What We Can Learn from the Ransomware Attack That Crippled Norsk Hydro

Cryptojacking may be the hot new trend in large-scale cybercrime, but ransomware is still alive and well.

Maria Korolov

March 25, 2019

4 Min Read
Melting plant

Ransomware is so 2017, right? Hackers have moved onto cryptojacking, which offers faster and more reliable revenue streams.

Not so fast, say cybersecurity experts. Data center managers should still worry about ransomware, because attackers keep innovating to evade defenses, and because the risk of damage is extremely high.

There's been an increase in targeted ransomware attacks this past year, Justin Warner, director of applied threat research at Gigamon, said. "Anyone responsible for the security and operations of IT assets needs to be prepared for the possibility of destructive attacks, as they affect companies of all sizes and all industries.”

Last Tuesday’s major ransomware attack on Norsk Hydro is a case in point. The Oslo-based company is one of the world’s largest aluminum producers.

Office IT systems and factory equipment management systems went down. The company had to switch to manual smelter operations, which slowed or stopped production.

On the day of the attack, when employees came to work they saw hand-written notes on the front doors, warning them not to connect any devices to the Hydro company network.

"Posting handwritten notes at building entrances warning against connecting to the corporate network is perhaps the worst nightmare for IT," Mark Sangster, VP and industry security strategist at eSentire, an Ontario-based cybersecurity firm, said.

Related:Ransomware Grows Up, Goes After Data Centers

The company said Friday it had found the root of the problem and was in the process of restoring infected systems from backups. Its operations continued suffering into this week. Its major extruded solutions division, for example, was at 50 percent of capacity Friday, with the company saying it expected it to get up to 60 percent by Monday.

"Hydro still does not have the full overview of the timeline towards normal operations, and it is still too early to estimate the exact operational and financial impact," the company said in a statement.

That's the thing about ransomware – it does damage. The more damage it does, the more likely people are to pay a ransom to the attackers.

"We’ve left the age of transactional crime, and now live in one of targeted, sometimes vindictive strikes seeking large sums of money," Sangster said.

Cryptojacking, by comparison, is designed to be as stealthy as possible. Yes, it will cost data centers money in terms of additional energy costs or higher bills from cloud computing providers, but it's in the attackers' interest to keep the hit modest, so the malware doesn't get shut down.

The malware that hit the aluminum processor is reportedly called LockerGoga. It appeared in January.

"We don’t yet have all the details, but one point that seems clear is that this attack leveraged the organization’s own infrastructure, in this case Active Directory and Group Policy, to help itself spread," Darren Mar-Elia, head of product at Semperis, a New York-based cybersecurity vendor, said.

That's different from how ransomware typically spreads and would have made it more difficult to detect. But there are still steps companies can take to minimize risk from such attacks.

"We know that the attackers gained Domain Admins access on Active Directory in order to use that infrastructure to spread," Mar-Elia said. "Hardening your infrastructure using a least privilege approach can help tremendously."

The incident also underscores the need to keep critical systems isolated from one another, Barak Perelman, CEO at Indegy, a New York-based cybersecurity firm, said.

That's especially important for industrial control systems (ICS) – not only those used by manufacturers like Norsk Hydro, but also data center management systems. "Many ICS devices are end-of-life, so vendors do not issue patches for them," he said. "Meanwhile, restoring ICS systems from backups is often not possible, since logs and backups don't exist."

Data centers should be particularly wary of ransomware, not only because of its damage potential but also because data centers can be particularly attractive targets for ransomware attackers, Bill Siegel, co-founder and CEO at Coveware, a Westport, Connecticut-based ransomware response company.

"From the outside, a data center appears to be a very large organization given the amount of servers in the network," he said. "It is not uncommon for a ransomware threat actor to think a small data center is actually a very large company" and set the ransom size accordingly.

"In cases like this, it is not uncommon for the ransomware threat actor to refuse to negotiate to a level the data center can afford," he added. "Permanent data loss can occur if no backups are available."

Read more about:


About the Author(s)

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.


Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like