Ransomware strain LockerGoga has struck two U.S.-based companies in recent days. On March 22, Hexion, a provider of thermoset resins, and Momentive, a provider of silicones and advanced materials, both announced they were the victims of a ransomware attack, which experts believe is the LockerGoga strain.
If that name rings a bell, it’s because LockerGoga made headlines on March 19 when it attacked Norsk Hydro, an aluminum producer based in Norway. This strain of ransomware, which is relatively new to the cyber scene, encrypts computer files and demands payment to unlock them.
On the day of the attack, some of Momentive’s Windows computers were hit with a blue screen error and had their files encrypted, according to Motherboard, which broke the initial Norsk Hydro story. In an email obtained by Motherboard, Momentive CEO Jack Boss said the company had to purchase hundreds of new computers as a result of the attack.
In statements confirming the attacks, both companies, which are controlled by the same investment fund, said they have implemented recovery plans and hope to return to normal business functions soon.
Hexion said that once it discovered the attack it took “aggressive steps to isolate the issue by disabling certain systems and notifying the appropriate government authorities.” Additionally, it said that the ransomware attack primarily impacted the company’s corporate functions. “Hexion currently does not believe that any customer, supplier or employee data was impacted as a result of this incident,” the press release noted.
Momentive said it was working with outside cybersecurity experts as part of its recovery efforts. The company also said the attack primarily impacted its corporate functions and that it has “has found no evidence that any customer, supplier or employee information was accessed or exfiltrated during this incident, or that any customer or supplier systems or data outside the company’s network have been impacted.”
Neither Hexion nor Momentive have indicated whether they plan to pay the ransom, though their actions since the attack, including purchasing new computers and creating new email domains, indicate that they do not intend to pay the hackers to regain access to encrypted files.