Hydro working hard to recover following ransomware attack

Company says it will not pay ransom to extortionists.
               


More details have emerged regarding the cyber attack that has this week severely impacted operations at Norsk Hydro, one of the world’s largest producers of aluminium, and a major producer of hydroelectric power in Norway.

The company has confirmed that it was a victim of a ransomware attack, which saw computer files encrypted and their means of decryption withheld unless the extortionists receive payment in Bitcoin. Effectively, infected organisations are locked out of their data.

Lockergoga locked files

Hydro’s entire global network was taken down by the attack. The company’s US factories were amongst those affected, as well as smelting plants in Norway. However, other facilities - including the firm’s power plants - are functioning normally.

The Norwegian National Security Authority (NSM) has said that the relatively new LockerGoga ransomware was to blame for the incident. Norway’s National Cyber Security Center (NorCERT) is believed to have warned the country’s public agencies about the attack, in an attempt to prevent the further spread of the malware.

Unlike many other families of ransomware, LockerGoga appears to be used only in a limited fashion, with specific organisations being targeted for attack. For that reason, it doesn’t have its own mechanism for spreading throughout an organisation.

That makes LockerGoga different from other hard-hitting ransomware such as WannaCry or NotPetya, which cared little about the organisations they infected. For LockerGoga to be successfully deployed inside a targeted organisation, it needs to already have admin rights.

NorCERT has said that the ransomware attack was combined with an attack against the firm’s Active Directory, which may have been used to spread the LockerGoga ransomware throughout the organisation.

Security expert Kevin Beaumont has tweeted that the attack bears similarities to one which hit French engineering firm Altran Technologies earlier this year.

You can’t help but get the feeling that this was a highly-organised extortion attempt against Hydro.

Lockergoga message

At a news conference, Hydro’s finance director Eivind Kallevik said that the company would not pay the extortionists:

“We have good back-up routines. Our main strategy is to reinstall data from the back-up systems.”

As we’ve discussed before, you don’t want to find yourself in the position of having to pay the criminals behind a ransomware attack.

Build your defences and segment your network to reduce the chances of an attack successfully entering your organisation, and ensure that you have secure, working backups of your critical data so you can get back up and running as soon as possible if an incident does occur.

According to a Reuters report, Hydro is beginning to restart some of its operations today but says “it is still (too) early to estimate the exact operational and financial impact.”
