Norsk Hydro

Norsk Hydro, the Norwegian aluminium and renewable-energy company, was hit by the LockerGoga ransomware on Monday night into Tuesday morning, with the encryption running across the company's global IT estate and producing operational disruption across smelter, extrusion, and rolled-products operations in multiple countries (Norsk Hydro press conference, March 19 and continuing public updates). The company has chosen to refuse to pay the ransom, to disclose openly throughout the response, and to operate the affected business units on manual control where possible while the IT recovery proceeds in parallel. The transparency of the response is, by 2019 incident-disclosure standards, exemplary.

The technical content. LockerGoga is a ransomware family that has been active since approximately late 2018, with previous attributed targets including the engineering firm Altran in February. The malware encrypts files on infected hosts, demands a ransom in Bitcoin, and has, on the public analysis, an unusual destructive sub-feature: in some samples it disables the affected user's Windows account, which removes the affected user's ability to interact with the host even after the encryption is complete. The propagation mechanism is, on the public information, manual rather than automated — the attackers gain initial access (mechanism varies by case, with credential compromise being the common pattern) and then deploy the encryption manually across the targeted estate using legitimate Windows administrative tools. The pattern is consistent with the targeted-rather-than-mass-spread ransomware shift that I noted in the January opening post.
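The two host-side behaviours described above, bulk encryption of files and disabling of the logged-in user's account, are the indicators a detection engineer would look for. The following is an added example, not code from the original post or from any vendor's detection content: a small Python detector that runs over a constructed, synthetic event stream and flags hosts where many files are renamed to a new extension within a short window, where a user account is disabled, or both. The event schema, the threshold and window values, the host and user names, and the `EXAMPLE_LOCKED` extension are all assumptions made for the example; they are not LockerGoga's real extension or any published detection rule.

```python
"""Toy detector for two LockerGoga-style host indicators:
bulk file renames to a new extension, and disabling of a user account.
All sample data is constructed; schema and thresholds are assumptions."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RENAME_THRESHOLD = 20            # assumed tuning value, not from any published rule
WINDOW = timedelta(seconds=60)   # assumed sliding-window length
PLACEHOLDER_EXT = "EXAMPLE_LOCKED"  # placeholder, NOT the real ransomware extension


def build_sample_events():
    """Construct a small synthetic event stream (not real telemetry)."""
    base = datetime(2019, 3, 19, 1, 0, 0)
    events = []
    # ws-101: 30 renames in under a minute, then the user's account is disabled
    for i in range(30):
        events.append({"ts": base + timedelta(seconds=i), "host": "ws-101",
                       "type": "file_rename",
                       "path": f"C:\\Users\\alice\\doc{i}.docx",
                       "new_path": f"C:\\Users\\alice\\doc{i}.docx.{PLACEHOLDER_EXT}"})
    events.append({"ts": base + timedelta(seconds=45), "host": "ws-101",
                   "type": "account_disabled", "user": "alice"})
    # ws-202: a handful of ordinary renames spread over ten minutes (benign)
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=2 * i), "host": "ws-202",
                       "type": "file_rename",
                       "path": f"C:\\Users\\bob\\draft{i}.txt",
                       "new_path": f"C:\\Users\\bob\\draft{i}.md"})
    # ws-303: an account disabled with no encryption activity (e.g. a leaver process)
    events.append({"ts": base + timedelta(minutes=5), "host": "ws-303",
                   "type": "account_disabled", "user": "carol"})
    return events


def _ext(path):
    """Lower-cased final extension of a Windows path, or '' if none."""
    name = ntpath.basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def extension_changed(old_path, new_path):
    """True when a rename changes the file's extension (encryption-style rename)."""
    return _ext(old_path) != _ext(new_path)


def bulk_rename_hosts(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {host: window_start} for hosts with >= threshold extension-changing
    renames inside any sliding window of the given length."""
    times_by_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and extension_changed(e["path"], e["new_path"]):
            times_by_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = times[start]
                break
    return flagged


def account_disable_hosts(events):
    """Return {host: user} for hosts where a user account was disabled."""
    return {e["host"]: e["user"] for e in events if e["type"] == "account_disabled"}


def assess(events):
    """Combine both indicators per host and assign a coarse severity."""
    bulk = bulk_rename_hosts(events)
    disabled = account_disable_hosts(events)
    verdicts = {}
    for host in set(bulk) | set(disabled):
        indicators = [name for name, hit in (("bulk_rename", host in bulk),
                                             ("account_disabled", host in disabled)) if hit]
        if len(indicators) == 2:
            severity = "high"      # encryption burst plus lock-out of the user
        elif "bulk_rename" in indicators:
            severity = "medium"    # encryption-like burst, user still has access
        else:
            severity = "low"       # account disable alone is often legitimate admin work
        verdicts[host] = {"severity": severity, "indicators": indicators}
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(assess(build_sample_events()).items()):
        print(host, verdict)
```

In real telemetry the `account_disabled` event would be sourced from the Windows Security log (event ID 4725, "A user account was disabled") and the rename events from an EDR or Sysmon feed; the threshold and window need tuning against each estate's normal file activity, since build systems and backup jobs also rename files in bursts. The point of the combined scoring is that either indicator alone produces noise, while the two together on one host within a minute are much harder to explain benignly.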

For the operational handling, the Norsk Hydro response has been, on the public reporting, structurally sound. The IT incident response team has been working with NorCERT, with KPMG, and with Microsoft DART. The operational continuity teams have managed manual control of the smelter and extrusion operations — aluminium smelter operations in particular cannot be stopped without substantial damage, so the manual-control posture is operationally significant. The communications have been clear, frequent, and substantive, with daily press conferences and detailed customer-facing updates. The decision to refuse the ransom is the right decision and is consistent with the broader principle that ransom payments fund continued operations and produce no guarantee of decryption; the customer-organisation conversations I am having this week have all included Norsk Hydro as the worked example of how to handle the no-ransom decision in a way that preserves the company's operational and reputational position.

The cost will be substantial. Norsk Hydro's preliminary estimate of the financial impact is in the $40-55 million range for the first quarter of 2019, with the expectation that the full-year impact will exceed that figure. The cyber-insurance recovery is expected to cover a substantial fraction of the cost. The operational disruption to customers — Norsk Hydro is a substantial supplier in the global aluminium supply chain and the manufacturing customers downstream are seeing delivery-schedule disruption — has secondary cost implications across the value chain. The aggregate cost is substantial in the way that targeted ransomware cost has been substantial throughout 2018 and is going to continue to be through 2019.

For the customer briefings, the Norsk Hydro case is going to be a reference for the rest of the year. Three things about it. First, the no-ransom posture is operationally feasible if the recovery infrastructure is in place and the executive leadership is prepared for the cost. The customer-organisation business-continuity-planning conversations need to incorporate the worked example. Second, the transparency posture has commercial advantages — Norsk Hydro's share price has held up substantially better than would have been expected for an incident of this scale, and the public reporting attributes this to the market rewarding the transparency rather than penalising it. Third, the operational-technology / information-technology boundary is the part of the architecture that gets stressed in incidents of this nature; Norsk Hydro's ability to fall back to manual control was the critical operational capability, and it is the kind of resilience that needs to be planned, exercised, and maintained.

For the manufacturer in our portfolio, the Norsk Hydro case has produced a substantive board-level conversation about OT/IT segmentation and manual-control fallback that has, frankly, been overdue for two years. The conversation is now happening; the Q2 customer-engagement work is going to include OT-resilience as an explicit programme component, separately from the GDPR-driven IT-side data-protection work. The two programmes are complementary and the customer-organisation funding for both is more readily available with the Norsk Hydro case in the press.

I will return to this as the Norsk Hydro recovery proceeds. The transparency posture means that there will be ongoing public detail to learn from.
