Ouch! Hefty cost of ransomware attack prompts experts to warn companies to check their insurance policies
Large Norwegian manufacturing firm Norsk Hydro has admitted it has lost more than $40m in the week following a devastating ransomware attack.
Norsk is one of the world’s largest producers of aluminium, and the attack crippled many of its systems, including its main website, which forced it to use Facebook to provide updates to the world.
Indeed, the attack was so bad that Hydro’s staff around the world had to use mobile phones and tablets to access email, and at some factories workers had to use printed order lists. The attack also reportedly took Hydro’s main smelting plants offline at some locations.
Now Norsk admits that a full recovery of its IT infrastructure and control systems will likely take weeks or more.
The firm also said that its primary metals business and most other units were able to carry on production, using workarounds and manual solutions, but one of its main production units has struggled to recover, company executives were quoted by Reuters as telling a news conference on Tuesday.
The firm has said that on a preliminary basis, the financial impact of the attack during the first week was estimated at between 300 million and 350 million Norwegian crowns ($35 million-$41 million).
Besides being an aluminium producer, Hydro also runs power stations and other divisions. It employs more than 35,000 people in 40 countries.
“Hydro has a solid cyber risk insurance policy with recognized insurers, with global insurer AIG as lead,” the company reportedly said.
“The insurance has a ceiling,” CFO Eivind Kallevik told the news conference, but he declined to reveal the insurance policy cap.
“In the most affected business area, Extruded Solutions, production is now at 70-80 percent, except for the Building Systems business unit, where operations remain almost at a standstill,” Hydro reportedly said.
The good news is that Hydro has publicly stated it will not pay hackers to unlock its files. It instead wants to restore systems from backup servers.
“The company has now entered the recovery phase following the attack, gradually restoring IT systems in a safe and secure manner to ensure progress toward normal business while limiting the impact for people, operations, customers, suppliers and other partners,” Hydro reportedly said in a statement.
The recovery is expected to take “weeks or longer”.
The security industry said this example showed how devastating ransomware attacks could be, and also how much money insurance companies would be prepared to pay out for such an attack.
“I think it may be just a tip of the iceberg,” explained High-Tech Bridge’s CEO Ilia Kolochenko. “In addition to the direct losses, we have to consider loss of business opportunities and reputational damage, increase of insurance premiums and many other indirect but palpable costs.”
“Worse, this type of damage may last many years, undermining overall competitive advantage on the global market,” Kolochenko added. “Cybersecurity has become a major issue for all types of companies, even a relatively short weekly shutdown may cause irrecoverable financial injury today.”
Another expert pointed out that these attacks could result in conflict with insurance companies, with insurers disputing the costs involved.
“We’ve been closely monitoring the Norsk Hydro ransomware attack, and one thing to note in terms of being able to recover the costs of the attack from a cyber insurer is that this can be far from guaranteed, even with a solid cyber insurance policy,” said Oleg Kolesnikov, VP of Threat Research and head of Securonix Research Labs at Securonix.
“To illustrate, in the case of Mondelez’s NotPetya cyberattack, which reportedly resulted in over $100m in damages and was in many ways similar to the Norsk Hydro LockerGoga ransomware attack, the claim was being disputed by Mondelez’s cybersecurity insurer Zurich, citing the so-called ‘war exclusion’ in the policy language for hostile acts by sovereign actors,” warned Kolesnikov.
“While the cost of the Norsk Hydro attack is significantly lower, at roughly $35-41m, recovering the costs of the cyberattack even with reputable cybersecurity insurers can be non-trivial,” said Kolesnikov.
The issue of insurance was also picked up by another security expert.
“The Norsk Hydro case highlights the issue of cybersecurity risk to the forefront of all organisations,” said Deborah Chang, VP of business development and policy at HackerOne.
“No matter what the outcome of this claim is, it is clear that the team responsible for the purchase of an insurance policy must now be hyperaware of cybersecurity risk,” said Chang. “Specifically, how a cybersecurity breach or cyberattack, even if it is not as public and not as large as the one that targeted Norsk Hydro, will be covered under a policy, what tools are in place to prevent loss from bad actors, what the threats are, how vulnerabilities are mediated, where the threats could be and most importantly, what tools need to be in place to prevent the breach.”
“Insurers like AIG are most likely invested in encouraging or requiring post breach cybersecurity practices that can limit the extent of the breach as much as possible and ensure a company is as secure as it possibly can be,” she added. “The question that will most likely be asked is how AIG and other insurers do this post-breach, and pre-breach, when the insurance buyer or risk team doesn’t necessarily have the influence or ability to collaborate with the security team.”