Aluminium manufacturer Norsk Hydro claims to have found the “root cause” of the global IT outage caused by a cyberattack believed to involve LockerGoga, a strain of ransomware that displays some very unusual behaviours, according to Cisco’s Talos Intelligence researchers.

Hydro’s worldwide IT network was paralyzed on Tuesday by the attack, which started in one of its US operations and forced the company to print out lists to continue delivering orders of its aluminium-based products and components to customers around the world.

The company still cannot connect to the production systems in its rolled products unit, but it expected to resume some systems during Wednesday to enable customer deliveries, according to Hydro’s latest update on Wednesday. It is also operating with a “higher degree of manual operation” for extruded solutions, which is still experiencing stoppages at several plants because it cannot connect to production systems.

The company, which employs 35,000 people across 40 countries, said on Wednesday that it does not have a timeline for full recovery of IT operations, nor an estimate of the financial impact of the cyberattack. Hydro’s CFO Eivind Kallevik said at a press conference on Tuesday that the company did have cyber insurance and, when asked whether it would pay a ransom, said Hydro intended to rely on backups of its data to restore IT systems.

Norway’s official cyber security authorities confirmed to media on Tuesday that Hydro was infected by LockerGoga, a relatively new strain of ransomware. LockerGoga is an odd example of ransomware, according to researchers at Cisco’s Talos Intelligence group who have analyzed several samples of it.
First, it is not yet clear whether LockerGoga is actual ransomware like SamSam and many other examples of sophisticated for-profit ransomware, or whether, like NotPetya and WannaCry, it is a data wiper dressed up as ransomware, designed to destroy a victim’s digital assets whether or not the victim follows the instructions to pay a ransom. Talos researchers conclude, based on examination of several samples of LockerGoga, that it “straddles the line” between ransomware and a straight-up data wiper like the Destover trojan that destroyed Sony Pictures Entertainment’s data and master boot records in 2014.
Read full news article on CSO