On March 19, 2019, the computer systems of Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. Two hours later, someone in an operations center in Hungary realized what was happening and, following a predefined procedure, took down the company’s website, email system, payroll, and everything else. By then, a lot of damage had already been done. The ransomware had rendered five hundred servers and 2,700 PCs useless. A note demanding a ransom was flashing on computer screens. The attack was carried out by FIN6, a financially motivated cybercrime group from eastern Europe.
Despite all the complex problems it faced, Hydro never considered paying the ransom, because the attacker could have just taken the Bitcoin and disappeared. Even if the decryption key they might provide had worked, paying would have sent a message that Hydro was an easy mark, leading to future attacks and more extortion.
Instead, Hydro attempted to recover from the attack, improvising with ancient PCs, fax machines, Post-it notes, and all manner of other analog technology. For example, customers, suppliers, employees, and investors were informed of the attack the day after by an employee who used his personal cellphone to post on the Hydro Facebook page:
“Hydro is currently under cyber-attack. Updates regarding the situation will be posted on Facebook.”
To make up for the lack of information about customer orders and production scheduling, Hydro employees began calling customers, asking them to text or send orders to personal email accounts. Orders were printed on paper and distributed in production plants.
This travel back in time came at a huge cost of more than $60 million, far more than the $3.6 million the insurance policy has paid out so far. According to the prosecutor investigating the breach, this is still the worst cyberattack in Norway’s history.
Travels in time may become more and more popular as prosecutors are starting to sanction cyber criminals. For example, Garmin is currently under attack by the WastedLocker ransomware. This ransomware is operated by the Russian hacking group Evil Corp, which was sanctioned by the U.S. Treasury last year after one of its members was indicted by U.S. prosecutors. Hence, even if Garmin chooses to pay the ransom, it cannot do so because paying is now highly illegal. Let’s hope Garmin has backups; otherwise we will see another travel in time.