Ransomware causes operation meltdown at Norsk Hydro

A corporate-sized ransomware infection has hit Norsk Hydro, a global aluminum producer, causing an operation meltdown, crippling company infrastructure, and leading to paper notes being taped on company doors that people should not connect their devices to the company. The infection has been attributed by some industry sources to LockerGoga, a relatively new strain of ransomware that had a valid certificate – but was derided by some analysts as slow and easy to detect.

There will be more issues

The company is continuing to sort out how big the ransomware’s impact will be on their operations. Operations around the globe have been isolated and switched to manual controls. As of Wednesday, 20 March, the company reported on Facebook that the biggest impact was on their extruded product lines and cited “production challenges.” As publicly traded company, Norsk Hydro does have a responsibility to report on issues impacting production, sales, and profitability. The attack led to an immediate drop in the company’s share price but the price has since largely recovered from the meltdown.

Recovery favors the prepared

Company management in Oslo, Norway have described the situation as severe. However, CFO Eivind Kallevik has said that good backup solutions and routines were already in place before the infection took place. Their strategy is to rely on these processes to restore all operations and not pay the ransom.

How did LockerGoga get in there?

In an earlier LockerGoga attack on the French Altran Technologies, it is believed that the ransomware was distributed via a spear-phishing attack – with an employee being the weak link in the company defenses. On the technical side, LockerGoga did have a valid certificate – which would help it avoid suspicion – and a low detection rate on VirusTotal. Both Altran and Norsk Hydo have been quiet over the malware distribution theories.

Made in the EU

Early conjecture has LockerGoga pinned as malware made within the EU – not a nasty nation-state sponsored production such as Petya or Stuxnet. That would likely prevent Norske Hydro from claiming the attack was an act of war. The ransom note sent to victims  indicates their target is the corporate market and also offers to decrypt several files as a quality test ahead of a larger ransom payment. Tests by Bleeping Computer found that the ransomware was very slow – but in the case of Norsk Hydro – still functional enough.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.