Fraud Management & Cybercrime , Incident & Breach Response , Managed Detection & Response (MDR)

Ransomware Attack Costs Norsk Hydro $40 Million - So Far

Norwegian Aluminum Maker Still Fighting LockerGoga Ransomware Attack
Ransomware Attack Costs Norsk Hydro $40 Million - So Far
Norsk Hydro's home page

Norsk Hydro reports that a March 18 ransomware attack has already cost the aluminum manufacturer more than 350 million Norwegian krone ($40 million), and the company continues to bring its systems back online.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

Those costs mostly reflect revenue losses, but they also include the cost of recovery and IT and security services, says Norsk Hydro, the second-largest employer in Norway that has operations around the world.

A little over a week after the ransomware attack was first reported, the majority of the company's manufacturing facilities and systems have returned to normal, although the firm's Extruded Solutions division is running at 70 percent to 80 percent of capacity, the company reported Tuesday. That division produces extruded and rolled aluminum products for the company. Most of the financial losses from the attack stem from the lack of production within that unit, which has facilities in several countries.

Norsk Hydro's four other divisions are running normally, although some require greater manual operations.

"A week later we are relieved to be able to confirm that we have mostly managed to maintain our operations, customer deliveries and other internal and external obligations," says CFO Eivind Kallevik. "Our global IT organizations, operators and support functions have done a tremendous job during this period. And through their impressive determination, ingenuity and experience, they found new and alternative ways to keep our wheels turning despite the impact on our IT capabilities."

Recovery Mode

Since that ransomware attack on March 18, Hydro's IT and security teams have isolated the malware to prevent it from spreading further, according to the company. At the same time, the company has been using its various back-up systems to recover data.

Hydro announced that it does not intend to pay the ransom.

While it remains early in the process, Kallevik notes that the $40 million cost estimate is likely to rise over the coming weeks, although not as rapidly as during the first week of recovery. The company has cyber insurance with AIG, he adds, but he didn't say whether the policy will cover lost revenue as well as the cost of cleaning up from the attack.

It's not yet clear whether the total costs of the attack will be comparable to some other recent ransomware incidents that targeted corporations.

For instance, Danish shipping company A.P. Møller - Maersk reported a loss of $200 million to $300 million following an attack linked to the NotPetya ransomware. Another victim of the NotPetya attack, U.K.-based Reckitt Benckiser, which makes household and pharmaceutical goods, reported a loss of approximately $129 million.

LockerGoga Suspected

Hydro apparently was hit by a relatively new strain of ransomware known as LockerGoga. Attackers can use a number of different methods to deliver the malware into a network, including using stolen remote desktop protocol credentials, brute-force methods, phishing emails or targeting an unpatched vulnerability, according to British security researcher Kevin Beaumont as well as other security researchers.

In the case of Hydro, the attackers appear to have used the company's Active Directory services to spread the ransomware through endpoints, according to Norway's Computer Emergency Response Team.

Since the beginning of the year, LockerGoga has been suspected in four attacks. The other attacks targeted French engineering firm Altran as well as a pair of chemical manufacturing facilities in the U.S.

In all four cases, LockerGoga was used as part of a targeted attack that focused on one company or enterprise as a victim, according to Beaumont and other security researchers. The ransomware does not work in the way that WannaCry or NotPetya spread from one infected system to another, and it could leap from business to business.

"Currently LockerGoga does not support any worm-like capabilities that would allow it to self-propagate by infecting additional hosts on a target network," according to Palo Alto Network's Unit 42, which has published an analysis of the ransomware. "We have observed LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer."

In another analysis, Cisco Talos researchers noted other anomalies with LockerGoga, including the fact that the threat actors behind the attack have not offered victims a specific bitcoin or Monero wallet where a ransom could be deposited, but instead asked to be contacted through an email address for instructions.

In addition, Cisco Talos pointed out that LockerGoga encrypts each file individually, which requires significant overhead.

Growing Level of Sophistication

Unit 42 researchers observe that whoever is behind LockerGoga appears to be adding new capabilities to the ransomware, including the ability to manipulate WS2_32.dll, a dynamically linked library in Windows that is used to handle network connections, as well as the use of undocumented Windows APIs. This shows a growing level of sophistication that may eventually lead to the ability to install command-and-control capabilities.

Unit 42 notes: "These features raise more questions about the actor's intent as ransomware is typically one of the least advanced forms of malware: Are they motivated by profits or something else? Has the motive change over time? Why would developers put such effort into their work only to partially encrypt files? Why do they include an email address and not seek payment through more frequently used cryptocurrencies?"

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.