Norwegian aluminium company Norsk Hydro today revealed it had been hit by a severe ransomware attack that knocked out its worldwide computer network and has forced it to use manual processes for some operations.
“Let me be clear, the situation for Hydro is quite severe,” Norsk Hydro’s chief financial officer Eivind Kallevik said at a press conference today, confirming it had been infected with file-encrypting ransomware that spread globally via an initial infection within its US operations.
“The entire worldwide network is down, affecting our production as well as our office operations. We are working hard to contain and solve the situation and to ensure safety and security of our employees.”
The company said the attack was noticed around midnight in Norway, Central European Time.
Norsk Hydro is one of the world’s largest aluminium suppliers, with around 35,000 employees in 40 countries.
The company cannot currently connect to production systems within its extruded solutions business, which caused stoppages at several plants.
The Hydro Extruded Solutions business is a significant part of the company with 100 production sites in 40 countries. The unit supplies aluminium-based components to businesses in electronics, automotive, construction, engineering and other industries.
The company has isolated its plants from its worldwide IT network in a bid to stop the ransomware spreading between plants and is now on a hunt to identify and find a “cure” for the malware.
The Norwegian National Security Authority, Norway’s lead agency on cybersecurity, said it was investigating whether the ransomware known as LockerGoga was the source of the infection.
Asked whether Hydro was considering paying a ransom, Kallevik said the company has “good backup solutions” and that these were the main method by which it was now seeking to restore IT systems.
As of today, financial losses are minimal but as the situation goes on there will be an impact, according to Kallevik.
He said the company today has handled customer orders by printing out lists, but noted it ultimately needed to restore IT systems to access customer orders. Employees are still able to use smartphones and tablets to communicate over email.
A report from Norwegian national radio broadcaster NRK quotes a NorCERT alert to businesses today that Norsk Hydro was infected by LockerGoga.
As noted by BleepingComputer, the relatively new LockerGoga ransomware is believed to have been used in an attack in January on French engineering firm Altran Technologies.
The Norwegian National Security Authority confirmed to Reuters that Norsk Hydro had been infected with LockerGoga.
As per Motherboard, researchers at the group MalwareHunterTeam found a LockerGoga sample on VirusTotal that was uploaded on Tuesday, a day after it spread through Norsk Hydro's IT network. The ransom note says the price in Bitcoin of its "exclusive" decryption software "depends on how fast you contact us."
Hydro has taped a paper note on its front door warning employees not to connect any devices to the Hydro network.