Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

3/25/2019
11:15 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Norsk Hydro: This Is How You React to a Ransomware Breach

The company's response to a massive ransomware attack is an object lesson in how to do it right.

You're the new CEO of a global manufacturing company. On your first day on the job, you hang your pictures and find the washroom.

On the second day, your worldwide IT structure gets taken out by the LockerGoga ransomware. The entire company goes down. Both back office and production systems have been affected and are unusable.

That's what happened to the new CEO of aluminum maker Norsk Hydro last week. And you thought your week was bad.

What was not bad was how the company responded. Their overall response will serve future business scholars as an example of how to do it right.

Norsk gave transparency and insight into a tough situation. They took active and proactive measures to disseminate the facts. For example, a temporary website was set up. Details of what was occurring were given via Facebook posts to both the press and staff to prevent rumor formation.

Their efforts even extended to holding daily webcasts with the most senior staff talking through what was occurring, as well as answering questions. They even took questions from webcast watchers. As a result of their efforts, their stock's price managed to go up after the incident. Investors responded positively to what they saw as real information, not conjecture.

In a press release, the company said that the root cause of the problems had been detected, a cure has been identified, and together with external partners (including national security authorities) that Hydro was working on reverting virus infected systems back to a pre-infected state.

They were not going to pay the demanded ransom.

Jo De Vliegher, head of information systems, also said in that same press release that: "Experts from Microsoft and other IT security partners have flown in to aid Hydro in taking all necessary actions in a systematic way to get business critical systems back in normal operation."

The company said production had resumed to normal levels by the week's end after the attack, except for Extruded which was at 50%. UK security researcher Kevin Beaumont said in his blog that the attack happened because the malware was not being identified by endpoint solutions rather than any missteps the company took.

Additionally, the malware was signed with a certificate that had been given to a company that reported only £1 of assets. Worse, the Certificate Authority failed to revoke the certificate in a timely manner. A revocation, by the way, may not have stopped the malware since many security tools do not retrieve the CRL and check the serial number for revocation.

Since the company uses Office365 they could still communicate with each other, the press and customers by using non-IT infrastructure like mobile phones. Because their communications had been migrated to a managed cloud service, the capability to communicate was not affected.

The upshot is that Norsk did things right, and still got hit. But they survived because they had already planned for this kind of problem by having good backups available and dealt in a straightforward and honest manner with their customers.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.