Norsk Hydro ransomware losses estimated at $40m

Norsk Hydro claims it has entered the recovery stage despite predicting $40 million loss

Norwegian industrial giant Norsk Hydro has estimated the cost of last week's ransomware attack at $40 million.

The attack affected operations across the aluminium smelting company's entire business, resulting in production being halted and the firm forced to revert to manual processes.

In an update dated March 26, the company said it had entered the recovery stage with most operations running as normal. However, operations remain at a "standstill" in its building systems unit.

Hydro went on to say it is "gradually restoring IT systems in a safe and secure manner to ensure progress toward normal business" and is limiting the impact for people, operations, customers, suppliers and other partners".

Since reporting the cyber attack to Norway's National Investigation Service, Norsk Hydro has also provided the first glimpse into the impact of the attack.

"Based on a high-level evaluation, the preliminary estimated financial impact for the first full week following the cyber attack is around 300-350 million Norwegian Krona ($40 million), the majority stemming from lost margins and volumes in the Extruded Solutions business area," it said in a statement.

"Hydro has a solid cyber risk insurance policy with recognized insurers, with global insurer AIG as lead."

However, with the number and scale of cyber attacks continuing to rise it remains to be seen whether the insurers will pay up in full, in part or dispute the claim.

Oleg Kolesnikov, vice president of threat research at Securonix, said: "We've been closely monitoring the Norsk Hydro ransomware attack, and one thing to note in terms of being able to recover the costs of the attack from a cyber insurer is that this can be far from guaranteed, even with a solid cyber insurance policy.

"To illustrate, in case of the Mondelez's NotPetya cyberattack that reportedly resulted in over $100 million in damages that was in many ways similar to the Norsk Hydro LockerGoga ransomware attack, the claim is being disputed by Mondelez's cyber security insurer Zurich, citing the so called "war exclusion" in the policy language for hostile acts by sovereign actors.

"While the cost of the Norsk Hydro attack is significantly lower, at roughly $35-41 million, recovering the costs of the cyber attack even with reputable cybersecurity insurers can be non-trivial."

It is believed that Hydro was affected by the LockerGoga ransomware, which encrypts files with extensions such as doc, dot, wbk, docx, dotx, docb, xlm, xlsx, xltx, xlsb, xlw, ppt, pot, pps, pptx, potx, ppsx, sldx and pdf.

According to Nozomi Networks Labs, the malware "encrypts the files with the targeted extension and soon after drops the ransom note inside the filesystem".

The user is then provided with "steps he/she must take in order to get the files back", which is typical in most ransomware attacks.

Kolesnikov added: "Fortunately, NotPetya had a number of differences from LockerGoga, particularly in that, as UK officials believed, a nation-state-level malicious threat actor was involved with NotPetya, and the purpose of the NotPetya attack was more along the lines of cyber sabotage [rather] than a classic ransomware attack.

"In contrast, LockerGaga looks much more like a traditional ransomware attack than a nation-state-sponsored malicious breach, so this is something that Norsk Hydro might be looking into further once they are able to fully restore their normal business operations."

Delta is a new market intelligence service from Computing to help CIOs and other IT decision makers make smarter purchasing decisions - decisions informed by the knowledge and experience of other CIOs and IT decision makers.

Delta is free from vendor sponsorship or influence of any kind, and is guided by a steering committee of well-known CIOs, such as Charles Ewen, Christina Scott, Steve Capper and Laura Meyer.

Ten crucial technology areas are already covered at launch, with more data appearing and more areas being covered every week. Sign-up here for your free trial of the Computing Delta website.