Recurring: one_organization, multiple_organization
(a) The software failure incident having happened again at one_organization:
The LockerGoga ransomware attack has affected multiple organizations. For example, after an initial infection at the French engineering consulting firm Altran, LockerGoga also hit the Norwegian aluminum manufacturer Norsk Hydro, forcing some of the company's aluminum plants to switch to manual operations [81836]. This shows that the same type of software failure incident occurred again, this time within the organization Norsk Hydro.
(b) The software failure incident having happened again at multiple_organization:
The LockerGoga ransomware attack has impacted multiple organizations. Apart from Norsk Hydro, other manufacturing companies such as Hexion and Momentive have also been hit by LockerGoga, with Momentive experiencing a "global IT outage" [81836]. Additionally, security researchers have dealt with multiple LockerGoga attacks on other industrial and manufacturing targets that were not specifically named, indicating that the incident has occurred at multiple organizations [81836].
Phase (Design/Operation): design, operation
(a) The software failure incident related to the design phase can be seen in the case of the LockerGoga ransomware attack on industrial firms like Norsk Hydro, Hexion, and Momentive. The ransomware paralyzed computers across these companies, leading to catastrophic consequences such as global IT outages and forcing some plants to switch to manual operations. The attackers gained initial access to victim networks through various means, possibly including phishing attacks or purchasing credentials from other hackers. They then used common hacking toolkits and techniques to move laterally within the networks and plant their ransomware payload on target machines [81836].
(b) The software failure incident related to the operation phase is evident in how LockerGoga goes beyond typical ransomware attacks by not only encrypting files but also disabling the computer's network adapter, changing user and admin passwords, and logging the machine off. This level of disruption makes it difficult for victims to even see the ransom message, delaying their ability to recover their systems or pay the extortionists and causing greater disruptions to their network operations. The aggressive effects of LockerGoga on industrial firms pose a serious risk, potentially leading to unsafe conditions or industrial accidents if the ransomware infects the computers controlling industrial equipment [81836].
Boundary (Internal/External): within_system, outside_system
(a) The software failure incident described in the article is primarily within_system. The ransomware known as LockerGoga is designed to fully paralyze computers within industrial and manufacturing firms by encrypting files, locking out users, disabling network adapters, changing passwords, and logging machines off [81836]. The hackers gain initial access to victim networks through various means such as phishing attacks or purchasing credentials from other hackers. Once inside the network, they use common hacking toolkits to move laterally and exploit vulnerabilities to plant their ransomware payload on target machines. The ransomware then rapidly encrypts the computer's files, making the system inoperable and causing significant disruptions to the affected organizations.
Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident in the article was primarily due to non-human actions, specifically the ransomware known as LockerGoga. This ransomware paralyzed computers across industrial firms, leading to catastrophic consequences such as forcing aluminum plants to switch to manual operations and causing global IT outages [81836].
(b) However, human actions also played a role in the software failure incident. The hackers behind LockerGoga gained initial access to victim networks through various means such as phishing attacks or purchasing credentials from other hackers. They used hacking toolkits and exploited vulnerabilities to move through the network and plant their ransomware payload on target machines. Additionally, the hackers disabled antivirus software on target machines before running their encryption code, making it more difficult for victims to defend against the attack [81836].
Dimension (Hardware/Software): software
(a) The software failure incident reported in the article is primarily due to factors originating in software rather than hardware. The incident involves a new breed of ransomware known as LockerGoga that has paralyzed industrial firms' computers, leading to catastrophic consequences such as forcing aluminum plants to switch to manual operations and causing global IT outages [81836].
(b) The software failure incident is directly related to software factors, specifically the LockerGoga ransomware, which encrypts files, locks out users, disables computers entirely, changes passwords, and disconnects machines from the network. The ransomware's disruptive nature goes beyond typical ransomware attacks, causing significant chaos and disruptions to the victim's network operations [81836].
