News & Press: National News

How a ransomware attack cost one firm £45m

Thursday, June 27, 2019  
Share |

Joe Tidy | BBC

June 25, 2019

Female Norsk Hydro worker standing in front of aluminium tubes

NORSK HYDRO - Aluminium maker Norsk Hydro refused to pay ransomware hackers - many others pay up

When malicious hackers disable your business and demand a ransom, should you pay up? Many firms do out of desperation, turning to intermediaries to help broker the deal. But law enforcement says this just makes things worse.

Imagine the excitement when hackers gained a foothold in the computer system of Norsk Hydro, a global aluminium producer.

We don't know when it was, but it's likely that once inside they spent weeks exploring this group's IT systems, probing for more weaknesses.

When they eventually launched their ransomware attack, it was devastating - 22,000 computers were hit across 170 different sites in 40 different countries.

Huge aluminium plants hit by cyber-attack
Chief information officer Jo De Vliegher reopens the ransom note that appeared on computers all over the company. It read: "Your files have been encrypted with the strongest military algorithms... without our special decoder it is impossible to restore the data."

The entire workforce - 35,000 people - had to resort to pen and paper.

Production lines shaping molten metal were switched to manual functions, in some cases long-retired workers came back in to help colleagues run things "the old fashioned way".

In many cases though, production lines simply had to stop.

Imagine the hacker's anticipation as they waited to receive a reply to their ransom note. After all, every minute counts for a modern manufacturing powerhouse. They probably thought they could name their price.

But the reply never came. The hackers were never even asked how much money they wanted. Imagine the shock.

All that work. For nothing.

It's been more than three months since Norsk Hydro was attacked and they are still many months away from making a full recovery. It's so far cost them more than £45m.

But what they've lost in productivity and revenue, they've arguably gained in reputation.

The company's response is being described as "the gold standard" by law enforcement organisations and the information security industry. Not only did they refuse to pay the hackers but they've also been completely open and transparent with the outside world about what happened to them.

But there are many other companies and organisations who make the opposite choice, and evidence is growing that ransomware hackers are increasingly being paid off secretly by victims - and their insurance companies - looking for the easy way out.

"It's become a simple business case for many organisations to pay, and at this point it's a known secret that this is happening," says Josh Zelonis, cyber-security analyst at Forrester.

Secrecy surrounds the practice because organisations are concerned about the possibility of litigation and the damage to their reputations following an attack, says Mr Zelonis.

"And a lot of the time incident response companies are being brought in to broker the transaction with the adversaries themselves in order to ensure that the payment is made and recovery is possible," he says.

Sources in the information security industry have described multiple occasions when large, well-known companies have paid out thousands of pounds - in some cases hundreds of thousands - to hackers and not told the public or even shareholders.


FCFP Sponsors