Norsk Hydro, a Norwegian energy and aluminium producer, has been hit by a ransomware attack that has shut down its global network. In addition, all installations have been shut down or disrupted. According to researcher Kevin Beaumont, the malware is LockerGoga, a ransomware that does not depend on network traffic, the domain name system or command-and-control servers, Ars Technica reports.

This independence makes it possible for LockerGoga to bypass many network defences. Computers in the US were the first to be affected on Monday evening, but other parts of the company in more than forty countries were soon affected as well. Norsk Hydro immediately stopped production where possible or switched to manual mode. All of the more than 35,000 employees were instructed to keep their computers switched off and, if necessary, to continue their work via their phones or tablets.

The situation for Norsk Hydro is therefore quite serious. "The entire global network has failed, affecting both our manufacturing and office operations. We work hard to control and resolve this situation and to ensure the safety and security of our employees. Our main priority now is to ensure safe operations and to limit the operational and financial impact," says Eivind Kallevik, CFO of Norsk Hydro.

Ransom note

The criminals responsible left a note with their attack:

There was a significant failure in your company’s security system. You should be grateful that the mistake was exploited by serious people and not by a few rookies. They would have accidentally or for pleasure damaged all your data. Your files are encrypted using the most powerful military algorithms, RSA4096 and AES-256. Without our special decoder, it’s impossible to recover that data. Attempts to recover your data using third-party software, such as Photorec and RannohDecryptor, will result in irreversible destruction of your data.

The hackers also offered to decrypt files and asked for an unknown amount in bitcoin.

Norsk Hydro states that the majority of its plants are operating normally, but the closure of the network means that new orders cannot be accepted. For now, the losses are minimal, but they may increase if the automated systems are not restored quickly. IT teams are reportedly working on removing the ransomware, after which any lost data is to be recovered using enterprise backup systems.

It is not known how long this operation will take, but Norsk Hydro is reportedly refusing to pay the ransom. Norsk Hydro's share price fell about 0.7 percent after the infection became known. The Norwegian National Safety Authority does not confirm that Norsk Hydro is infected by LockerGoga, but does mention it as one of the theories. The same ransomware may have been used two months ago to shut down systems at the French engineering firm Altran, according to Bleeping Computer.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.