Full Report
On March 19, 2019, Norsk Hydro, one of the world's largest aluminum producers, revealed that ransomware had been used in an attack against it.
Analysis Summary
This summary is based **only** on the limited context provided, which confirms the incident but lacks the detailed technical and chronological data usually found in a comprehensive report. Therefore, many fields below will be marked as "Not specified in source context."
# Incident Report: Norsk Hydro Ransomware Attack (March 2019)
## Executive Summary
On March 19, 2019, Norsk Hydro, a major global aluminum producer, suffered a significant ransomware attack. While the exact initial infection vector and full scope were not detailed in the provided context, the attack resulted in widespread operational disruption requiring manual intervention. The company undertook swift response actions to contain the malware and restore critical systems.
## Incident Details
- Discovery Date: Not specified in source context.
- Incident Date: On or around March 19, 2019 (date of disclosure).
- Affected Organization: Norsk Hydro
- Sector: Metallurgy / Aluminum Production
- Geography: Not specified in source context (Global operations implied).
## Timeline of Events
### Initial Access
- Date/Time: Not specified in source context.
- Vector: Not specified in source context (ransomware was the payload delivered; the delivery method and ransomware family are not given).
- Details: Not specified in source context.
### Lateral Movement
- Not specified in source context.
### Data Exfiltration/Impact
- Impact: Implied system encryption causing operational disruption.
- Exfiltration: Not specified in source context.
### Detection & Response
- How it was discovered: Not specified in source context (implied by the company revealing the incident).
- Response actions taken: Response and recovery operations initiated immediately upon detection.
## Attack Methodology
*Note: Specific TTPs utilized by the ransomware are not detailed in the source context provided.*
- Initial Access: Not specified in source context (the ransomware was deployed after access was obtained; how access was obtained is not given).
- Persistence: Not specified in source context.
- Privilege Escalation: Not specified in source context.
- Defense Evasion: Not specified in source context.
- Credential Access: Not specified in source context.
- Discovery: Not specified in source context.
- Lateral Movement: Not specified in source context.
- Collection: Not specified in source context.
- Exfiltration: Not specified in source context.
- Impact: Encryption of systems, leading to operational disruption.
## Impact Assessment
- Financial: Not specified in source context (a costly production stoppage was reported).
- Data Breach: Not specified in source context.
- Operational: Significant business disruption requiring manual processes across production sites.
- Reputational: High-profile international incident affecting a major industrial player.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Ransomware encryption activity.
## Response Actions
- Containment measures: Implemented immediately to stop malware spread.
- Eradication steps: Execution of cleanup and secure restoration protocols.
- Recovery actions: Restoring operations, reportedly using backups rather than paying the ransom.
## Lessons Learned
- Lessons learned: Not explicitly detailed in source context.
- What could have been done better: Not explicitly detailed in source context.
## Recommendations
- Prevention measures for similar incidents: Enhanced endpoint detection and response; increased network segmentation; rigorous backup and recovery testing for critical operational technology (OT) and IT environments.