An aluminium and renewable energy company has suffered a sophisticated ransomware attack that paralysed parts of its operations.
A full recovery of IT systems will take weeks or more at Norwegian company Norsk Hydro. The financial impact in the first week alone was estimated at $41 million. Fortunately, Norsk Hydro has a cyber policy.
The ransomware strain, known as LockerGoga, used a new attack technique: the malware doesn’t self-replicate or use external command and control (C2) servers, so it is much less ‘noisy’ and therefore more difficult to detect in the early stages.
The attackers managed to get domain administrator access (essentially the equivalent of the master key to an entire building), distributed the malware to all machines from the domain controller, and triggered it on all devices simultaneously, using each computer’s full processing power to speed up the encryption (minutes, not hours).
It was definitely a shift in ransomware attacks, with the attackers taking time to target large manufacturing organisations, and spending time in the target’s network preparing the attack to ensure it was as crippling as possible. It appears Norsk is not paying the ransom and has backups. It also appears the company has standalone cyber cover, including business interruption (BI).
The malware was signed, which means the software had a legitimate digital signature (equivalent to SSL certificates on websites). That means, in most cases, Windows and anti-virus software would assume it was not malicious and let it run. There appears to be a big security gap, with malicious actors able to get legitimate certificates easily.
Brand management
Norsk Hydro needs to be congratulated for its great response. It has been open with staff, the media and customers, and to see the company’s share price go up is amazing. Norsk is an Office 365 customer so that service kept running, which must have made life easier.
Spare a thought for the CEO who started the day before the attack.
Key points
This attack highlights several key issues for brokers:
- New strains of sophisticated ransomware are being developed that get through anti-virus controls
- The financial impact of these attacks is high
- Cyber insurance is a critical element of a company’s risk management framework, especially BI cover, which tends to be one of the largest elements of cyber claims
- Openness and transparency with the media, the public and customers are crucial to limit financial and brand reputation impacts.
About Emergence
Emergence is a pioneer of cyber cover in Australia and provides protection for SMEs through to ASX-listed entities.
Emergence has won the Insurance Business Cyber Product of the Year award in three of the last four years, including 2018, and has been nominated for its 2019 Underwriting Agency of the Year award.
You can obtain Emergence cyber quotations for clients by accessing the broker portal. Email info@emergenceinsurance.com.au if you require access to the portal.
This blog is another cyber education initiative from Emergence.
Emergence always aims to keep you informed of the latest trends in cyber attacks.