A dangerous ransomware attack has hit one of the world’s biggest aluminium producers. The Norsk Hydro plant in Norway was likely attacked by the so-called LockerGoga ransomware. The attack took place on Monday, March 18, and appears to be ongoing.
Details about the attack on Norsk Hydro
The attack was spotted by the IT staff of the company, with computer systems in most of its areas affected. It’s noteworthy that the LockerGoga ransomware previously hit a French engineering consulting company called Altran Technologies in January this year.
According to the official alert released by NorCERT, the intrusion also included an attack on Active Directory, which is utilized for authenticating and authorizing users and systems on a Windows domain type network.
In a press conference which took place on March 19, the director of NorCERT did not confirm LockerGoga as the culprit for the attack on Hydro. What the director did say is that an attack involving LockerGoga ransomware is a key theory.
During the same conference, Eivind Kallevik, Norsk Hydro's CFO, confirmed that the nature of the attack is indeed ransomware. He described the situation as “quite severe”. The good news is that the company has good backup solutions, and it plans to use them to restore its operations to normal instead of paying the ransom.
According to the BBC, a spokesperson said that digital systems at Hydro’s main smelting plants were programmed to ensure machinery worked efficiently. Nonetheless, the systems had to be turned off at some of the facilities.
“They are much more reliant today on computerised systems than they were some years ago,” the spokesperson added. “But they have the option of reverting back to methods that are not as computerised, so we are able to continue production.”
Normal operations were also halted at some metal extrusion plants, where aluminium is processed into products such as building facades.
How was the attack started? Cybersecurity expert Kevin Beaumont believes that if the LockerGoga ransomware had been used, it would likely have been deployed to Hydro’s systems manually by an attacker, the BBC reported.
More about the LockerGoga ransomware
LockerGoga ransomware encrypts the victim’s data and demands money in the form of a ransom payment to get it restored. Encrypted files get the .locked extension appended as a secondary extension, without any change to the original file name.
After encryption the ransomware typically creates a ransom note inside a text file named README-NOW.txt. The note reads the following:
There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.
Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore the data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.
will lead to irreversible destruction of your data.
To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).
We exclusively have decryption software for your situation
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.
To get information on the price of the decoder contact us at:
The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security
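The two artifacts described above (the .locked secondary extension appended to encrypted files and the README-NOW.txt ransom note) are the kind of on-disk indicators a responder would sweep for when triaging affected hosts. The script below is an added example written for this page, not code from the article or from any vendor: it walks a directory tree, separates ransom notes from encrypted files, recovers the original file name by stripping the secondary extension, and summarises what was hit by original file type. The sample tree it builds is constructed for the demonstration; the note name and extension are the only values taken from the article.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "README-NOW.txt"   # ransom note file name stated in the article
LOCKED_SUFFIX = ".locked"        # secondary extension appended to encrypted files


def original_name(path):
    """Return the original file name with the secondary .locked extension removed,
    or None if the file does not carry that extension."""
    name = Path(path).name
    if name.endswith(LOCKED_SUFFIX) and len(name) > len(LOCKED_SUFFIX):
        return name[:-len(LOCKED_SUFFIX)]
    return None


def sweep(root):
    """Walk `root` and collect ransom notes and .locked files.

    Returns a dict with counts, the full paths found, and a breakdown of
    encrypted files by their original extension (useful for scoping impact)."""
    locked = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                notes.append(full)
            elif original_name(fname) is not None:
                locked.append(full)
    by_original_ext = Counter(
        Path(original_name(p)).suffix.lower() or "<none>" for p in locked
    )
    return {
        "locked_count": len(locked),
        "note_count": len(notes),
        "locked": sorted(locked),
        "notes": sorted(notes),
        "by_original_ext": dict(by_original_ext),
    }


def build_sample_tree():
    """Constructed sample data: a temporary tree with two files carrying the
    secondary .locked extension, one ransom note, and one untouched file.
    Contents are placeholder bytes, not real encrypted data."""
    root = tempfile.mkdtemp(prefix="locked_sweep_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.docx.locked").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.locked").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("There was a significant flaw in the security system of your company.\n")
    (Path(root) / "notes.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = sweep(demo_root)
    print(f"ransom notes: {result['note_count']}, encrypted files: {result['locked_count']}")
    print("encrypted files by original type:", result["by_original_ext"])
    for p in result["locked"]:
        print(f"  {p}  ->  original name: {original_name(p)}")
```

The sweep only matches an exact note name and a trailing secondary extension, so renamed or partially written files are not reported; on a real host it would be run read-only against a mounted image, and the original-name mapping is what lets a backup-based restore (the approach Hydro chose) be checked file by file.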