Norsk Hydro will not pay ransom demand and will restore from backups

Steel factory plant

After suffering a debilitating ransomware attack on Tuesday this week, aluminum producer Norsk Hydro is slowly starting to recover from the incident.

“Experts from Microsoft and other IT security partners have flown in to aid Hydro in taking all necessary actions in a systematic way to get business critical systems back in normal operation,” Jo De Vliegher, Head of Information Systems, said in a press release this week.

The company’s Chief Financial Officer (CFO), Eivind Kallevik, also said the company does not intend to pay the hackers’ ransom demand and has already started restoring its IT infrastructure from backups.

Overall, the incident has been described as disastrous by Hydro officials. The ransomware impacted Norsk Hydro’s production and office IT systems.

In the incident’s aftermath, systems that managed production equipment had their data encrypted and disconnected from the company’s network, preventing Norsk Hydro employees from managing factory equipment.

The company switched to manual operations, which didn’t impact production, but did slow down factory outputs and led to some temporary stoppages as employees figured out the best way to go about their work.

But the biggest impact was on Norsk Hydro’s office IT infrastructure. In two press conferences, held on Tuesday and Thursday, Kallevik said that not having access to customer orders was the biggest hurdle they had to deal with in keeping production lines going.

Plants in Europe and the US were the most impacted, Kallevik said, and especially the divisions producing extruded and rolled aluminum products. In these factories, employees had problems connecting to production equipment, according to a status update provided yesterday, and frequent stoppages and production line restarts occurred.

Norsk Hydro status

Norsk Hydro status

Imge: Norsk Hydro

The Norsk Hydro exec declined to provide in-depth details about the incident itself, citing an ongoing law enforcement investigation.

However, enough information has leaked onto the internet from other sources for some very plausible theories and explanations of what happened inside Norsk Hydro to appear –such as one from infosec expert Kevin Beaumont.

Based on ransomware samples uploaded on aggregated malware scanner service VirusTotal, and based on an analysis of the features found in the samples, the Norsk Hydro incident appears to have happened after hackers breached the company’s network and moved laterally until they gained access to an Active Directory server.

Beaumont says the LockerGoga ransomware lacks the self-propagating features found in WannaCry, NotPetya, or Bad Rabbit, and the only way so many Norsk Hydro plants could have been impacted at the same time was if hackers used the company’s central Active Directory server to push the ransomware to all of Norsk Hydro’s workstations at the same time.

The British researcher also noted that the LockerGoga ransomware was also coded to work very fast, utilizing “every CPU core and thread during encryption.”

“On an average system within a few minutes, it is toast,” he said in an analysis he published yesterday.

In addition, the ransomware also disabled network cards on all infected systems and changed the local admin account’s password. Both operations were done to prevent recovery operations, such as pushing out backups from a remote server to quickly recover infected systems.

Because of this, backups need to be deployed manually, by hand, to each affected PC.

The only thing Hydro employees could do after the ransomware was deployed was to use their local non-admin accounts to log into the infected workstation, where they’d see the LockerGoga ransom note opened on their screens.

LockerGoga ransom note

LockerGoga ransom note

Image: Kevin Beaumont

Beaumont’s (well documented) theory of what could have happened inside Hydro on that day can be somewhat confirmed by a security alert sent out by the Norway Computer Emergency Response Team (NorCERT) on the day of the incident, warning companies about attacks carried out via Active Directories with the LockerGoga ransomware.

Norsk Hydro marks the second major company infected by the LockerGoga ransomware after the malware was also found on the network of Altran Technologies, a French engineering consulting firm, in late January.

While most infosec experts are classifying the LockerGoga ransomware infection as a cybercrime-related incident, with crooks trying to extort money from a hacked company, there is also another theory slowly taking form.

That theory is based on a blog post by cyber-security firm Cisco Talos that highlighted some LockerGoga features are specific to wiper (destructive) malware, rather than ransomware. Some security researchers are now looking at the Norsk Hydro attack as a nation-state hacker group which noticed that it had been detected and decided to mask their presence by deploying LockerGoga on Hydro’s network, in an attempt to fool incident responders. However, this is only a theory, with no supporting evidence, which mainly took shape after another Norwegian company, cloud provider Visma, admitted last month of getting hacked by Chinese state hackers.

More ransomware coverage:

READ MORE HERE