As the threat of ransomware grows, companies have felt pressed to pay massive amounts to hackers holding systems hostage. One business decided not to give in to their attackers’ demands.
Cyberattacks like the recent global attack that impacted multiple companies over the Fourth of July weekend, this spring’s disruptive attack on Colonial Pipeline and 2017’s infamous WannaCry virus are only growing in frequency and cost. The last five years especially has shown a marked increase, with attackers holding information and digital architecture hostage while demanding greater and greater ransoms.
In 2021, major critical infrastructure systems have become a favorite target of hacker organizations. The early May attack on Colonial Pipeline, a major oil provider on the East Coast, not only showed how brittle corporate cybersecurity standards can be, but also that integral businesses can potentially be extorted into paying ransoms. Colonial Pipeline paid the attackers $4.4 million (with much of it recovered by the U.S. government) and the incident led to widespread gas shortages.
But if a company can be hacked once, it stands to reason that they can be hacked again.
When Norsk Hydro, a Norwegian renewable energy and aluminum manufacturing company, recently faced a ransomware attack, they handled it in a different way. They refused to pay the ransom, and took up the task of removing the virus from the equation altogether.
In March of 2019, on the day Hilde Merete Aasheim was appointed Norsk Hydro CEO, she faced a predictable day full of meetings and media interviews. The last thing she expected was a wake up call at 4 a.m. Exhausted, she answered the phone and heard what she assumed was a practical joke on the other end.
“That’s normally not when you get a phone call,” says Aasheim, who was quickly informed that day of the attack. She said her colleague on the other end of the line told her: “We are under a severe cyber attack, you have to come to work. This is not a drill.”
More from TIME
The attack against Norsk Hydro (which produces enough energy in Norway for 900,000 homes per year) affected the company’s global network of over 3,000 servers and thousands more PCs, locking everyone out and encrypting key areas of the company’s IT network.
Without the decryption key, (which the hackers may or may not provide after a ransomware payment) that data is virtually inaccessible. But even regaining access left Norsk Hydro with a compromised system, one receptive to another attack. The company decided it would not pay the ransom, instead opting to reach out to cybersecurity experts. “There was never the option to pay any ransom,” says Aasheim, who suspected the attackers would only come back for more.
Meanwhile the attack’s virus crippled the company’s network and stalled production in all of its manufacturing facilities. Norsk Hydro made the decision to shut down access to the network, and switch over to manual operation of its most critical systems, warning employees to stay off their devices. Next came shutting down the company’s own internal network to prevent propagation of the virus.
While the benefit of a downed network means easier identification of a malicious virus (as suspicious activity is more prominent), the ramifications were costly. How do you run a manufacturing company without computers, even for more than a single day? They had to figure out how to handle it for weeks.
“It was a very special situation for many weeks before we sort of had our hands around it…and could start to identify what was really compromised,” says Aasheim. Printed order forms, sticky notes on doors and black computer screens, hours of manual labor and extensive bookkeeping helped keep the most essential orders fulfilled. Norsk Hydro relied on pen and paper to track its manufacturing and finances for about three weeks until computer access could be restored, only partially, and for mission-critical work.
“We didn’t have any orders, we didn’t have anything in the computers,” says Aasheim. Manufacturing plants had to operate without computer assistance, a difficult task when making precision aluminum components and dealing with smelters that reach 960 degrees celsius.
“That’s quite a scary situation if you don’t have, let’s say, data to guide you how to operate,” says Aasheim. By asking former Hydro employees and retirees familiar with the paper-based method of manufacturing to pitch in, the production facilities were able to continue to fulfill simpler orders from clients using a combination of both expertise and the few physically printed order forms and procedures for certain parts.
In order to keep up with customer orders, some worked double shifts to reduce the turmoil for clients’ own production schedules. “We did our utmost to keep the customer out of a difficult situation,” says Aasheim. The incident cost Norsk Hydro an estimated $70 million in losses according to its earnings report later that year.
“We do some sophisticated production that can’t be done without top-notch automation, but we have, for example, emergency orders that are easier products that we know can be produced manually,” Norsk Hydro CIO Jo De Vleigher, who helped lead the recovery effort over the months following the attack. Manual production is by no means an optimal solution, but it is better than a full shutdown of the production facilities. “We can keep the machinery going, we can keep the ovens warm” says De Vliegher.
To combat the attackers, De Vliegher, along with the help of agencies including Microsoft’s cybersecurity response team and the Norwegian Norwegian National Cyber Security Centre, set up a trio of teams working to investigate the virus corruption, day to day business operations, and rebuilding the network in parallel to the current one. Unfortunately that meant inspecting the accounts of over 30,000 employees and even more service accounts for instances of malicious activity.
