What We Know About the Norsk Hydro Ransomware Attack

As of today, Norsk Hydro has lost over $40m after a ransomware attack crippled systems and brought production to a halt. Norsk Hydro is one of the preeminent producers and suppliers of aluminum, so a cyberattack on its network has massive implications for its customers. From delayed timelines for construction projects to setbacks in aerospace manufacturing, the ripple effect of the attack is being felt worldwide.

The ransomware identified in the attack is LockerGoga, and Norsk Hydro is not its first victim. It’s a particularly complicated form of ransomware that has hit other industrial and manufacturing targets in the past year, hinting that this attack was probably specifically targeting Norsk Hydro. Researchers are calling recent strains of LockerGoga “particularly disruptive, shutting down computers entirely, locking out their users, and rendering it difficult for victims to even pay the ransom.”[1] Experts say that in Norsk Hydro’s case, LockerGoga may have had the ability to disable the infected computer’s network adapter to disconnect it from the network, change the user and admin passwords on the computer, and log the machine off.[1]

It is not clear how LockerGoga first breached Norsk Hydro’s systems, but similar attacks have commonly been launched through targeted phishing, where sending ransomware directly is most effective. Because this ransomware is known to have stolen digital signatures attached to it, we know that detection-based solutions would have been bypassed.

Norsk Hydro is not paying the ransom. With their systems encrypted and signs on their doors warning people not to join their network from mobile devices,[1] Norsk Hydro is standing strong against their attackers. At last report they are back to a production rate of 70-80% of normal, but not without a major cost to their organization, including a 1.9% dip in their stock price.[2]

For Norsk Hydro, solace now comes from the fact that they have what they are calling a solid “cyber risk insurance policy”. However solid they appear, cyber risk insurance policies have failed to pay out on these types of attacks in the past, as in the case of NotPetya. While cyber risk insurance policies are great in concept, it is disappointing that they have become necessary. It indicates that our security solutions are still far from secure. We have a lot of work to do as an industry.

It’s time to stop seeing these attacks happen. Security professionals are beginning to demand more out of their cybersecurity solutions, because something clearly isn’t working. If we want to stop breaches, we need to think differently. It is time to stop trusting outside code and move toward a policy of zero-trust. If we continue to selectively allow outside code to enter our endpoints, we leave the door open to vulnerabilities that can be exploited. Let’s close the door, together.

[1] Greenberg, Andy. “A Guide to LockerGoga, the Ransomware Crippling Industrial Firms.” Wired. Conde Nast, March 25, 2019.

[2] Adomaitis, Nerijus. “Norsk Hydro’s Initial Loss from Cyber Attack May Exceed $40 Million.” Reuters. Thomson Reuters, March 26, 2019.

Kim Thomson

Manager - Product Marketing