Objective (Malicious/Non-malicious): malicious
(a) The software failure incident described in the article is malicious in nature. It involves a ransomware attack by a new breed of ransomware known as LockerGoga, which targets industrial and manufacturing firms with the intent to extort money by encrypting files and fully paralyzing computers across the company [81836]. The attackers use various techniques to gain initial access to victim networks, move laterally within the network, disable antivirus software, encrypt files, and demand ransom payments in bitcoin. The ransomware also goes further by disabling the computer's network adapter, changing passwords, and logging the machine off, causing significant disruption and chaos within the victim's network [81836].
(b) The software failure incident is not non-malicious. It is a deliberate and targeted attack by threat actors seeking financial gain through extortion. The attackers demonstrate knowledge of the victim's network, use sophisticated hacking tools, and employ tactics to maximize the impact of the ransomware, indicating a malicious intent to harm the systems and disrupt operations [81836].
Intent (Poor/Accidental Decisions): poor_decisions
(a) The intent of the software failure incident:
The software failure incident involving LockerGoga ransomware appears to be driven by poor decisions made by the threat actors behind the attack. The ransomware not only encrypts files but also fully paralyzes computers across industrial firms, causing catastrophic consequences. The attackers deliberately target industrial and manufacturing firms, knowing that these companies are highly incentivized to quickly pay the ransom. The attackers use aggressive tactics such as disabling the network adapter, changing passwords, and logging machines off, making it extremely difficult for victims to even pay the ransom. This deliberate and disruptive approach suggests a malicious intent to cause significant harm and financial loss to the targeted companies [81836].
Capability (Incompetence/Accidental): development_incompetence
(a) The software failure incident related to development incompetence is evident in the case of the LockerGoga ransomware attack on industrial firms. The attackers behind LockerGoga demonstrated a high level of professional competence in their malicious activities. They were able to gain initial access to victim networks, move laterally within the networks using common hacking toolkits, exploit vulnerabilities, and plant ransomware payloads on target machines [81836].
(b) The accidental aspect of the software failure incident is not explicitly mentioned in the article. The incident primarily revolves around deliberate and targeted actions by the hackers behind the LockerGoga ransomware, rather than accidental factors.
Duration: permanent
(a) The software failure incident described in the article is of a permanent nature. The LockerGoga ransomware attack on industrial firms, such as Norsk Hydro, Hexion, and Momentive, resulted in catastrophic consequences, including global IT outages and the need to switch to manual operations [81836]. The ransomware not only encrypted files but also fully paralyzed computers, leading to significant disruptions and potential physical harm to equipment and staff. The attackers used various techniques to gain access to victim networks, plant ransomware payloads, and disable antivirus measures, making recovery and system restoration challenging for the affected companies. The disruptive nature of LockerGoga, which goes beyond typical ransomware attacks, indicates a more permanent impact on the targeted systems and operations.
Behaviour: omission, byzantine, other
(a) crash: The software failure incident described in the article is related to a ransomware attack known as LockerGoga. This ransomware fully paralyzes computers across industrial firms, forcing some companies to switch to manual operations and causing global IT outages [81836].
(b) omission: The ransomware incident caused by LockerGoga leads to a failure of the system to perform its intended functions, as it locks out users, disables the network adapter, changes passwords, and logs machines off, preventing victims from even seeing the ransom message in some cases [81836].
(c) timing: The article does not mention failures related to timing issues in the ransomware incident.
(d) value: The article does not mention failures in which the system performed its intended functions incorrectly in the ransomware incident.
(e) byzantine: The behavior of the ransomware incident can be considered byzantine due to the erratic and disruptive actions taken by LockerGoga, such as disabling network adapters, changing passwords, and logging machines off, leading to chaos and significant disruptions in the network [81836].
(f) other: The ransomware incident also showcases a behavior where the attackers plant their ransomware payload on target machines across the victim's systems using stolen certificates to make it look more legitimate. They also disable antivirus software on target machines before running their encryption code, making antivirus measures ineffective against the infections [81836].