
Resiliency Under Fire: Ransomware Attacks

Ransomware continues to inflict serious business interruption risks and damages, despite being among the easier threats for many companies to detect and remediate. A good example is the LockerGoga series of attacks based on ransomware that targets the systems of industrial firms. Hackers used LockerGoga in March to attack the network of Norsk Hydro, a Norwegian aluminum company that is the second-largest employer in Norway with global operations. Fortunately, Hydro may have been able to limit the impact of a potentially crippling attack because it had in place an effective incident response approach.

According to public information, alert assembly line employees working the night shift at a Hydro plant noticed some anomalies in their systems and notified their IT department. The production line immediately moved into backup mode – a response that may have been facilitated in part by the traditional “stop work” safety protocol commonly employed on production lines.

The company’s operations reportedly then shifted to its incident response plan, which in this case disabled some of the automated smelting operations and switched to manual operations while the company worked to repair the damage. Managers at local factories operated from pre-printed lists of orders to continue operations while the systems were down. Hydro’s experience reinforces the merits of having back-up procedures for keeping essential systems operational.

Hydro was also able to continue communicating internally because it had migrated its email systems to a cloud-based approach, which allowed employees to keep using smartphones and tablets during the attack. This was a marked contrast to the experience of several large companies hit by the NotPetya attacks in 2017, and to the experience of Sony when it was targeted by North Korean hackers.

Moreover, Hydro quickly involved law enforcement and brought in international experts. Further, the company publicly announced that it would not pay the ransom and was moving to restore affected systems from backups. In their ransom note, the hackers threatened to destroy the encrypted data unless the company paid them a ransom in Bitcoin, “depend[ing] on how fast you contact us.” Subsequently, the company disclosed it had incurred a cost of around $52 million, while acknowledging that the damage could have been far worse, given the size of the company and the amount of revenue produced daily by its operations. In addition, Hydro revealed that its robust cyber insurance policy would cover much, if not all, of the cost of the attack. As a relative measure, the NotPetya attacks in 2017 that hit several large public companies triggered business losses in the range of $300 million each for at least three companies.

LockerGoga utilizes a uniquely disruptive hacking approach, which shuts down computers entirely and locks out its users, making it difficult for victims to pay the required ransom, since they cannot even return to the system to view the ransom note. This is markedly different from typical ransomware, which encrypts some files on a machine but otherwise leaves it running. Since industrial firms generally have strong incentives to get up and running quickly, this chaotic disruption is crippling, costing the companies huge sums of money.

Investigators are uncertain how the ransomware infiltrated Hydro’s systems, though possibilities include stolen remote desktop credentials, phishing and attacking software that lacks critical security patches. Unlike other ransomware strains, LockerGoga does not have the capability to traverse a network laterally on its own, but most likely relies on hooking into Active Directory, a very traditional approach to internal network movement.

Security experts credit Hydro’s incident response plan with the company’s quick recovery from the attack. Moreover, Hydro’s transparency throughout the attack has drawn praise, including its daily webcasts and social media posts, along with a YouTube video keeping business partners and the media informed. Cybersecurity expert Kevin Beaumont called Hydro’s incident response plan “the best I have ever seen” and “a textbook example of how incident response should be done.”

Since the Hydro attack, LockerGoga continues to surface in other attacks, including against the networks of two U.S. chemical firms, leaving employees locked out of their computers and forcing the companies to procure hundreds of new computers. Companies should not only have a well-practiced response plan and team in place, but most importantly should ensure their backups are isolated from their main networks and are frequently tested to ensure they will work when needed. Too often, backups are found to be unreliable and incapable of restoring an impacted system – often only after an attack has destroyed the main systems.
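One way to make the “frequently tested” advice concrete, as an added example that is not part of the original article: a small Python check that records file digests when a backup set is written and later performs a trial restore into a scratch directory, flagging any file that is missing or no longer matches. All file names and contents below are constructed for the demonstration; the copy step stands in for whatever restore job a real environment uses.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large backup images are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> dict:
    """Record the digest of every file at backup time and store it with the set."""
    manifest = {str(p.relative_to(backup_dir)): sha256_of(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest))
    return manifest

def verify_restore(backup_dir: Path) -> dict:
    """Trial-restore into a scratch directory; 'ok' is False on any missing or altered file."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        restored = scratch / "restored"
        shutil.copytree(backup_dir, restored)  # stand-in for the real restore job
        missing = [n for n in manifest if not (restored / n).is_file()]
        corrupt = [n for n in manifest if n not in missing
                   and sha256_of(restored / n) != manifest[n]]
        return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)

def run_demo() -> tuple:
    """Constructed scenario: a clean set passes, then a silently damaged one fails."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    try:
        (root / "orders").mkdir()
        (root / "orders" / "plant-a.csv").write_text("order,qty\n1001,250\n")
        (root / "config.ini").write_text("[smelter]\nmode=auto\n")
        write_manifest(root)
        first = verify_restore(root)["ok"]
        (root / "config.ini").write_bytes(b"\x00" * 16)  # simulate bit rot or tampering
        second = verify_restore(root)
        return first, second["ok"], second["corrupt"]
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Running `run_demo()` returns `(True, False, ['config.ini'])`: the untouched set restores cleanly, and the damaged file is named rather than discovered only when the backup is needed.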

For guidance on responding to data breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Guillermo Christensen. Guillermo Christensen is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense & Investigations Groups who combines his experience as an attorney, a former CIA intelligence officer and a diplomat with the U.S. Department of State to shape and inform the advice he provides to clients on various enterprise risks involving cybersecurity and national security law.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
