{"id":12994,"date":"2019-03-19T23:21:19","date_gmt":"2019-03-19T19:21:19","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/hydro-attacked-by-ransomware\/12994\/"},"modified":"2019-11-15T15:22:24","modified_gmt":"2019-11-15T11:22:24","slug":"hydro-attacked-by-ransomware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/hydro-attacked-by-ransomware\/12994\/","title":{"rendered":"Aluminum giant Hydro hit by ransomware"},"content":{"rendered":"<p>During the last several years we have described multiple incidents with ransomware targeting organizations such as <a href=\"https:\/\/www.kaspersky.com\/blog\/locky-ransomware\/11667\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">hospitals<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/mamba-hddcryptor-ransomware\/13539\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">municipal transit<\/a>, or even <a href=\"https:\/\/www.kaspersky.com\/blog\/north-carolina-ransomware\/20475\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">government computers for an entire county<\/a>. Then came the age of the wipers, with epidemics of <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-for-b2b\/16544\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">WannaCry<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ExPetr<\/a>, and <a href=\"https:\/\/www.kaspersky.com\/blog\/bad-rabbit-ransomware\/19887\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Bad Rabbit<\/a> spreading through the world and ruining operations for numerous businesses.<\/p>\n<p>Fortunately, we saw no events at that scale during the past 12 months, but that\u2019s not because malefactors gave up. 
On March 19, Norwegian aluminum production giant Hydro announced that it was hit with ransomware that affected the whole company.<\/p>\n<h2>The attack on Hydro: What happened<\/h2>\n<p>Hydro\u2019s security team first noticed some unusual activity on the company\u2019s servers at midnight, the spokesperson for Hydro said during the press conference. They saw that the infection was spreading and tried to contain it. They succeeded only partially; by the time they isolated the plants, their global network was infected. Hydro didn\u2019t comment on the number of computers affected, but with 35,000 people working for the company, that number is probably rather big.<\/p>\n<p>Hydro\u2019s team is working 24\/7 to mitigate the incident, and they have achieved at least partial success. The power plants were not affected at all because they were isolated from the main network \u2014 which is a best practice for critical infrastructure. But the smelting plants were not isolated; during recent years they became significantly more automated than before. So some of the smelting plants located in Norway were hit, and the team managed to make some of them fully operational, although in a slower, semimanual mode. Still, as Hydro <a href=\"https:\/\/www.facebook.com\/pg\/norskhydroasa\/posts\/?ref=page_internal\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">says<\/a>, \u201clack of ability to connect to the production systems caused production challenges and temporary stoppage at several plants.\u201d<\/p>\n<p>Despite its very large scale, the attack didn\u2019t destroy Hydro\u2019s operations completely. Although Windows machines were encrypted and rendered useless, the phones and tablets not based on Windows continued to work, which gave employees the ability to communicate and respond to business needs. The expensive critical infrastructure such as baths for aluminum production, which cost about \u20ac10 million each, do not seem to have been affected by the attack. 
The security incident caused no safety problems \u2014 no people were harmed because of the attack. And Hydro actually hopes that everything that was affected can be restored from backups.<\/p>\n<h3>Analysis: Rights and wrongs<\/h3>\n<p>Hydro probably has a long way to go before restoring its operations completely, and even investigating the incident will take a lot more time and effort both from Hydro and from the Norwegian authorities. As of now, there is no consensus on what ransomware was used for the attack or who initiated it.<\/p>\n<p>The authorities say they have multiple hypotheses. One of them is that Hydro was attacked by LockerGoga ransomware, which Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-lockergoga-ransomware-allegedly-used-in-altran-attack\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">describes<\/a> as \u201cslow\u201d (our analysts agree with that description) and \u201csloppy,\u201d adding that it makes \u201cno effort to evade detection.\u201d The ransom note didn\u2019t mention the exact sum that the malefactors wanted to decrypt the computers, but instead contained an address for the victims to contact.<\/p>\n<p>Although analysis of the incident is not yet complete, we can already discuss what Hydro did right and wrong both before and during the incident.<\/p>\n<p><strong>Done right:<\/strong><\/p>\n<ol>\n<li>The power plants were isolated from the main network, which is why they were not affected.<\/li>\n<li>The security team managed to isolate the smelting plants rather quickly, which allowed them to continue running (most in a semimanual mode).<\/li>\n<li>Employees could continue to communicate normally even after the incident, which means that the communication server was probably protected well enough and not affected by the infection.<\/li>\n<li>Hydro has backups that should enable it to restore the encrypted data and continue operations.<\/li>\n<li>Hydro has cyberinsurance that 
should cover some of the costs arising from the incident.<\/li>\n<\/ol>\n<p><strong>Done wrong:<\/strong><\/p>\n<ol>\n<li>The network was probably not segmented properly, or else it would\u2019ve been significantly easier to stop the ransomware from spreading and contain the attack.<\/li>\n<li>The security solution employed by Hydro was not robust enough to catch the ransomware (despite being relatively new, LockerGoga is well known, for example, to <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Security<\/a> as Trojan-Ransom.Win32.Crypgen.afbf).<\/li>\n<li>The security solution could\u2019ve been complemented with antiransomware software such as our free <a href=\"https:\/\/me-en.kaspersky.com\/blog\/kaspersky-anti-ransomware-tool-for-business\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=me-en_KB_nv0092&amp;utm_content=link&amp;utm_term=me-en_kdaily_organic_1drobvqxak929hs\" target=\"_blank\" rel=\"noopener\">Kaspersky Anti-Ransomware Tool<\/a>, which can be installed alongside other security solutions and is capable of protecting the system from all kinds of ransomware, miners, and some other nasties.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Industrial Norwegian giant Hydro hit by ransomware \u2014 security incident 
analysis.<\/p>\n","protected":false},"author":675,"featured_media":12995,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[724,1201,433],"class_list":{"0":"post-12994","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-critical-infrastructure","10":"tag-cryptors","11":"tag-ransomware"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hydro-attacked-by-ransomware\/12994\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hydro-attacked-by-ransomware\/15429\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hydro-attacked-by-ransomware\/17373\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hydro-attacked-by-ransomware\/15522\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hydro-attacked-by-ransomware\/14211\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hydro-attacked-by-ransomware\/18059\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hydro-attacked-by-ransomware\/17052\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hydro-attacked-by-ransomware\/22421\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hydro-attacked-by-ransomware\/5803\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hydro-attacked-by-ransomware\/26028\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hydro-attacked-by-ransomware\/11536\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hydro-attacked-by-ransomware\/11603\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hydro-attacked-by-ransomware\/10489\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hydro-attacked-by-ransomware\/18804\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hydro-att
acked-by-ransomware\/22817\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/hydro-attacked-by-ransomware\/23880\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hydro-attacked-by-ransomware\/18119\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hydro-attacked-by-ransomware\/22304\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hydro-attacked-by-ransomware\/22236\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12994"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12994\/revisions"}],"predecessor-version":[{"id":14485,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12994\/revisions\/14485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12995"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}