Ransomware Forces Aluminum Manufacturing Giant to Shut Down Network Worldwide

Norwegian giant Norsk Hydro was forced to shut down its internal network after some of its computers in the United States were hit by ransomware.

Mar 19 2019, 4:33pm

Hackers forced one of the largest producers of aluminum to shut down its network worldwide, switch to manual operations, and use only tablets and cellphones for its internal communications.

Around midnight local time, the Norwegian manufacturer Norsk Hydro said it detected a ransomware attack that started in one of its American plants.

“The entire worldwide network is down affecting our production as well as our office operations,” Hydro’s chief financial officer Eivind Kallevik said during a press conference on Tuesday.

Employees working for Hydro were asked not to connect to the internal Wi-Fi and not to turn on any devices connected to the network, as seen in a photograph of a notice posted at the entrance of the company’s headquarters, taken by Reuters.

Kallevik said the company was still using computers in certain parts of its operations, and said it was “impossible” to tell if all computers were off given that Hydro has 35,000 people in 40 different countries.

“We still continue to operate mail systems through tablets and telephones, so it’s still possible to work in 2019 mode for many parts of our operation,” he said.

When contacted via email, a Norsk Hydro spokesperson referred us to the press conference.

At this point, neither Hydro nor the Norwegian National Security Authority (NNSA), which is helping the company deal with the attack, has identified the particular strain of ransomware that caused havoc. Multiple reports, however, point the finger at LockerGoga, a relatively new type of ransomware that is also alleged to have hit the French company Altran Technologies last month. During the press conference, a representative from NNSA said LockerGoga is one of the hypotheses the agency is looking at.

MalwareHunterTeam, an independent group of researchers that studies malware, found a sample of LockerGoga on VirusTotal, an online repository of malware. The sample was uploaded from Norway on Tuesday, according to VirusTotal data.

In another sample of LockerGoga, from March, the malware displays a message similar to that of other ransomware, warning the victim that files are encrypted and that only the hackers who made the malware can decrypt them.

“You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun,” the message reads, according to a screenshot of it posted by MalwareHunterTeam. “We exclusively have decryption software for your situation [...] The payment has to be made in Bitcoins. The final price depends on how fast you contact us.”

The message does not mention a specific price, but instead asks the company to contact two email addresses. At the time of publication, the people behind those emails had not responded to a message from Motherboard.

Asked whether they plan to pay the ransom, Kallevik said that the plan is to restore the data from backups. He also said the hackers did not mention a specific sum of money.

The attack led to an increase in aluminum prices to a three-month high, according to Reuters.
