Norwegian aluminum giant Norsk Hydro estimates that it may have lost more than $40 million in the first week following the ransomware attack that disrupted its operations.
In an update shared on Tuesday, the company said it’s too soon to provide precise information on the financial impact resulting from the cyberattack, but a rough estimate puts losses at between 300-350 million Norwegian crowns ($35 – $41 million). A majority of that amount represents losses in the Extruded Solutions area, which has been hit the hardest.
“Hydro has a solid cyber risk insurance policy with recognized insurers, with global insurer AIG as lead,” the company stated.
On Tuesday, Hydro reported a production rate of 70-80% in Extruded Solutions, including Extrusion Europe, Extrusion North America and Precision Tubing. However, the Building Systems unit is almost completely shut down. On Friday, the Extruded Solutions unit had been running at roughly 50% of normal capacity.
“Based on current progress the expectation is for Building Systems to gradually ramp up production and shipments during the week,” the company said.
Hydro believes it could take weeks to fully restore all impacted systems.
The organization’s systems were infected with a piece of file-encrypting ransomware — believed to be a version of LockerGoga — starting on March 18. The incident caused disruptions at several of its plants, forcing workers to rely on manual processes.
The company believes it has cleaned up all infected servers and computers, and says it has begun restoring data. Shortly after the incident came to light, the firm indicated that it had good backups in place and it did not intend on paying any ransom.
A few days after Hydro disclosed the breach, two major US-based chemical companies, Hexion and Momentive, also reported being hit by a cyberattack and it’s believed that the LockerGoga ransomware was involved in these incidents as well. The chemical firms were less transparent, but some reports claim the attack took place prior to the Hydro incident and they were forced to replace hundreds of computers.
Researchers have been keeping a close eye on LockerGoga. Some have found that the threat does not encrypt files if certain types of Windows shortcut files are found in a specific folder. Others noticed that some of the later versions logged users out of compromised systems, which would have prevented victims from seeing the ransom note.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
