Norwegian metals and energy giant Norsk Hydro, one of the world’s biggest aluminum producers, has been hit by a ransomware attack that has impacted operations, forcing the company to resort to manual processes.
In a press conference on Tuesday, Norsk Hydro representatives revealed that the attack, which they described as extensive, started on Monday at around midnight, Norway time, when the company’s security team noticed some unusual activity on its global network. They said the ransomware is designed to encrypt files, but they have yet to determine exactly which malware family it belongs to.
Norway’s national CERT, NorCERT, reported that the attack was powered by a relatively new piece of ransomware named LockerGoga and that it may have also involved an attack on the company’s Active Directory system. NorCERT has warned other Norwegian companies about the attack.
LockerGoga is believed to have been used earlier this year in an attack aimed at French engineering consultancy Altran Technologies.
The Norwegian National Security Authority, whose representatives took part in the Norsk Hydro press conference, said the ransomware could be LockerGoga, but they are currently looking at several possible culprits.
MalwareHunterTeam researchers reported seeing a LockerGoga sample being uploaded to VirusTotal from Norway on Tuesday, and they believe it’s “probably” the one used in the Hydro attack.
Adam Meyers, VP of Intelligence at CrowdStrike, also reported that a new sample of LockerGoga was recently uploaded to a public malware repository.
“While details of the Norsk Hydro incident are still developing, CrowdStrike Intelligence has been able to identify a new sample of the LockerGoga ransomware that was uploaded to a public malware repository in two ZIP files from an IP address based in Oslo, Norway,” Meyers said.
Norsk Hydro says it has recent backups that should help it restore encrypted files without the need to pay the ransom demanded by the attackers. The ransom amount has not been specified.
The ransom note typically dropped by LockerGoga does not specify any amount and instead instructs victims to contact the attackers via email for information on the price of the file decryption tool.