“They all need to be quarantined, cleaned, monitored until the existing systems have, again, a platform to start talking with each other,” says De Vliegher. Programs like the one that crippled Norsk Hydro don’t leave much of a trail, and live in a server’s memory, making it difficult to get rid of.
Essential systems, like manufacturing-specific software, had to be rebuilt over the course of about three weeks. Other systems, including the company’s user directory and cloud services (which were luckily untouched), took as long as three months to bring back online.
The incident was a paradigm shift for Norsk Hydro’s view on cybersecurity, and a chance to make some important changes to the way their cybersecurity operations are run. “I think that, first of all, cybersecurity and cyber risk has to be on the top of the strategic agenda of any company,” says Aasheim. “It only gets more and more advanced, and the attacks are out there as we speak and only get more and more complicated. There’s a whole business value chain out there in terms of how to attack a company.”
The U.S. Cybersecurity & Infrastructure Security Agency (CISA), which assists companies like Colonial Pipeline in similar ransomware incidents, says the victims of cyberattacks should not pay ransoms, as they can incite further attacks.
“Paying ransom offers no assurance that a victim organization will regain access to their data or have their stolen data returned,” says CISA official Eric Goldstein. “Also, ransomware is a criminal economy that is fueled by the payment of ransoms. And so as long as victims are paying ransom, we can expect these criminal groups to be further incentivized to conduct ongoing attacks.”
“If ransomware extrusion impacts the data stored on the business network, the U.S. government is able to offer incident response assistance and other help to victims of ransomware,” says Goldstein. “But by taking some of these fundamental best practices, the organization can significantly reduce the type of expense required to rebuild their network after it does occur.”
“I think our decision was confirmed later on because once your system is encrypted, a lot of damage has already happened along the way,” says Halvor Molland, Norsk Hydro SVP and one member of the response team. “So even if you get the encryption key [from the attackers], there’s no guarantee it will work, and you still have to fix the problems that your system has been compromised.”
Cybersecurity firm Dragos CEO Rob Lee praised Norsk Hydro’s handling of the situation. “It was just extraordinarily transparent,” says Lee. “If you’re impacting the public or the supply chain, it helps quell a lot of concerns and it’s just really a good practice.”
With thousands of computers and employees, it only takes one suspicious email opened to allow bad actors into your network. At that point, it’s less about rooting them out, but stopping them from infecting a company’s network any further. Sandboxing attachments in emails (essentially quarantining them to see if they’re malicious in nature), using AI to scan the network for unfamiliar activity, and teaching employees how to respond to suspicious activity have made Norsk Hydro a company more aware that an attack can occur at any moment.
“We’re starting to see kind of a trend where a couple of these [ransomware groups] appear to be intentionally targeting the industrial side of these infrastructure companies,” says Lee. “I think they appreciate and understand that if you lock up the operation systems, those companies are more ready to pay out, more quick to pay out, and less likely to try to negotiate it down because the cost of being down in terms of reliability, safety, business value, et cetera, is so significant.”
Despite the consequences — tens of millions of dollars in lost business — the company’s openness and frank nature when it came to discussing the ransomware attack was enough to protect its stock prices from any significant shock, and prevent further attacks on different companies using the same ransomware virus, as Norsk Hydro cooperated with cybersecurity officials in Norway.
“Actually on that day, our share price over-performed the market, which is, in theory, hard to imagine when you tell that you have been victim of Norway’s largest cyber attack,” says Halvor Molland, Norsk Hydro SVP and member of the team responsible for rebuilding the company’s network.
Can you ever be sure you’ve thoroughly removed the malware from your network, from your entire company? Can you guarantee the attackers won’t come back? “No, you can’t,” says De Vleigher.
Ransomware is a lucrative business, which means the attacks, hundreds of thousands per day, won’t stop anytime soon. With the risk to the actual hacker being so minimal (no one was arrested for the Norsk Hydro attack) while the payouts are only getting larger, it’s a constant effort to stay one step ahead. Norsk Hydro and Colonial Pipeline aren’t alone either. Right now, critical infrastructure networks are under attack on a regular basis. In 2020, the IC3 received 2,474 complaints identified as ransomware, which amounted to over $29 million in losses, and doesn’t account for losses in time, files, or equipment.
“If there’s one thing we’ve learned, it’s that if a competent hacker really wants to get into a company, they will succeed no matter what,” says De Vleigher. “It’s not like a normal virus, it’s not because we’ve been attacked and now we’re immune. We’ve put a lot of effort in crisis handling and recovery as much as in prevention, because we’re very aware it’s asymmetric warfare. We need to be perfect all the time. They just need to be lucky once, and sooner or later they might be lucky again.”