Police investigate Norsk Hydro ransomware attack

Norwegian aluminium producer Norsk Hydro says production is continuing as normal due to manual workarounds as the company prepares to restart affected IT systems.

The company said it was trying to be as transparent as possible, but admitted it still did not have all the answers regarding the ransomware attack that was detected in the early hours of Tuesday 19 March.

“Yesterday was a hectic day for all of us and there was considerable uncertainty throughout our global organisation about how this malware could impact our people, business and customers,” Norsk Hydro’s chief financial officer, Eivind Kallevik, told a news conference in Oslo.

He congratulated the company’s 35,000 employees, spread across 40 countries and five different business areas, for responding to the attack with “extreme” professionalism, speed and determination, and thanked the “relevant authorities” for their support.

The ransomware attack is under investigation by Norway’s national police investigation service, said Kallevik.

As a result, he said he was unable to answer any questions about the attack, such as the potential threat actors behind it, the country of origin, how long the threat actors had been inside the network before they were detected, and what systems had been accessed.

A day after the attack, Kallevik said the company did not yet have a fixed timeline on restoring all of its IT systems, but he said progress had been made overnight, including identifying a signature for the ransomware to enable the clean-up process to begin.

Kallevik said the company planned to get some of the affected systems running again in the course of the day to extract customer data and orders to continue deliveries as normal.

He reiterated that Norsk Hydro’s recovery strategy was to remove the ransomware from all affected systems and restore data from its backup systems.

Kallevik said several cyber security companies were supporting the investigation and recovery process, and while it was too early to assess the financial impact of the attack, he said there was no indication yet that Norsk Hydro was losing business as deliveries continued according to schedule.

Asked about cyber insurance, he said the company had a “good and strong” cyber insurance policy in place with “reputable international insurance firms” that covered business interruptions.

Kallevik did not provide any details of the ransomware, but the Norwegian National Security Authority (NSM) identified it as LockerGoga, which was linked to an attack on French engineering consultancy Altran Technologies in January, according to Reuters.

There were no signs of similar attacks on other Norwegian companies or public institutions, according to NorCERT, a unit of the NSM handling cyber attacks, which described the attack on Norsk Hydro as an “isolated event”.

LockerGoga is able to encrypt 19 common file types, including files with extensions like .doc, .dot, .docx, .xlm, .ppt, .pps and .pdf, and once done, all targeted files are encrypted with the extension .locked, according to Nozomi Networks Labs, which has analysed the ransomware.

At the end of the encryption phase, researchers said a file called README-NOW.txt is dropped inside the filesystem. The text informs recipients that their data has been encrypted.

The message claims that a special decoder is required to restore the data and warns that any attempts to use third-party software to do so will lead to “irreversible destruction” of the data.

The message goes on to provide links for the ransomware victims to use to find out how much they are required to pay in bitcoins for the decryption tool.

According to researchers, LockerGoga is not able to spread itself to other targets, which has sparked speculation that the attacker must have had physical access to Norsk Hydro’s IT systems.

“It seems to implement some anti-analysis techniques to hide itself from analysts. For example, it seems to detect the presence of a virtual machine and have the capability to delete itself from the filesystem trying to avoid the sample collection,” said the Nozomi researchers.

Due to the absence of custom and complex capabilities such as command and control servers and beaconing, the researchers said the aim of LockerGoga appears to be disruption and not espionage.