use of production, I mean the manufacturing industry term for systems which do\r\nsomething critical at the coalface — are linked to a central system which can be misused.\r\nI should be clear here that I’m not saying ICS systems shouldn’t be joined to Active Directory because, risk\r\nassessment wise, unless you’re an extremely high profile target the benefits may outweigh the risks. I am saying\r\nthey should probably be joined to an entirely separate Active Directory forest, and administrator access should be\r\nincredibly tightly controlled.\r\nThe impact\r\nLeft adrift\r\nLockerGoga does a few things, some unique:\r\nIt ends up using every CPU core and thread during encryption and is very, very fast. This is because it\r\nspawns hundreds of executables for encryption. On an average system within a few minutes, it is toast.\r\nAdditionally, some technical blogs on LockerGoga mention a list of file types that are encrypted which\r\nonly includes things like Office files — I can say first hand that it also encrypts system files such as DLL\r\nfiles across the C: drive. 
Since it is deployed at administrator level using Active Directory, it has full\r\ncontrol of all files.\r\nIt depends on the version being run (on VirusTotal you can see different LockerGoga executables with\r\ndifferent features) but newer versions use netsh.exe to disable all network cards after encryption is done.\r\nIt then changes every local administrator account password.\r\nIt then logs you off, using logoff.exe.\r\nRecovery\r\nOn laptops and desktops, what you’re left with is the ability to log back in using domain user accounts (it\r\ncan’t impact Active Directory accounts) on a cached basis, but your users are off the network, as an administrator\r\nyou cannot reach the PC remotely to fix it, and all the user can do is read the ransom note. They cannot use email,\r\nthey cannot read a broadcast from the company on their PC, and they likely cannot work as their files are encrypted.\r\nYou cannot log in at the physical console to recover the system as you do not know the local administrator details\r\nany more.\r\nOn servers you have service issues, as changing the local administrator passwords can impact system services\r\nusing local accounts (such as Microsoft SQL, Sophos etc).\r\nLearning opportunities\r\nHere are the top ten things I think we can take away from this:\r\nGovernments and industry\r\nThere is a serious lack of open information sharing after ransomware incidents which involve unusual code. Right\r\nnow we’re super protected against, say, WannaCry — but after Altran, a lack of transparency and openness led to\r\nthe same issue elsewhere.\r\nThis will happen again with other threats. In my opinion it is in national and international interests for\r\ngovernments to be informed of technical details of all major business incidents around malicious code causing\r\noutages (e.g. wipers, ransomware) and that information should be shared with security vendors and other\r\ngovernments. 
I know many organisations won’t want to provide this information so governments or regulators\r\nmight need levers to pull to compel disclosure.\r\nCompanies\r\nOrganisations should look at how Hydro disclosed and dealt with the issue so far in the public arena. It looks like\r\nit may be a textbook example of how incident response should be done, with transparency and openness. Not only\r\ndid the public and media perception go well, but the business end went well too — people didn’t sell off shares\r\nbecause they felt genuinely informed and that Hydro had a dire situation under control.\r\nSecurity industry\r\nI feel the industry could do a better job at advising what the benefits and weak spots of their products are in terms of\r\ndetection, so customers can make informed choices about where they may need to introduce additional controls\r\nand investment.\r\nI know, I’m naive.\r\nThe cyber security industry is currently going through a hype cycle where some vendors are simply overselling\r\ntheir products — including internally — so you can end up with customers like Hydro which likely had a\r\nreasonable security stack, but got wiped out anyway. Hydro aren’t alone here in their journey.\r\nI’ve seen vendors talking about Artificial Intelligence made malware — where AI creates the malware itself —\r\nwhich isn’t even a real thing. The reality here is we had an in-the-wild, classic ransomware attack around for\r\nmonths and there wasn’t anywhere approaching good detection. Stop talking about blockchain and start detecting.\r\nDetection inside organisations\r\nYour Security Information and Event Management (SIEM) tool should have alerts to detect excessive addition of\r\nnew scheduled tasks and/or services. This is not a default alert I’ve seen in any vendor, and I don’t think\r\nit’s a CIS control either. 
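As an added example (not code from the original post, and not Hydro’s or any vendor’s detection logic), here is what those SIEM alerts look like when written out as rules: Python run over constructed Windows event records keyed on the real event IDs 4698 (scheduled task created), 7045 (service installed), 4688 (process created) and 4724 (password reset). It covers the scheduled task and service burst described just above, and also the netsh.exe / logoff.exe and local administrator password change checks that appear further down this list, since all three are the same kind of rule. The sample events, host names, task names and thresholds are invented for illustration; a real deployment would feed the rules from forwarded event logs and tune the windows to its own change-management noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs the rules key on (Security log unless noted).
SCHEDULED_TASK_CREATED = 4698
SERVICE_INSTALLED = 7045      # System log
PROCESS_CREATED = 4688
PASSWORD_RESET = 4724
SUSPECT_IMAGES = ('netsh.exe', 'logoff.exe')

# Constructed sample events, NOT real Hydro telemetry. Timestamps are UTC;
# hosts and task names are invented. A real pipeline would build these dicts
# from forwarded event logs; only the image basename is kept for 4688.
SAMPLE_EVENTS = [
    {'time': '2019-03-18T23:00:00', 'host': 'WS07', 'event_id': 4698, 'name': 'OneDrive Update Task'},
    {'time': '2019-03-19T00:02:10', 'host': 'DC01', 'event_id': 4698, 'name': 'WinUpdateHelper'},
    {'time': '2019-03-19T00:02:12', 'host': 'WS01', 'event_id': 4698, 'name': 'WinUpdateHelper'},
    {'time': '2019-03-19T00:02:15', 'host': 'WS02', 'event_id': 4698, 'name': 'WinUpdateHelper'},
    {'time': '2019-03-19T00:02:19', 'host': 'SRV-SQL01', 'event_id': 7045, 'name': 'WinUpdateSvc'},
    {'time': '2019-03-19T00:02:40', 'host': 'WS03', 'event_id': 4698, 'name': 'WinUpdateHelper'},
    {'time': '2019-03-19T00:03:01', 'host': 'WS04', 'event_id': 4698, 'name': 'WinUpdateHelper'},
    {'time': '2019-03-19T00:04:00', 'host': 'WS02', 'event_id': 4688, 'image': 'netsh.exe'},
    {'time': '2019-03-19T00:05:30', 'host': 'WS01', 'event_id': 4688, 'image': 'netsh.exe'},
    {'time': '2019-03-19T00:05:31', 'host': 'WS01', 'event_id': 4688, 'image': 'netsh.exe'},
    {'time': '2019-03-19T00:05:33', 'host': 'WS01', 'event_id': 4688, 'image': 'netsh.exe'},
    {'time': '2019-03-19T00:05:40', 'host': 'WS01', 'event_id': 4688, 'image': 'logoff.exe'},
    {'time': '2019-03-19T00:06:00', 'host': 'SRV-SQL01', 'event_id': 4724, 'target': 'Administrator', 'target_domain': 'SRV-SQL01'},
    {'time': '2019-03-19T00:06:05', 'host': 'DC01', 'event_id': 4724, 'target': 'jsmith', 'target_domain': 'CORP'},
]
SERVERS = {'DC01', 'SRV-SQL01'}   # invented asset list: which hosts count as servers


def _ts(event):
    return datetime.strptime(event['time'], '%Y-%m-%dT%H:%M:%S')


def mass_task_or_service_creation(events, window_minutes=10, min_hosts=5):
    '''Alert when new scheduled tasks / services land on at least min_hosts
    distinct hosts inside one sliding window. One admin creating a task on
    one box never fires; a GPO- or psexec-driven push across the estate does.'''
    hits = sorted((_ts(e), e['host']) for e in events
                  if e['event_id'] in (SCHEDULED_TASK_CREATED, SERVICE_INSTALLED))
    window = timedelta(minutes=window_minutes)
    alerts = []
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1                      # slide the window forward
        hosts = {host for _, host in hits[start:end + 1]}
        if len(hosts) >= min_hosts:
            alerts.append({'first_seen': hits[start][0].isoformat(), 'hosts': sorted(hosts)})
            start = end + 1                 # one push, one alert: restart after it
    return alerts


def netsh_logoff_burst(events, window_minutes=5, min_count=3):
    '''Per host: at least min_count launches of netsh.exe / logoff.exe inside
    the window. The ransomware drops every NIC with netsh and finishes with
    logoff.exe, so the burst lands right after encryption completes.'''
    per_host = defaultdict(list)
    for e in events:
        if e['event_id'] == PROCESS_CREATED and e.get('image', '').lower().endswith(SUSPECT_IMAGES):
            per_host[e['host']].append(_ts(e))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, times in sorted(per_host.items()):
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                alerts.append({'host': host, 'first_seen': times[i].isoformat(), 'count': len(times)})
                break
    return alerts


def local_admin_reset_on_server(events, servers):
    '''4724 whose target is the built-in local Administrator of a server. For a
    local account the target domain field equals the computer name, which is
    how a local reset is told apart from a domain account reset on the same box.'''
    return [{'host': e['host'], 'time': e['time']} for e in events
            if e['event_id'] == PASSWORD_RESET
            and e['host'] in servers
            and e.get('target', '').lower() == 'administrator'
            and e.get('target_domain', '').upper() == e['host'].upper()]


def run_rules(events=SAMPLE_EVENTS, servers=SERVERS):
    '''Run every rule and return the alerts keyed by rule name.'''
    return {
        'mass_task_or_service_creation': mass_task_or_service_creation(events),
        'netsh_logoff_burst': netsh_logoff_burst(events),
        'local_admin_reset_on_server': local_admin_reset_on_server(events, servers),
    }


if __name__ == '__main__':
    for rule, alerts in run_rules().items():
        print(rule, len(alerts), alerts)
```

On the constructed sample the first rule fires once (the five-host push starting at 00:02:10, while the lone task on WS07 an hour earlier stays silent), the second fires for WS01 only (WS02 ran netsh once, which is normal admin activity), and the third flags the Administrator reset on SRV-SQL01 but not the domain user reset logged on DC01. If you rename the built-in Administrator account, match the target SID ending in -500 instead of the account name, and expect to raise the host threshold on patch nights where software deployment legitimately creates services in bulk.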
I might write this up one day.\r\nIf you don’t have a SIEM tool, deploy Azure Sentinel. It’s currently free, no infrastructure, Microsoft\r\nmanaged, and comes with a bucket load of free use cases (it ships with over a thousand detections) out of the\r\nbox. You can onboard your entire organisation faster than you can set up a Splunk Heavy Forwarder.\r\nDetect things like Mimikatz and Pass-the-Hash attacks. Azure Sentinel does this out of the box, no config. If\r\nyou get your alerts configured right and without false positives (it’s possible) then jump on them as soon as\r\nthey go off. Priority -3493289. Make it monitored 24/7 and on call.\r\nDetect excessive usage of netsh.exe and logoff.exe.\r\nDetect local administrator password changes, particularly on servers.\r\nDetect your endpoint security solutions being stopped and/or disabled.\r\nEnable ‘tamper protection’ in your security products — e.g. in Sophos Endpoint with Sophos Enterprise\r\nConsole you need to manually enable Enhanced Tamper Protection, otherwise attackers can easily just stop\r\nSophos.\r\nMake sure endpoint security products are universally deployed (e.g. via enforced Group Policy\r\ndeployment), do not allow IT staff to disable them, and do not allow policies to be weakened outside\r\nchange management (e.g. overly broad whitelists).\r\nBackup everything.\r\nHave read-only backups, too, if you use disk-to-disk.\r\nHave a very heavily defended backup infrastructure. Only the people who must have access to a backup\r\nserver should have access. 
Take Domain Admins out of the Local Administrators group; make it truly secure.\r\nKeep an eye on infections of Trickbot and Emotet via Office macros.\r\nKeep an eye on infections of PowerShell Empire and Cobalt Strike on endpoints and servers.\r\nUse a service like Shodan Monitor to monitor your external IP ranges for open RDP servers and other\r\nmisconfigurations.\r\nDo not pay the ransom.\r\nDo not pay the ransom.\r\nDo not pay the ransom.\r\nSource: https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"
	],
	"report_names": [
		"how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"
	],
	"threat_actors": [],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e619a73a2f7b213bf62763287f21d9a31b0ad865.pdf",
		"text": "https://archive.orkl.eu/e619a73a2f7b213bf62763287f21d9a31b0ad865.txt",
		"img": "https://archive.orkl.eu/e619a73a2f7b213bf62763287f21d9a31b0ad865.jpg"
	}
}