DATAINSIDER

Digital Guardian's Blog

Global Aluminum Manufacturer Still Recovering From Ransomware Attack

by Chris Brook on Wednesday March 20, 2019


Norway's Norsk Hydro, the company ensnared in one of the week's biggest stories – a ransomware attack that crippled its systems – is still in the process of recovering.

The aluminium maker took a step in the right direction on Wednesday when it was able to bring its website back online, a day after the attack, and provide users with an update on the incident.

Until that point the company, which has a global presence but is largely based in Norway, was forced to issue updates on the attack via Facebook.

The company said Wednesday that in addition to its site being back online, its Energy plant and Bauxite and Alumina plants are running normally. Hydro's primary metal and rolled product production centers, however, are experiencing some challenges as a result of the cyberattack. The company's Extruded Solutions plants were also unable to connect to the production systems following the attack.

Specifically, some plants are experiencing difficulty stemming from an inability to connect to the company's production systems. In lieu of that connectivity, the company said it has gone to manual operations at its primary metal plants.

In a press conference on Wednesday the company's Chief Financial Officer Eivind Kallevik lauded the company's quick turnaround.

"I'm pleased to see that we are making progress, and I'm impressed to see how colleagues worldwide are working around the clock with dedication to resolve this demanding situation and ensure safe and sound operations," Kallevik said. "I would also like to compliment our external technical partners who have done an important job in supporting our efforts, and also relevant authorities, who handle the issue with the diligence it deserves."

In a disclosure to the Norwegian stock exchange, the company said there was no indication that plants outside of Norway were impacted by the attack. That statement conflicts with a report from Reuters, which earlier that day said that plants in Qatar and Brazil were affected and forced to operate manually.

The company, which called the attack "quite severe" on Tuesday, acknowledged the attack did force some of its plants, where metal is manufactured for cars and construction goods, to stop temporarily. After assessing the damage, the company says it isolated its plants and operations and switched to manual operations and procedures to mitigate further repercussions.

It's believed a relatively unknown strain of ransomware, LockerGoga, is responsible for the attack. NRK, a Norwegian government-owned radio and TV station, reported late Tuesday, citing NorCERT, that the ransomware was deployed by Active Directory. LockerGoga reportedly doesn't require a network connection or a command and control server. A sample of the malware was uploaded to VirusTotal by a user from Norway to very little anti-virus detection on Tuesday morning, perhaps indicating how it managed to

Kallevik declined to say LockerGoga was explicitly behind the attack on Tuesday.

The ransomware was last seen in January, when Altran Technologies, a French engineering consultancy, was purportedly hit by it. Altran, after contracting a third-party forensics team, said it didn't appear any of its clients had been affected by the ransomware and that no data was stolen or lost.

News of the attack first broke Tuesday morning after NRK relayed a message from the Norwegian National Centre for Cybersecurity that the company's IT systems were being held hostage.

A sign in the window at the company's headquarters that quickly went viral after the attack urged users not to connect devices to Hydro's network or to turn on any devices that are connected to the network.

The company told reporters at a press conference in Oslo on Tuesday that it intends to restore systems from back-up data and that it has a cyber insurance policy. Kallevik also said the company doesn't have any further details on who the attackers may be or what their ransom demands may be.

The company said at the time it was working to contain and neutralize the attack. It also said - and continues to maintain - that it's too early to know when things will get completely back to normal.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.