LockerGoga attack on the French Altran Technologies, it is believed that the ransomware was distributed via a spear-phishing attack – with an employee being the weak link in the company's defenses. On the technical side, LockerGoga did have a valid certificate – which would help it avoid suspicion – and a low detection rate on VirusTotal. Both Altran and Norsk Hydro have been quiet about the malware distribution theories.
Early conjecture has LockerGoga pinned as malware made within the EU – not a nasty nation-state-sponsored production such as Petya or Stuxnet. That would likely prevent Norsk Hydro from claiming the attack was an act of war. The ransom note sent to victims indicates that the attackers' target is the corporate market, and it also offers to decrypt several files as a quality test ahead of a larger ransom payment. Tests by Bleeping Computer found that the ransomware was very slow but, in the case of Norsk Hydro, still functional enough.