Update about this that came out Friday:
I was wrong that the systems were up and running at the time I posted this thread. As of Friday, their systems were still down (except their website), but they know they can fix it from backup; they just want to do it in a controlled manner to make sure they don't do anything wrong, and also make sure it can be analyzed. So it takes time. It's probably also a lot of machines affected.
(I am probably quoting more than I usually would, but it's in Norwegian, and because the news site is basically government-owned and doesn't do ads anyway, it is probably fine; if not, just say so and I can edit.)
So far, there seems to be no evidence that the virus has the ability to spread to other networks on its own, as the well-known virus WannaCry could.
The code in the virus had valid security certificates, which may cause the system to let it in. These have now been withdrawn. It also does not use network traffic.
The virus is said to have a function that makes it "sleep" at least 100 times before it starts. That makes it harder to capture for programs that are supposed to detect such viruses.
So basically, no antivirus knew how to detect and stop it yet.
It was not designed to steal information.
Rik Ferguson, vice president of the security department at Trend Micro, says he does not know of LockerGoga attacks against anyone other than Hydro and Altran.
- "We are far from knowing where it comes from. There remains a lot of work, and tracking is always the hardest thing to do," he says.
Ferguson describes the virus as very precise. It requires access to an administrator account, which the hackers may have acquired in several ways. Typical methods are emails with attachments or links that install the virus if the recipient opens them.
The attack on Hydro was combined with an attack on Active Directory, Microsoft's directory service for user and machine administration.
"The attackers know what they are doing. This is well-organized extortion," Beaumont writes.
He also pointed out that the message from the hackers is very similar to the one that came with the Ryuk virus, although the viruses are different. The people behind that virus, according to Forbes, have cashed out $4 million in ransom.
The traces of Ryuk are said to point to Russia and former Soviet states, but no one has been able to identify the hackers.
That doesn't mean it has to be the same people; it could just be someone with access to the Ryuk code who took it and edited it, but who knows.
Some speculated that the main goal was not to get Hydro to pay, but to affect their stock price and make money off it that way, but who knows. Hydro's stock wasn't actually affected as much as it could have been if Hydro had been hit harder...
I wish no one ever paid the ransom and everyone had a system that meant they didn't need to, but sadly that's not the case and probably never will be.