Norsk Hydro – A Ransomware Case Study

Norsk Hydro, the Norwegian aluminium manufacturer, was hit by a ransomware attack in March 2019. The company is one of the largest aluminium producers of its kind, with smelting plants and factories in 40 countries managed by its 35,000 employees.

The ransomware attack impacted production in Europe and the US, forcing the company to revert to manual operation of its industrial control systems, at a much slower pace than normal, while it battled the attack.

Parts of the business were still operational, however, which allowed a degree of production to be maintained. The stoppage of primary metal and rolled products had some operational impact from a business interruption perspective.

The CFO announced that the bitcoin ransom demand had not been and would not be paid while the company attempted to restore its software and preserve its data.

The cyber attack resulted from an employee opening an infected e-mail from what was thought to be a trusted customer, which allowed the hackers to gain access to the IT infrastructure and deploy the ransomware. This was an example of an Advanced Persistent Threat (APT).

The ransomware is thought to have been LockerGoga, which enables hackers to encrypt computer files very quickly; the files are then locked and a ransom demand is made to release them. The hackers also threatened to increase the ransom should there be any delay in paying, to add further pressure to the situation.

Norsk Hydro made three quick decisions which helped mitigate the attack:-

  • The CFO announced that the bitcoin ransom demand had not been and would not be paid.
  • Microsoft's cybersecurity team (the Detection and Response Team, known as DART) was engaged to help restore operations.
  • Norsk Hydro was very transparent about the attack, hosting daily webcasts and press conferences to provide updates, which does not normally occur.

A special team was built up over the following weeks which helped the business recover and reconstitute its operations. This helped remove the threat posed by the hackers and build an understanding of how the ransomware attack worked.

Norsk Hydro shared a video of how it dealt with the ransomware attack at its Toulouse plant.

https://securityboulevard.com/2019/04/norsk-hydro-shares-a-4-minute-video-on-how-its-employees-stood-up-for-the-firm-post-an-extensive-cyberattack/

The financial impact of the ransomware attack is thought to be in the region of $70-80M. Norsk Hydro also held a cyber insurance policy which is believed to have paid out $33M to date.

Ransomware Is Still A Major Threat

Ransomware remains one of the main methods hackers use to carry out cyber attacks on businesses.

New strains are emerging all the time; one such type is Sodinokibi, which is only three months old but has already had a significant impact. It is also known as Sodin and REvil and is connected to a previous ransomware family called GandCrab.

It is believed that the average ransom demand for Sodinokibi in May was $150,000, against $50,000 for other forms of ransomware. The largest recorded to date is $500,000.

Furthermore, according to a report by Coveware, an incident response company, the average downtime from a ransomware attack during the first part of this year has increased from 7.3 days to 9.6 days, which is believed to be due to the impact of this new ransomware.

The use of Sodinokibi is also increasing, so much so that it now accounts for 12.50% of the overall market.

Attack Methods

Sodinokibi is ransomware-as-a-service (RaaS), used to attack both businesses and consumers through various attack methods that include the following:-

  • Malicious spam
  • Phishing attacks
  • Malvertising
  • Exploitation of vulnerabilities in Oracle software

The Signs of this Ransomware Infection

When a computer system has been compromised by Sodinokibi it displays the normal signs of a ransomware attack: a change to the desktop wallpaper and the announcement of the attack by way of a ransom note.

https://www.zdnet.com/article/sodinokibi-ransomware-is-now-using-a-former-windows-zero-day/

How it Happens

Files on local drives are encrypted and renamed with a pre-generated pseudo-random alphanumeric extension of up to eight characters in length. This type of ransomware appears to target mainly media-related files.

It has also been found to delete shadow-copy backups and to disable the Windows Startup Repair tool, which prevents users from fixing system errors relating to the ransomware attack.

Sodinokibi is unique in that it latches on to zero-day vulnerabilities to give the attacker access to the endpoints it infects, replicating tasks that administrators would normally carry out.
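As an added example (not code from the original post), a small Python heuristic that looks for the renaming pattern described above: many files across a user's folders carrying the same short, unrecognised alphanumeric extension, often with the original extension still visible in front of it. The known-extension list, the thresholds and the sample paths are constructed assumptions.

```python
"""Heuristic for the mass-renaming behaviour described above. Signals:
  1. the new extension is short (<= 8 chars), alphanumeric and unrecognised;
  2. one such extension dominates the files seen (it is "pre-generated", so
     every renamed file on a host shares it);
  3. the original extension is still visible before it (report.docx.k8d3p2).
Thresholds and KNOWN_EXTENSIONS are assumptions, not taken from the page.
"""
import os
from collections import Counter

KNOWN_EXTENSIONS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv", "log",
    "jpg", "jpeg", "png", "gif", "mp3", "mp4", "avi", "zip", "exe", "dll",
}

def looks_random_extension(ext: str, max_len: int = 8) -> bool:
    """True for a short alphanumeric tail mixing letters and digits that is
    not a file type we recognise."""
    if not ext or len(ext) > max_len or not ext.isalnum():
        return False
    if ext.lower() in KNOWN_EXTENSIONS:
        return False
    return any(c.isalpha() for c in ext) and any(c.isdigit() for c in ext)

def scan_paths(paths, min_files: int = 5, min_share: float = 0.5):
    """Return (extension, count, double_ext_count) for the dominant suspicious
    extension if it covers at least min_files files and min_share of all
    files that have an extension, otherwise None."""
    suspicious, double_ext, total = Counter(), Counter(), 0
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]  # portable basename
        parts = name.split(".")
        if len(parts) < 2:
            continue
        total += 1
        ext = parts[-1]
        if looks_random_extension(ext):
            suspicious[ext] += 1
            # original type still visible, e.g. report.docx.k8d3p2
            if len(parts) >= 3 and parts[-2].lower() in KNOWN_EXTENSIONS:
                double_ext[ext] += 1
    if not suspicious:
        return None
    ext, count = suspicious.most_common(1)[0]
    if count >= min_files and count / total >= min_share:
        return ext, count, double_ext[ext]
    return None

def scan_directory(root: str):
    """Walk a real directory tree and apply the same heuristic."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths)

# Constructed sample: a user profile after a hypothetical infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.k8d3p2",
    r"C:\Users\alice\Documents\budget.xlsx.k8d3p2",
    r"C:\Users\alice\Pictures\holiday.jpg.k8d3p2",
    r"C:\Users\alice\Videos\clip.mp4.k8d3p2",
    r"C:\Users\alice\Music\song.mp3.k8d3p2",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\readme.txt",
]
```

Running `scan_paths(SAMPLE_PATHS)` flags `k8d3p2` on five of seven files, all of which still show their original type; `scan_directory` applies the same check to a real tree.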

How to Try and Prevent an Attack

  • Create back-ups of data on an external drive or in the cloud.
  • Ensure that updates are run on all computer systems and appropriate patching is carried out.
  • Reinforce staff training so that they are aware of phishing attacks that might carry this ransomware.
  • Restrict the use of administrative tools to the IT team.
  • Disable macros in Microsoft Office products.

Cyber Insurance

The purchase of cyber insurance can help manage and mitigate the impact of this form of attack. This type of policy provides coverage for the costs of investigating such an attack, the cost of negotiating with the hackers and, if need be, the ransom itself.

The Six Major Cyber Risks of 2019

What are the six major cyber risks of 2019 that businesses will need to guard against in the perpetual war against cyber criminals?

The cyber threat landscape is constantly changing, with hackers using ever more sophisticated means to gain unauthorised access to computer systems. This, coupled with some of the more established tools hackers use, produces a cocktail of attack vectors that provides the ultimate test of a business's cyber risk management.

Cyber risks come in many shapes and forms, and it is likely that the following will feature throughout the world in the coming days and months.

Supply Chain Vulnerabilities

This is proving to be a very real vulnerability, with businesses heavily reliant on their suppliers and contractors for services, including technology services that are fundamental to the effective functioning of the business.

If one of the suppliers' systems is compromised, this is likely to result in a significant business interruption loss, with income lost and reputation damaged.

http://cyberbrokers.co.uk/how-secure-is-your-supply-chain/

Mobile Applications

We are all reliant on our smartphones and laptops, and end-to-end encryption of these is therefore of paramount importance. Confidential information and personal data are in abundance on these devices, and a hacker will no doubt target devices that do not have the appropriate security in place.

With the emergence of 5G it will become increasingly hard to protect mobile applications.

Phishing Attacks

These are well established methods that hackers use to overcome human vulnerabilities.

This is carried out by e-mail compromise, where users click on a link that spreads malware and cripples the computer system, or where a client's bank details are falsely changed to an account set up by a hacker, leading to a loss of funds.

Ransomware Attacks

There have been a number of high profile ransomware attacks, namely WannaCry and NotPetya, that impacted many countries around the world. Businesses affected by these include WPP, Maersk and the National Health Service in the UK.

A ransomware attack can be very cleverly disguised, with many means available to gain access to a computer network. Over the past twelve months ransomware attacks have declined, but they remain a very real threat, with different strains of malware emerging. This will only increase and make detection harder; awareness of new methods and defence against them will therefore be vitally important to mitigate this ongoing threat.

The Morrisons Effect

After a Morrisons employee stole salary details and distributed them to a number of newspapers, Morrisons was sued for damages by a number of the affected individuals.

On appeal, Morrisons was found vicariously liable for the employee's actions. The court also stated that the affected individuals could claim for financial loss and emotional distress. It is therefore conceivable that this could open the floodgates for class actions against other businesses in similar circumstances.

https://www.bbc.co.uk/news/business-45943735

Artificial Intelligence and Internet of Things

Artificial Intelligence (AI) is now developing at an alarming pace as businesses recognise the benefits that machine learning can bring, such as increased efficiency in manufacturing and data analysis. This, however, brings increased cyber risks. Devices can be interconnected and communicate with other devices, forming the Internet of Things (IoT), and the result can be a compromise of systems, loss of data or even physical damage.

Cyber attacks backed by AI would be far greater than a conventional human-led cyber attack, causing more damage for longer periods. This is a new and emerging cyber threat, but it could be one of the most dangerous and damaging, as cyber security has not kept pace with the ensuing risks.

Cyber attacks will undoubtedly become more sophisticated, with the cyber risk landscape becoming more unpredictable and the threat vectors that develop more difficult to assess.

How Secure Is Your Supply Chain?

Many businesses are now reliant on third parties in order to function and to provide their goods or services. These third parties are likely to form a supply chain providing such capabilities as IT services, HR outsourcing and hosting services.

The calibre of these services can vary greatly, from a large conglomerate to a small local business. Each supplier will have its own cyber security processes and procedures that should be embedded within the business... but in practice is this the case, and what is the impact on a business if a supplier suffers a cyber security breach?

With reliance now placed on a supply chain, it is important that due diligence is carried out to ensure that this resilience is in place.

What sort of processes can be carried out in order to provide some assurances?

  • Regular cyber security audits of third party vendors
  • Prioritization of vendors for critical services
  • Review of data monitoring standards of third parties
  • Ensure the business's own security procedures remain at a high standard, enforcing regular patching and installation of the latest firewalls
  • Management of privileges granted outside the business
  • Robust procurement processes for new vendors
  • Management of contractual liability with the vendor in the event of a possible data breach
  • Due diligence of cloud service providers
  • Insurance checklist for professional indemnity and/or cyber insurance held by the vendor
  • Review of interconnected devices to manage Internet of Things (IoT) exposures

The supply chain of a business can be its weakest link, and managing it should be given the same level of attention as the internal cyber risks that exist.

The National Cyber Security Centre publishes a list of some of the risks that businesses should look out for:-

https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Cyber-security-risks-in-the-supply-chain.pdf

The consequences of a third party suffering a compromise of its computer systems could include the following:-

1. Business Interruption

2. Reputational Damage

3. Regulatory Actions and Fines

4. Loss of customers

5. Costs incurred by the business to rectify loss of data or damage to computer systems

There have been a number of high profile data breaches where losses have emanated from the supply chain:-

Target

In December 2003 hackers gained access to the heating and ventilation system of the retailer Target. After network credentials were stolen from a mechanical services engineer, the hackers were able to gain access to customers' credit and debit card data. The cost of the breach is thought to be close to $300M, with 100 million individuals affected and the CIO of Target resigning soon after the breach.

Stuxnet

This was a malicious computer worm that targeted automated processes utilized to control machinery on factory assembly lines and systems within the nuclear industry.

It was introduced into a supply network via an infected USB flash drive by individuals who had access to the system. The worm was then able to move across the network, scanning for the software that controls machinery and influencing the commands that were given.

NotPetya

Last year NotPetya was malicious code aimed at software supply chains. It targeted outdated and unpatched Windows systems using the EternalBlue vulnerability and hit many global businesses such as WPP, DLA Piper and Maersk.

The hackers initially breached a financial services company named MeDoc, whose third-party software was readily used by governments. Once access had been obtained they were able to install malware in its software, which was then distributed to end users when the latest update was downloaded.

A Symantec report earlier this year found a 200% increase over the last 12 months in hackers injecting malware implants into the supply chain to gain access to organisations' computer systems.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Perhaps one of the keys to securing a supply chain is to require suppliers to have in place cyber security procedures and practices as robust as the business's own, in order to manage the evolving cyber risk landscape.

Will Ransomware Attacks Increase Under GDPR?

Businesses in the UK suffer on average 38 ransomware attacks a day, and it is likely that we will see a significant increase when GDPR comes into force on 25th May this year.

According to cyber security product developer SonicWall there are over 2,500 known variants of ransomware hitting UK businesses, which makes managing these attacks a formidable job. One current trend is that hackers target data, with ransomware an ideal method of disrupting businesses by corrupting their data, stealing it or holding them to ransom.

This form of cyber attack is perhaps one of the most difficult to handle due to its unpredictable nature and the impact it can have, leaving a business paralysed and unable to operate. It is also normally time limited, which adds stress for the business owners, with the imminent threat of data being destroyed if the ransom is not paid within a specific deadline.

With GDPR there is the added factor of a business being fined by the Information Commissioner's Office (ICO) if data is compromised. The fines that could be imposed by the ICO are between 2 and 4% of global turnover, depending on the degree of the data breach. Uber would be an example of where the ICO could have imposed a heavy fine. Hackers held Uber to a £750,000 ransom with the threat of releasing the data of 57 million customers. Uber would have been in breach of GDPR rules on two counts: the initial cyber attack, and the fact that it was not disclosed, as all data breaches will need to be reported to the ICO within 72 hours. It will be interesting to see how the ICO approaches the question of fines and to what degree it is likely to impose the maximum fine threshold.

Paying a ransom is an easy option to alleviate a cyber attack, but it may only be a short-term solution, as the hacker could return, perceiving the business to be an easy target. There is also no guarantee that the files containing the data will be released; they may remain encrypted, with the business still unable to access the data.

Cyber insurance can help with ransomware attacks, paying the ransom itself and the costs associated with negotiating with the hackers. The policy would also provide coverage for the forensic and IT costs of investigating possible lateral movement by the hackers within the computer systems. A data breach will need to be managed, and this specialist form of insurance provides incident response services backed by a panel of experienced vendors.

Ransomware attacks will undoubtedly increase once GDPR comes into force and businesses will need to improve their cyber risk management in order to avoid the wrath of the ICO and the damage to their reputation that a severe data breach may cause.

Ransomware : The Modern Day “Stand and Deliver”

Ransomware: if you didn't know what ransomware was a few weeks ago... it is almost certain that you do now, in the wake of the WannaCry cyber attack that occurred earlier this month.

What is Ransomware? 

This is a form of malicious software designed to block access to a computer system until a sum of money is paid. The data cannot be used and in some cases the hackers threaten to publish it until a ransom is paid. There is of course no guarantee that once the ransom has been paid the decryption key will be provided, or that the hacker will not delete the data anyway. If the ransom is paid it is also possible that the hacker will return to carry out a further attack.

This form of malware effectively employs scare tactics not unlike those seen in the days of the highwayman in Victorian times, who would hold a coach of unsuspecting passengers at gunpoint until they had handed over a ransom representing their wealth. Ransomware can be compared to the modern day "stand and deliver" threat that a highwayman posed.

The Impact of a Ransomware Attack 

Ransomware attacks have increased fourfold over the past two years, with the UK being one of the main targets, as we are perceived to be a destination that will readily pay the ransom.

One report has collected data which reveals that 54% of UK businesses have been targeted with a ransomware attack where revenue has been lost and, in extreme circumstances, the businesses have had to close. A ransomware attack can also cause reputational damage from which a business may never recover.

With the General Data Protection Regulation (GDPR) coming into force on 25th May next year, the emphasis on protecting personal data is increasing. If a ransomware attack encrypts personal data and the business is unable to restore it, it is conceivable that the ICO would consider that the business has not taken appropriate measures to keep the data safe and is therefore in breach of the Data Protection Act.

The WannaCry Attack

The ransomware attack affected approximately 200,000 computers in 150 countries on 12th May. The most high profile organisation hit by this attack in the UK was the NHS. Beyond this, Renault, Nissan, FedEx and Telefonica were also hit by this indiscriminate cyber attack, which appeared to target legacy software that had not been updated. Organisations that still used Windows XP were particularly hard hit, as it contained certain software vulnerabilities.

Managing the Ransomware Cyber Risk

Businesses should consider the following:-

  • Adequate Back Up and Recovery of computer systems
  • Patch Management of all systems with particular attention to older systems
  • Staff Training to raise awareness of what to look for in a ransomware attack
  • Regular Firewall Management
  • The Purchase of Cyber Insurance

The National Cyber Security Centre offers some excellent guidance on its website entitled "Protecting your organisation from ransomware" at the following link:-

https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

How Cyber Insurance Can Help 

Cyber insurance is a modular policy, and it is possible to purchase specific areas of coverage tailored to a business's requirements.

Cyber Extortion Coverage

This includes negotiations with the hackers and payment of the ransom itself.

Forensic Investigation

This determines what data was compromised and how the systems were accessed.

Data Restoration

This covers costs associated with attempting to decrypt data and with assisting the restoration of data from back-ups.

Business Interruption

This module provides coverage for increased costs of working and possible loss of profits.

There are now many strains of ransomware, which are becoming increasingly hard to manage and present a constant challenge for businesses. Businesses need to constantly review their cyber security risk management processes and procedures, which will go some way towards alleviating this evolving threat.