51July 27, 2020AtaroundmidnightOslotimeonMarch19,
2019, computersowned by Norsk Hydro
ASA,a largealuminum manufacturer, started
encrypting files and going offline en masse. It
took two hours before a worker at its oper-
ations center in Hungary realized what was
happening. He followed a scripted security
procedure and took the company’s entire
network offline—including its website, email
system, payroll, and everything else. By then,
a lot of damage was already done. Five hun-
dred of Hydro’s servers and 2,700 of its PCs
had been rendered useless, and a ransom note
was flashing on employees’ computer screens.
“Greetings!” the note began. “There was
a significant flaw in the security system of
your company. You should be thankful the
flaw was exploited by serious people and not
some rookies. They would have damaged all
your data by mistake or for fun.” The mes-
sage instructed recipients to write to an email
address to discuss an unspecified payment,
which would have to be made in Bitcoin;
in exchange, the hackers would provide an
encryption key to reverse the damage.
Like most other large multinationals,
Hydro had been at least aware of the pos-
sibility of attack. It had a cyber insurance
policy, and it had tested its networks with
“white hat” hackers—security consultants
who attempt to break into a system to check
its defenses. “I wouldn’t say we could keep
the NSA out,” says Chief Information Officer
Jo De Vliegher. “But we were a company with
all the normal security in place.”
It wasn’t enough. Some 35,000 employ-
ees were locked out of the company’s net-
work, and Hydro had to shut down several
manufacturing plants in Europe and the
U.S. The ones still operating had to figure
outhowtodosowithoutanycomputers.In
theend,theattackwouldcostthecompany
morethan$60million—way more than the
$3.6 million the insurance policy has paid
out so far, according to an earnings report.
It was, according to the prosecutor investi-
gating the breach, the worst cyberattack in
Norway’s history.
Despite all this, Hydro never consid-
ered paying the ransom, because the anon-
ymous hackers could have just taken their
Bitcoin and disappeared. Even if they’d pro-
vided the key—and even if the key worked—
it would have sent a message that Hydro was
an easy mark, leading to future attacks and
more extortion.Telephones
Post-It Notes
How a big manufacturer beat ransomware
attackers without paying the ransom
By William Turton
Photographs by William Mebane