Ransomware forces two chemical companies to order "hundreds of new computers"




A ransomware attack appears to have hit two American chemical companies, Motherboard has learned.

Hexion and Momentive, which make resins, silicones and other materials and are controlled by the same investment fund, were hit by the ransomware on March 12, according to a current employee. An internal email obtained by Motherboard, signed by Momentive CEO Jack Boss, refers to a "global IT outage" that forced the companies to deploy "SWAT teams" to cope with it.

Judging by the ransom note, the ransomware that hit Hexion and Momentive appears to be LockerGoga, the same ransomware that forced aluminum manufacturing giant Norsk Hydro to shut down its global network this week. Motherboard compared the ransom note associated with the Momentive attack with notes from known LockerGoga attacks and found that the language and formatting were identical.

On the day of the attack, some of the company's Windows computers showed a blue screen error and had their files encrypted, said the current employee, who asked to remain anonymous because they were not authorized to speak to the press.

"All [went down]. Still no network connection, email, nothing," they said Thursday during an online chat.

Boss's email indicated that the data on all the computers affected by the ransomware was probably lost and that the company had ordered "hundreds of new computers."


A screenshot of the ransom note displayed on a Momentive laptop. Image: Motherboard

On Friday night, Hexion announced in a press release that it was working on resuming normal operations "in response to a recent network security incident."

Boss's email indicates that the ransomware first hit the company last week and explains what the company is doing to recover. Among the measures taken, Boss mentions that Momentive is offering some employees new email accounts because their old ones are still inaccessible. The company notes that it is using a new domain, momentiveco.com, for the new email addresses rather than momentive.com.

Motherboard sent an email to a known Momentive address on the old domain, momentive.com, but it bounced. The error message states that "because of a network event," mail services are currently unavailable.

The leaked email also notes that, as more and more people emailing the company receive the same error message Motherboard encountered, more employees are likely to be contacted by third parties looking for additional information. It then lists an email address and a phone number to give to the media. Motherboard called that number and emailed that address, but did not receive a response.

On Friday, Motherboard called Hexion's main phone line. The employee who answered refused to provide information on the attack. When asked if there had been an incident, the employee replied "no comment" and immediately hung up. Motherboard called back and spoke to someone else, who did not identify themselves but said they could not provide us with any information.

The news of this attack shows that the hackers behind the LockerGoga ransomware may be more active than expected.

Until today, LockerGoga, a relatively new type of malware that infects computers, encrypts their files and demands a ransom, had only two known victims. The first known casualty was Altran, a French engineering consulting firm that was hit at the end of January. Earlier this week, Norwegian aluminum giant Norsk Hydro revealed that it had been hit by a ransomware attack. A Kaspersky Lab spokesperson said the company knows of more victims around the world.

Hydro did not name the malware that hit it. But Norwegian media, citing the local authorities in charge of cybersecurity, reported that it was LockerGoga. MalwareHunterTeam, a group of independent security researchers, found a LockerGoga sample on the online malware repository VirusTotal that had been uploaded from Norway on the day Hydro was hit.

MalwareHunterTeam told Motherboard that the ransom note shared by our source was very similar to the one found in the LockerGoga attacks.

Joe Slowik, a security researcher at Dragos, a cybersecurity company that focuses on critical infrastructure, who has studied the malware, said LockerGoga does not look well designed for its purpose: collecting money from victims. In fact, as the ransom note states, and unlike other popular ransomware, victims have to email the hackers and negotiate a price for decrypting their files, making it harder for the criminals to scale their earnings.

"It's a very inefficient piece of ransomware," Slowik told Motherboard during a phone call.

It may be an inefficient way to raise money, but it is apparently good enough to slow down multinational companies in both Europe and the United States.

Do you have a tip? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on OTR chat at [email protected], or by email at lorenzo@motherboard.tv.

Listen to CYBER, Motherboard's new weekly podcast about hacking and cybersecurity.
