Delaware, USA – March 20, 2019 – The Norwegian company Norsk Hydro fell victim to a cyber attack and was forced to switch to manual operations. NorCERT warned the organization about attacks using LockerGoga ransomware and identified Norsk Hydro as one of its victims. The attack began on Monday night, presumably in the United States, and spread to the company’s offices in Europe. According to NorCERT, the ransomware was used along with an attack on Active Directory, and to prevent infection and file encryption in all connected offices, the security department disabled the company’s global network. According to one of the company’s executives, the backups were not damaged, so the attack will not affect the execution of current orders. The power plants were also unaffected, as they are not connected to the rest of the Norsk Hydro network. The company is currently investigating the attack and recovering from its consequences.
LockerGoga ransomware appeared on the scene only at the beginning of this year, but it has already been linked to high-profile incidents, including one that froze operations at the Altran company. The malware is not sophisticated, but threat actors use it effectively along with other tools in attacks against large companies. For the timely detection of such attacks, you can use the Ransomware Hunter rule pack, as well as download a free package from the Threat Detection Marketplace to monitor Active Directory events: https://my.socprime.com/en/integrations/windows-security-monitor-hpe-arcsight