[BreachExchange] Norsk Hydro May Have Lost $40M in First Week After Cyberattack

Destry Winant destry at riskbasedsecurity.com
Thu Mar 28 00:11:41 EDT 2019


Norwegian aluminum giant Norsk Hydro estimates that it may have lost
more than $40 million in the first week following the ransomware
attack that disrupted its operations.

In an update shared on Tuesday, the company said it’s too soon to
provide precise information on the financial impact resulting from the
cyberattack, but a rough estimate puts losses at between 300-350
million Norwegian crowns ($35 - $41 million). A majority of that
amount represents losses in the Extruded Solutions area, which has
been hit the hardest.

“Hydro has a solid cyber risk insurance policy with recognized
insurers, with global insurer AIG as lead,” the company stated.

On Tuesday, Hydro reported a production rate of 70-80% in Extruded
Solutions, including Extrusion Europe, Extrusion North America and
Precision Tubing. However, the Building Systems unit is almost
completely shut down. On Friday, the Extruded Solutions unit had been
running at roughly 50% of normal capacity.

“Based on current progress the expectation is for Building Systems to
gradually ramp up production and shipments during the week,” the
company said.

Hydro believes it could take weeks to fully restore all impacted systems.

The organization’s systems were infected with a piece of
file-encrypting ransomware — believed to be a version of LockerGoga —
starting on March 18. The incident caused disruptions at several of
its plants, forcing workers to rely on manual processes.

The company believes it has cleaned up all infected servers and
computers, and says it has begun restoring data. Shortly after the
incident came to light, the firm indicated that it had good backups in
place and it did not intend on paying any ransom.

A few days after Hydro disclosed the breach, two major US-based
chemical companies, Hexion and Momentive, also reported being hit by a
cyberattack and it’s believed that the LockerGoga ransomware was
involved in these incidents as well. The chemical firms were less
transparent, but some reports claim the attack took place prior to the
Hydro incident and they were forced to replace hundreds of computers.

Researchers have been keeping a close eye on LockerGoga. Some have
found that the threat does not encrypt files if certain types of
Windows shortcut files are found in a specific folder. Others noticed
that some of the later versions logged users out of compromised
systems, which would have prevented victims from seeing the ransom

More information about the BreachExchange mailing list