Norsk Hydro hit by ransomware

Norsk Hydro is a Norwegian group that is one of the leaders in the production, refining, manufacturing and recycling of aluminum products. On March 19th, Norsk Hydro’s IT infrastructure suffered a cyber attack that impacted the company’s factories around the world. In order to complete the production orders, the company was forced to isolate each of its sites and switch to manual mode. According to the Norwegian National Security Authority (NNSA), the attack was caused by a ransomware called “LockerGoga”. IT security researcher Kevin Beaumont (@GossiTheDog on Twitter) said the attack could be recognized by:

  • The operating system of the infected machines is Windows
  • Files, including system files, have been encrypted
  • Network interfaces have been disabled on each system
  • The password for local user accounts has been changed

The March 26, 2019 article of the ANSSI (French National Agency for the Security of Information Systems) summarizes the technical operation of the LockerGoga ransomware. It was associated with the attacking group Grim Spider (name assigned by Crowdstrike). The similarities lie in the use of:

  • Two emails in the ransom request
  • Metasploit or Cobalt Strike to deploy a reverse shell
  • The PsExec tool for copying and running the ransomware

LockerGoga, an already known ransomware

It should be noted that Norsk Hydro used the Office 365 cloud solution to manage their email, which allowed employees to keep in touch using phones and tablets. This is the second ransomware campaign that uses LockerGoga. Altran was the first victim of this ransomware earlier this year. Recently, Cisco Talos did a study on this malware.

Unlike previous ransomware campaigns, this one is less sophisticated. For example, encryption is done file by file which is not very effective. The ransom request message does not contain any mention of the requested amount, only an email address to contact the attackers is indicated. Finally, the security team Malware Hunter Team found that the ransomware was not detected by several antiviruses on a sample that dates from early March as illustrated by the results of total viruses.

Norsk Hydro announced, one week after the infection, the potential cost of this attack. The amount is close to $40 million. In the most affected areas of the company, except for the “Building System” part, which is still at a standstill, production has returned to a rate of 70 to 80% and the systems are in a business recovery phase. Complete recovery of all systems is planned for a few weeks or more. The company also decided not to pay the ransom but is able to restore their data using recent backups.

A mastered crisis communication

Regarding the communication around the attack, Norsk Hydro has regularly shared the progress of the situation through several live interviews, messages on social networks, as well as via a temporary website. As a result, Norsk Hydro’s example is interesting in terms of communication following the incident. The company has managed security events internally while being able to reassure shareholders. The communication approach adopted by Norsk Hydro thus proves to be an interesting case study for business victims of cyberattacks. During the month of March, two other American companies in the field of chemistry (Hexion and Momentive) seem to have been victims of this ransomware. However, these companies did not manage the events with the same level of transparency displayed by Norsk Hydro. Thus, we do not know if their activities are back to normal.