£60 million in recovery costs for Norsk Hydro after refusing ransom demand

Earlier this month, Norsk Hydro published its first quarterly report since it fell victim to a devastating ransomware attack in March.

Profits fell by 82%, but that’s a much better result than many were expecting. The malware tore through the aluminium producer, with productivity grinding to a halt at all 171 of the organisation’s sites.

For a few hundred thousand pounds, Norsk Hydro could have bought a decryptor from the blackmailers and restored its systems. But the organisation refused to pay up.

You might be wondering why, given that the decision has so far cost Norsk Hydro an estimated 650 million Norwegian crowns (about £60 million). But that’s a small price to pay for the moral victory of playing hardball with criminal hackers.

How the incident occurred

On 19 March 2019, Norsk Hydro’s systems were infected with the LockerGoga ransomware.

Trend Micro’s analysis of the ransomware found that it abused the same system administration tool used by the likes of SOREBRECT and Bad Rabbit. This means there’s a chance that the network was compromised before the attackers planted the ransomware.

Employees were left to file paperwork manually and share documents via fax machines. The BBC reported that “There were people from sales who were drafted in to do production line work. There were people from finance making sandwiches for the team. Everything in the company was turned upside down.”

Meanwhile, senior executives had a tough decision to make. The ransomware was accompanied by a note: “Your files are encrypted with the strongest military algorithms. Without our special decoder it is impossible to restore the data.”

To access the decoder, the organisation was asked to pay a large ransom in bitcoin.

Cyber security experts and governments urge victims to never pay the ransom. This is partly for your own protection – after all, you can’t trust a fraudster to keep their word and hand over the decryption key once the payment has been made.

Likewise, paying one ransom makes you a soft target for future attacks; if you’ve paid once, there’s a good chance you’ll do so again.

There is also a moral imperative not to pay the ransom. Payments will probably fund attacks on other organisations and show that cyber crime is a lucrative business.

Backups are the key to survival

It can be hard to take a moral stance against ransomware when doing so will cripple your organisation. Delays of even a few days can be enough to cause irreparable damage for some businesses, which is why they often feel compelled to pay the ransom.

You can certainly understand the desire for a short-term fix when, say, a local government’s systems are frozen and essential services are brought to a halt.

But organisations wouldn’t find themselves in that position if they had a backup plan. Literally. Norsk Hydro’s CEO, Eivind Kallevik, announced that the company would be able to recover quickly because it had recently backed up its systems.

Backups enable organisations to wipe the infected systems and restore a previous version. This can take anywhere from a few hours to a few days, but if you act quickly, the delays won’t be any longer than if you were waiting for your files to be decrypted.

Mitigating the financial effects of ransomware

If you’re worried about the costs Norsk Hydro incurred by refusing to negotiate with the crooks, remember that it is a massive company. It had to shut down 40 networks and 22,000 computers before wiping the systems.

Most organisations will have a less extensive recovery process, so the delays will be shorter and the costs lower, since both scale with the size of your organisation.

Another way to lessen the burden of recovering from a ransomware attack is to purchase cyber insurance. Depending on the policy, the organisation will receive a financial payout to help cover the costs associated with the response effort.

Norsk Hydro confirmed that it had a cyber insurance policy, and although it hasn’t said how much it will receive, it did state that payments could start appearing in the results of the third quarter.

The payout obviously won’t solve all of the company’s problems – and overworked employees might consider the payment a case of locking the stable door after the horse has bolted.

However, the promise of remuneration stabilises the organisation’s financial outlook. Amid falling profits, bosses are often forced to cut costs and lay off staff, but a repayment package means that such measures are less likely.

Preventing ransomware attacks

You can never be fully protected against ransomware, because there are so many ways criminals can infect your organisation. That’s true with all forms of cyber attack, which is why experts regularly remind organisations that security breaches are a matter of ‘when, not if’.

That said, there are a few ways to mitigate the risk. First, as we’ve already discussed, you should regularly back up important files. This puts you in a position to ignore ransom demands and get back to work after a short delay.

Second, you should boost staff awareness of ransomware. Many attacks are caused by phishing emails that contain infected attachments. If you teach your staff how to spot malicious emails, you can avoid all manner of threats, including ransomware.

Teach your staff about ransomware

Our Phishing and Ransomware – Human patch e-learning course teaches your staff everything they need to know about ransomware.

This ten-minute course introduces employees to the associated risks and describes the link between phishing and ransomware. Armed with this knowledge, your staff will be better equipped to detect suspicious emails and know how to respond.
