Recently a Norwegian aluminium and renewable energy company
called Norsk Hydro suffered a ransomware attack that paralysed parts of its
operations, and a full recovery of IT systems will take weeks or more. The
financial impact during the first week was estimated at $41m. Fortunately
Norsk Hydro has a cyber policy.
The ransomware strain, known as LockerGoga, is quite interesting because a new
attack technique was used: the malware doesn't self-replicate or use external
command and control (C2) servers, which makes it much less 'noisy' and therefore
harder to detect in the early stages.
What appears to have happened is that the attackers managed to get domain
administrator access (essentially the equivalent of the master key to an entire
building), distributed the malware to every machine from the domain
controller, and then triggered it on all devices simultaneously, using each
computer's full processing power to speed up the encryption (minutes, not hours).
This is definitely a shift in ransomware attacks, with the attackers taking
time to target large manufacturing organisations and spending time in the
target's network preparing the attack to make sure it is as crippling as
possible. It appears at this stage that Norsk isn't paying the ransom and does
have backups. It also appears that they have standalone cyber cover,
including business interruption (BI) cover.
What's also interesting is that the malware is signed. This means the software
carries a legitimate digital signature (comparable to the SSL certificates you see
on websites), which in most cases means Windows and most
anti-virus software will assume it's not malicious and let it run.
There appears to be a big gap here, in that malicious actors now seem to be able
to obtain legitimate code-signing certificates easily.
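A defender's check that follows from the signing point above, added here as an example and not code from the original post: a PowerShell script that walks a folder and lists signed executables whose publisher is not on an allowlist. The allowlist ($ExpectedSigners) and the folder path are assumed placeholders to replace with your own; the point is that a "Valid" signature status only says the certificate chains to a trusted root, not that the publisher should be running code on your machines.

```powershell
# Added example (not from the original post). Lists executables whose
# Authenticode signature is Valid but whose signer is not an expected publisher.
# $Path and $ExpectedSigners are assumed placeholders; adjust for your estate.
param(
    [string]$Path = 'C:\Users\Public',
    [string[]]$ExpectedSigners = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
)

function Test-ExpectedSigner {
    # True when the certificate subject starts with one of the allowed prefixes.
    param([string]$Subject, [string[]]$Allowed)
    foreach ($a in $Allowed) { if ($Subject -like "$a*") { return $true } }
    return $false
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = ''
        $thumb   = ''
        if ($sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            $thumb   = $sig.SignerCertificate.Thumbprint
        }
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $subject
            Thumbprint = $thumb
            Expected   = Test-ExpectedSigner -Subject $subject -Allowed $ExpectedSigners
        }
    } |
    # Signed and trusted by Windows, yet from a publisher you did not expect:
    # exactly the case a signed ransomware binary falls into.
    Where-Object { $_.Status -eq 'Valid' -and -not $_.Expected } |
    Format-Table -AutoSize
```

The Thumbprint column is what you would feed into an application-control or AV blocklist if an unexpected publisher turns out to be malicious.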
Brand Management
Norsk Hydro needs to be congratulated for their great response. They have
been very open with staff, press and customers, and seeing their share
price go up is remarkable. They are also an Office 365 customer, so
that service kept running for them, which must have made life much easier.
Spare a thought for the CEO, who started the day before the attack!
Key Points
This attack highlights a few key issues for brokers: