Norwegian aluminum manufacturing giant Norsk Hydro said it is making progress in securing its IT systems after a new strain of ransomware forced it to shut down several automated product lines and switch smelters to manual production processes.
According to Bloomberg News, the company said it “still does not have the full overview of the timeline towards normal operations, and it’s still too early to estimate the exact operational and financial impact.”
“Progress has been made, with the expectation to restart certain systems,” the company said. This will “allow for continued deliveries to customers.”
The attack, which began early Tuesday morning, is believed to have started in the U.S. In response, the company shut down its global IT network. Norsk Hydro is restoring systems from back-up data. It has refused to pay any ransom.
According to a report on security vendor Kaspersky’s web site, Hydro told reporters its security team first noticed some unusual activity on the company’s servers at midnight. They saw that the infection was spreading and tried to contain it. They succeeded only partially; by the time they isolated the plants, their global network was infected.
The company’s power plants were not affected at all because they were isolated from the main network. However, smelting plants were not isolated, so some in Norway were hit. Hydro has managed to make some of them fully operational, although in semi-manual mode. But, Hydro said, “lack of ability to connect to the production systems caused production challenges and temporary stoppage at several plants.”
According to security reporter Graham Cluley, the Norwegian National Security Authority (NSM) said the company was infected with the relatively new LockerGoga ransomware.
A typical LockerGoga victim would see a message like this on their screens:
There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.
The message then asks the victim to send a few files for decryption, presumably to prove the attacker can do it. The final price for decrypting all files, the message warns, depends on how fast the attacker is contacted.
In a research note, Cisco Systems’ Talos threat intelligence service said LockerGoga has been seen in two versions: one is similar to other ransomware in scrambling files and asking for money. The other forcibly logs the victim off of the infected systems and removes their ability to log back in. As a result, in many cases the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands. Talos calls these versions destructive ransomware.
Barak Perelman, CEO of industrial security vendor Indegy, said in a statement that so far there is no evidence Norsk Hydro was specifically targeted. “It is safe to assume that this was a generic ransomware type of attack similar to WannaCry.”
“This incident illustrates the risks associated with connecting industrial control system environments to IT networks and/or the internet. The two main problems have to do with patching and recovery of OT (operational technology) systems. Many ICS devices are end of life, so vendors do not issue patches for them. Therefore, they cannot be patched against known vulnerabilities. Second, many operators have not invested in security and monitoring tools. This makes it difficult to detect attacks until it’s too late. Meanwhile, restoring ICS systems from backups is often not possible since logs and back-ups don’t exist. Without tools that provide visibility and security controls across both IT and OT environments, nuisance attacks like this one are difficult to defend against and can cause material damages to operations.”
Phil Neray, vice-president of industrial cybersecurity at industrial security vendor CyberX, said in a statement that manufacturing companies are an obvious target for ransomware because downtime is measured in millions of dollars per day. That means some CEOs are eager to pay. “Plus the security of industrial networks has been neglected for years,” he added, “so malware spreads quickly from infected employee computers in a single office to manufacturing plants in all other countries. These attacks are especially serious for metal or chemical manufacturers because of the risk of serious safety and environmental incidents, and the bottom-line impact from spoilage of in-process materials and clean-up costs.”