Notes posted on a window at Norsk Hydro's headquarters in Norway on March 19, 2019.  Getty Images
One of the world's largest aluminum manufacturers has been hit by a serious ransomware attack that has knocked its worldwide network offline, stopped or disrupted plants, and sent IT workers scrambling to return operations to normal.
Norway-based Norsk Hydro said the malware first hit computers in the US on Monday night. By Tuesday morning the infection had spread to other parts of the company, which operates in 40 countries. Company officials responded by isolating plants to prevent further spread. Some plants were temporarily stopped, while others that had to keep running continuously were switched to manual operation wherever possible. The company's 35,000 employees were told to shut down their computers but were allowed to use phones and tablets to check email.
"Let me be clear: the situation for Norsk Hydro through this is quite serious," CFO Eivind Kallevik said during a press conference on Tuesday. "The entire worldwide network is down, which affects both production and office operations. We are working hard to contain and resolve this situation and to ensure the safety of our employees. Our main priority now is to ensure safe operations and limit operational and financial consequences."
According to Kevin Beaumont, an independent researcher who was citing local media reports, the ransomware that infected Norsk Hydro is known as LockerGoga. Beaumont said LockerGoga does not rely on network traffic, the domain name system, or command-and-control servers, properties that let it slip past many network defenses, since there is no beaconing or lookup for a firewall, proxy, or DNS sinkhole to block or alert on. An independent research group calling itself MalwareHunterTeam pointed to a LockerGoga sample uploaded to VirusTotal from Norway on Tuesday morning. When the file was first scanned, it was detected by only 17 of 67 major AV engines, although detections increased as awareness of the Norsk Hydro infection grew. The malware had also been digitally signed with a code-signing certificate issued by the certificate authority Sectigo; the certificate was revoked at an unknown time.
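The detail that the sample carried a Sectigo-issued signature that was later revoked is worth a routine check during triage. The following PowerShell snippet is an added example, not code from the article or from any of the researchers it cites: it hashes a suspect binary (so the hash can be compared against a VirusTotal record), reads its Authenticode signature, and then builds the certificate chain with online revocation checking turned on. The path in `$Path` is a placeholder assumption.

```powershell
# Added example (not from the article). Triage a suspect Windows binary:
# hash it, read its Authenticode signature, and check the signer's certificate
# for revocation explicitly. $Path is an assumed placeholder; point it at the sample.
param([string]$Path = 'C:\quarantine\sample.exe')

$sig  = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate

# Summary of what the OS thinks about the signature. Status alone is not a
# verdict on the file: a valid signature only says who bought the certificate.
[pscustomobject]@{
    File       = $Path
    SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer     = $cert.Subject
    Issuer     = $cert.Issuer
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    Timestamp  = $sig.TimeStamperCertificate.Subject
}

# Explicit revocation check against the issuer's CRL/OCSP. If the signature carries
# a trusted timestamp and the CA's revocation date is later than the signing time,
# Windows still treats the signature as Valid, so query the chain directly rather
# than relying on Status. Requires outbound access to the CA's revocation endpoints.
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    $chain.ChainStatus | Select-Object Status, StatusInformation
}
```

If the chain reports `Revoked`, record the revocation reason and date alongside the sample hash; if it reports `RevocationStatusUnknown` or `OfflineRevocation`, the check could not reach the CA and should not be read as a clean result.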
A text file dropped alongside the malware contained the following:
"There was a significant flaw in the security system of your company. You should be grateful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun.
Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder, it is impossible to recover the data. Attempting to recover your data with third-party software such as Photorec, RannohDecryptor, etc. will cause irreversible data corruption."
The note went on to offer decryption of up to three files chosen by the reader as proof that the claim was genuine. It also demanded a ransom of an unspecified amount, to be paid in bitcoin.
During Tuesday's press conference, an official from the Norwegian National Security Authority stopped short of confirming that Norsk Hydro was infected by LockerGoga, saying only that it was "one of the theories." LockerGoga may have been used two months earlier to infect the systems of the French engineering consultancy Altran, Bleeping Computer reported.
Norsk Hydro shares moved about 0.7 percent after the infection was reported. Aluminum futures on the London Metal Exchange rose in line with other metals, Bloomberg News reported.
While Kallevik, Hydro's CFO, said the majority of the company's plants were operating normally, he said the network outage prevented the plants from receiving new orders from customers. He said losses so far were "minimal" but acknowledged they would grow over time if automated systems were not restored. Kallevik could not give a timetable for how long it would take to clean the network.
He said the company's IT teams were working to remove the ransomware from infected systems. Once that is done, the teams plan to restore lost data from the company's backup systems, which Kallevik described as "good." Asked by a reporter whether the company would rule out paying the ransom, the CFO said "the main strategy is to use backup."