Norsk Hydro: Ransomware Shuts Down Aluminium Plants Across 3 Continents
LockerGoga ransomware spread across Norsk Hydro's entire global network, forcing aluminium smelters in multiple countries to switch to manual operations. The company's transparent response became a gold standard for incident communication.
Background
Norsk Hydro is one of the world's largest aluminium producers, with 35,000 employees across 40 countries. The company's IT network connected its corporate operations with industrial control systems at its smelters and rolling mills.
The Attack
Attackers — believed to be an Eastern European criminal group — gained access to Norsk Hydro's network months before the attack, likely through a phishing email. On March 19, 2019, LockerGoga ransomware was deployed across the entire global network simultaneously. Unlike WannaCry, LockerGoga did not spread autonomously — it was manually deployed via Active Directory, suggesting prolonged network presence and deep reconnaissance.
Response
Norsk Hydro held daily press conferences livestreamed on YouTube, providing transparent updates even while the full scope of the attack was still unknown. Aluminium plants switched to manual operations using paper records. The company refused to pay the ransom and rebuilt from backups over several weeks. NorCERT and various national cyber agencies assisted.
Outcome
The attack cost Norsk Hydro an estimated $71 million in the first week alone, with total costs exceeding $75 million. The company's transparency, its refusal to pay, and its decision to share technical details with the community became widely cited as best practice for ransomware incident response.
Key Takeaways
- Industrial control systems connected to corporate networks extend the blast radius of ransomware to physical operations
- Transparent public communication during a cyber incident builds trust and aids the broader security community
- Paying a ransom never guarantees recovery, and it funds future attacks
- Active Directory is frequently weaponised for ransomware deployment — protect it as critical infrastructure