Throwback Attack: Norsk Hydro gets hit by LockerGoga ransomware


To pay or not to pay: It’s an essential and fraught question when it comes to ransomware attacks. When multinational aluminum manufacturer Norsk Hydro was hit with a cyberattack in 2019, they chose not to pay in a response hailed by law enforcement organizations and the information security industry as the “gold standard,” according to a BBC report. Still, the company suffered serious consequences from the breach, which is believed to have cost around $75 million to remediate.

Members of the Oslo, Norway-based company awoke on March 19, 2019, to discover they were the victim of a cyberattack of unknown origin. What investigators would soon identify as the LockerGoga ransomware had infiltrated Norsk Hydro’s computer systems and encrypted files across company functions. Shortly thereafter, the manufacturer released a statement on the attack, offering the security industry a peek into its scope.

“On March 19, 2019, Hydro was hit by an extensive cyber-attack. The attack affected our entire global organization, with the business area Extruded Solutions having suffered the most significant operational challenges and financial losses. Hydro’s other business areas – Bauxite & Alumina, Primary Metal, Rolled Products and Energy – were able to produce close to normal despite the attack, although based on work-intensive workarounds and manual procedures.”

As one of the largest aluminum producers on the planet, Norsk Hydro knew taking systems offline would cause a huge disruption. They worked around the clock to resolve the situation as quickly as possible, but they were still forced to close plants and move others to manual operations.

“All PCs and servers across the company were reviewed, cleaned for any malware and safely restored, according to strict guidelines to ensure security and safety,” read the company statement. “Encrypted PCs and servers were rebuilt based on back-ups. We have reorganized our security team to better detect and respond to cyber incidents.”

Despite a quick response from Norsk Hydro, the damage was extensive. The LockerGoga ransomware had compromised information technology (IT) systems and impacted all company employees — more than 35,000 — across the 40 countries in which the aluminum giant had operations. A ransom note appeared on the screens of affected terminals demanding payment in bitcoins.

“Greetings!” the note began. “There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms. … Without our special decoder it is impossible to restore the data.”

By the time of this attack, major companies had become familiar with ransomware, thanks to variants like WannaCry and NotPetya, but LockerGoga was something different. While those malware strains encrypted files and demanded money, LockerGoga crippled the entire enterprise, forcing Norsk Hydro to shift some of its plant operations back to manual procedures to fill orders. Employees figuratively went back in time, from doing their jobs on computers to using pen and paper. Some retired employees, who were familiar with doing the work manually, even volunteered to return to their jobs to keep things running.

Norsk Hydro benefitted from being a mature company with strong cybersecurity practices, which actually made them a questionable target for hackers. In a white paper on the subject, industrial cybersecurity company Dragos posited the LockerGoga attack could have been primarily designed as a disrupter, as opposed to seeking a real payout from the company. Dragos said this attack “provides a blueprint for malicious entities to weaponize ransomware variants for disruptive purposes.”

While it’s still unclear how hackers gained access to the company’s network, researchers believe they already had the target’s credentials at the beginning of the intrusion. Wired did a deep dive into LockerGoga shortly after the Norsk Hydro attack in 2019, in which they explained how the malware works.

“After they obtain a network’s highest privilege ‘domain admin’ credentials, they use Microsoft’s Active Directory management tools to plant their ransomware payload on target machines across the victim’s systems,” Andy Greenberg wrote in Wired. “That code … is signed with stolen certificates that make it look more legitimate. And before running their encryption code, the hackers use a ‘task kill’ command on target machines to disable their antivirus. … LockerGoga then rapidly encrypts the computer’s files.”

According to the same article, once the files are encrypted, LockerGoga then “disables the computer’s network adapter to disconnect it from the network, changes the user and admin passwords on the computer, and logs the machine off.” By this point, victims can no longer see the ransom message and might not even realize they’ve been hit with ransomware.
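
For defenders, the sequence described above (security tool killed, passwords changed, network adapter disabled, logoff) is more telling as a cluster on one host than as individual events. The following is an added example, not taken from the article or its sources, that correlates those behaviours per host in process-creation logs. The log format, the command-line patterns, the placeholder `exampleav.exe`/`exampleedr.exe` watchlist and the ten-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Placeholder names (assumption): replace with your own AV/EDR process names.
SECURITY_PROCESSES = {"exampleav.exe", "exampleedr.exe"}

# Assumed renderings of the described behaviours as Windows command lines.
STAGES = {
    "password_change": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+[^/\s]\S*"),
    "adapter_disable": re.compile(r"\bnetsh(\.exe)?\b.*\binterface\b.*\bdisabled?\b"),
    "logoff": re.compile(r"\blogoff(\.exe)?\b"),
}

def classify(cmdline):
    """Return the behaviour stage a command line matches, or None."""
    low = cmdline.lower()
    if re.search(r"\btaskkill(\.exe)?\b", low):
        # Only count taskkill when it targets a watched security process.
        m = re.search(r"/im\s+(\S+)", low)
        hit = m and m.group(1).strip('"') in SECURITY_PROCESSES
        return "kill_security_tool" if hit else None
    for stage, rx in STAGES.items():
        if rx.search(low):
            return stage
    return None

def detect(lines, window=timedelta(minutes=10), min_stages=3):
    """Map host -> stages for hosts with >= min_stages distinct stages in one window."""
    per_host = {}
    for line in lines:
        ts, host, cmd = line.split(" ", 2)  # constructed format: time host cmdline
        stage = classify(cmd)
        if stage:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - start <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample events, not real incident data.
SAMPLE = [
    "2024-01-01T03:00:05 HOST-A taskkill /F /IM exampleav.exe",
    "2024-01-01T03:01:40 HOST-A net user localadmin <redacted>",
    '2024-01-01T03:01:55 HOST-A netsh interface set interface "Ethernet" admin=disable',
    "2024-01-01T03:02:00 HOST-A logoff",
    "2024-01-01T09:15:00 HOST-B net user bob <redacted>",   # helpdesk reset
    "2024-01-01T09:20:00 HOST-B taskkill /IM notepad.exe",  # not a security tool
    "2024-01-01T08:00:00 HOST-C taskkill /F /IM exampleav.exe",
    "2024-01-01T16:00:00 HOST-C logoff",                    # hours apart
]
```

Only HOST-A is flagged in the sample; a lone password reset or a logoff hours after a process kill does not reach the threshold.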

The things that really set this attack apart were Norsk Hydro’s refusal to pay the ransom and their transparency throughout the process. Major companies that suffer a cyberattack are often tight-lipped about what is happening in an attempt to contain the damage to their operations and reputation. But Norsk Hydro immediately alerted Norwegian and international authorities and enlisted internal and external help. Senior staff held regular webcasts where they answered questions; executives held daily press conferences; the company posted updates on Facebook; and Norsk Hydro welcomed journalists into their control rooms.

The LockerGoga ransomware also impacted Altran Technologies, a French engineering consultancy, and U.S. chemical manufacturing firms Hexion and Momentive.



