Norsk Hydro Ransomware A Week Later: What Is The REAL Target?

No Gravatar

Going back to our previous blog on the ransomware attack that hit Norsk Hydro, in Norway, we’re hearing a bit more about the underlying piece of malware that was used in that attack, LockerGoga.  A brief article appeared yesterday on that outlined how ransomware is changing and why it is becoming more and more dangerous.

To begin with a bit of background, Ransomware is a nasty piece of malware whose mode of operation is to encrypt a user’s files until such time that the user pays the hacker a ransom to have their files “released” or unlocked.  At least that’s how it has worked in the past.  The LockerGoga malware has been changing as of late, with hackers more interested in targeting industrial and manufacturing complexes instead of going after a simple ransom.  Their intent is also becoming less clear, with less of a focus on making money on ransom and more of a focus on causing widespread damage.  

Attacks like that perpetrated on Norsk Hydro, caused an incredible amount of harm by taking away the factory’s ability to control their machinery, bringing manufacturing to a screeching halt.  In that attack, the monetary harm wasn’t limited to the company itself as it caused metal prices to spike on the London Metal Exchange because aluminum production from one of the world’s largest aluminum producers (Norsk) ground to a halt.  Extrapolating from this, hackers needn’t even bother with collecting a ransom from the attacked company anymore if the harm that they do can cause financial damage on the global markets!  Almost like a script from a movie; “hackers invest heavily in aluminum because they know a price spike (that THEY are about to cause) will net them big gains on the market”.

Here is what we know (a week later) from that attack:

  1. So far, the cost of this malware – and even though the company is back at 70 – 80% production – is NOK 300 – 350 MM or USD $40MM (see here).  Now this might not be much for a company that employs 36,000 people and has $18.47 billion in revenues; however, that represents 10% of their last year’s profit (which was $505m see here).  
  2. The impact to the industry is that the price of Aluminum went to a three-year high.   So now we have proof that such attacks can be more far-reaching and could have financial ramifications far beyond the ‘victim’.
  3. The malware’s starting infection itself is unknown though it seems to have come through RDP (which is a protocol commonly used by IoT/industrial applications for remote management).  Its goal is unknown – it started as ransomware asking to contact a certain e-mail address, but then it transformed into being ‘destructive-ware’, which, unlike typical ransomware behaviour, is wiping disks and forcing users off their machines.  Luckily, it does not use propagation techniques (YET!!!).   So, it seems it is trying to make recovery more difficult – See the very interesting ThreatPost article, which points out that the malware is now taking on “Wiper-like” characteristics; simply wiping out data instead of encrypting and requesting ransom. 

This new variant of LockerGoga, is proving that ransomware is now being weaponized; snatching all access from users, and not even allowing any way to pay a ransom.  Industrial operators affected by this malware are rendered completely powerless to control any of their machinery.  Having this much power is incredibly dangerous and the effects could be catastrophic.  If this were perpetrated on, say, a nuclear power plant, a water treatment plant or any industrial endeavour that provides essential services, this could cause some life and death situations.

As described in our earlier post, the industry’s current practice in defending against ransomware attacks is typically a routine update of antivirus software as well as regular backing up of essential files, securing email gateways and either separating critical data from network access, or at least protecting it.  Unfortunately, for most organizations, once a ransomware attack hits them, even if they have the appropriate back-ups, they will experience downtime (almost definitely!) as endpoints are re-imaged and data is restored from the back-ups.  The downtime becomes a scary thought in the instances where an essential service is affected.

Wedge again argues that for essential industries and services where even a small amount of downtime can be catastrophic, these organizations should instead contemplate implementing a “Detect and Block” mode of operation instead of the current “Detect and Remediate”.  If ransomware such as LockerGoga and its variants can be blocked in real-time, as it can with the use of the Wedge Advanced Malware Blocker, attacks like these can be a thing of the past, especially when variants of the ransomware are starting to take on a more malicious tone and are moving into the realm of simply wiping data instead of encrypting for ransom.  

As always, we offer the Wedge Advanced Malware Blocker FREE for 90 days.  If you are an organization who cannot afford the downtime faced in a typical ransomware attack, and could benefit from a solution that can detect and block all malware in real-time, please email our team at

About Wedge Chief Scientist

Husam Kinawi, Chief Scientist Dr. Kinawi has a PhD and MSc in Computer Science from the Universities of Calgary, Canada and London, UK. In 1997, he co-founded Mpower Technologies Inc., a wireless telecommunications software company. In 1999, Dr. Kinawi co-founded (NASDAQ: AIQT), a Boston-based e-Business applications firm. Dr. Kinawi has over seventeen years of research and development experience working with industry leaders such as Newbridge (Alcatel), Siemens, United Technologies, and Apple in the areas of distributed information systems, embedded applications and wireless Internet solutions. Dr. Kinawi has also spoken at several major conferences, published several research papers, and is the holder of several patents in the area of mobile and wireless devices.
This entry was posted in Industry News, Latest Security News and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Before you submit form:
Human test by Not Captcha