Of all the cyber-security breaches a business can suffer, ransomware attacks are widely regarded as among the most damaging. In the worst cases they not only leave an entire company unable to function, but also leave it exposed to further, potentially devastating attacks. In March 2019, the aluminium producer Norsk Hydro experienced one such attack.
On March 18 and 19, 2019, the Norwegian aluminium producer Norsk Hydro discovered that it was the victim of a targeted ransomware attack. Its systems had been hit by LockerGoga, a relative newcomer to the ransomware scene and, according to reports, one of the most disruptive and damaging strains to appear in recent years.
LockerGoga’s modus operandi has proven difficult to pin down. Unlike much commodity malware, it has been aimed specifically at large industrial firms: the engineering consultancy Altran in January 2019, and the chemical companies Momentive and Hexion shortly after the Norsk Hydro attack.
It has also been a challenge to understand how this ransomware family gets into a network in the first place. Initial investigations pointed to phishing, but further investigation could not locate any phishing attempt. The malware has been described as “unusually disruptive” and “chaotic”, and preliminary reports suggested there could be more to it than extortion.
LockerGoga has experts concerned because it does not behave like typical ransomware. Most ransomware encrypts the victim’s files but leaves the machine usable, so that the victim can read the note and pay. LockerGoga’s aim appears to be total shutdown: it encrypts files and locks users out of the system entirely, making it nigh impossible even to read the ransom note, let alone pay.
This, of course, seems counter-intuitive: if the goal of ransomware is to extract money, why make it impossible for the victim to pay? Yet some affected victims have managed to pay and have had their systems restored, at massive cost. It remains unclear whether the goal is simply money or whether there are more destructive motives behind these attacks.
Worryingly, the malware’s behaviour itself indicates a highly targeted attack. LockerGoga is not self-propagating, which means someone deliberately and methodically compromised the company’s network and then deployed the ransomware for distribution across it. In addition, the attack took place just one day after the CEO took early retirement, leaving the company to deal with it without that level of leadership.
On the morning of March 19, after an attack that reportedly took place overnight, employees arriving at Norsk Hydro’s various plants and offices found printed signs warning them not to connect to the company’s systems. That, however, was only the surface sign that something was drastically wrong.
Throughout the course of that Tuesday, the business was effectively offline.
Fortunately, Norsk Hydro was able to switch its production systems to manual operation and continue producing both alumina and bauxite. Primary metal and rolled products, among other lines, could not be switched over as easily, and global operations in these areas were affected. Had aluminium smelting itself been halted, the effect on the business would have been far worse: if the electrolysis cells stop, the molten metal can solidify within a relatively short time and cause irreparable damage to the equipment.
Even so, despite continued alumina and bauxite production, the company was hit hard. It stated that first-quarter losses from the attack were in the order of US$35-42 million, and projected second-quarter losses at US$23-29 million. The company assured investors that it was covered against such losses by robust cyber insurance, but to date the claim has not been finalized; once it is, the company will release revised financial figures.
The response from Norsk Hydro
Norsk Hydro, in a bold move, refused to pay the ransom and chose instead to rely on its data backups and manual operations while tackling the attack head-on. For security reasons the company has not divulged every detail of the attack or of how it fought back, but it has indicated that it took over three weeks for production to return to almost normal.
The company’s response has been widely praised in the industry. Despite the lack of a CEO, the new CEO not being scheduled to take the reins until May 8, its public communications and internal handling of the attack were exemplary.
What we can learn
One of the most important lessons industry should take from this attack is how crucial it is to have effective, well-protected backups. Without them, Norsk Hydro could have been completely crippled, if not driven out of business. Thanks to up-to-date backups, the company was able to restore a degree of functionality within days and near-full function within a month. At the same time, its ability to switch operations to manual control saved it from even greater losses.
As noted above, LockerGoga is not self-propagating, so the ransomware had to be deployed by someone with administrator access, or with an administrator’s credentials. This highlights the importance of robust security for such accounts, including an awareness of password hygiene. For example, a 2019 analysis published by the UK’s National Cyber Security Centre found that 123456 appeared in 23.2 million breached accounts, followed by 123456789 (7.7 million), with qwerty and password each appearing in over 3 million.
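As an added illustration, not code from the original article or from Norsk Hydro, here is a minimal password screener in Python of the kind the NCSC figures argue for: it rejects candidates that match a breached-password blocklist (seeded here with the four passwords quoted above), including simple leet-speak and trailing-digit variants, and only then applies length and variety checks. The blocklist contents, the 12-character floor and the sample candidates are assumptions constructed for this example; a real deployment would load the full breached-password corpus or query a k-anonymity service.

```python
import re

# Constructed blocklist seeded with the four passwords named in the NCSC
# analysis above. A real deployment would load the full breached-password
# corpus (or query a k-anonymity service) instead of this tiny set.
BLOCKLIST = {"123456", "123456789", "qwerty", "password"}

# Assumption for this example: a 12-character floor, above the 8-character
# minimum NIST SP 800-63B requires for user-chosen passwords.
MIN_LENGTH = 12

# Reverse the most common "leet" substitutions so that P@ssw0rd is screened
# as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "!": "i"})


def _variants(pw: str) -> set:
    """Return the forms of pw that should be looked up in the blocklist."""
    low = pw.lower()
    forms = {low, low.translate(_LEET)}
    # Drop trailing digits/symbols: "Password1!" -> "password".
    stripped = re.sub(r"[^a-z]+$", "", low)
    if stripped:
        forms.add(stripped)
        forms.add(stripped.translate(_LEET))
    return forms


def screen_password(pw: str, blocklist=BLOCKLIST, min_length=MIN_LENGTH):
    """Return (accepted, reason).

    The blocklist is checked first so that a long but breached password is
    still rejected; length and variety checks come after.
    """
    if _variants(pw) & blocklist:
        return False, "on blocklist"
    if len(pw) < min_length:
        return False, "too short"
    if pw.isdigit():
        return False, "all digits"
    if len(set(pw.lower())) <= 2:
        return False, "too repetitive"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["123456", "Password1!", "P@ssw0rd", "111111111111",
                      "Tr0ub4dor&3", "correct horse battery"]:
        print(f"{candidate!r:25} -> {screen_password(candidate)}")
```

Checking the blocklist before the length rule matters: "Password1!" satisfies the usual complexity rules yet is trivially derived from an entry that appears in millions of breaches, which is exactly why both the NCSC and NIST now recommend screening against breached-password lists rather than relying on composition rules.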
Device protection is also critical. LockerGoga is quite new, and its construction means it is often missed by anti-virus and anti-malware software, but it is far from the only ransomware around, and as security vendors get to grips with it, detection will improve. That said, over 20% of connected devices reportedly have no anti-virus or anti-malware protection at all, and many of those connect to company networks daily. Ensuring that every device that can connect to your company’s network, even just to use the Wi-Fi, is protected against viruses and ransomware can improve security dramatically.