Is this the ‘gold standard’ response to ransomware?

The Norwegian aluminum producer Hydro has been praised for its refusal to negotiate.
25 June 2019

Hydro’s pilot plant in Karmøy. Source: Hydro

A Norwegian manufacturing firm that was a target of LockerGoga ransomware has been lauded for its refusal to pay its attackers and for its openness in discussing what happened.

Hydro, one of the world’s biggest producers of aluminum, has spent more than £45 million (US$57 million) in efforts to return to full productivity, a sum that likely far surpasses what the attackers would have demanded had the firm chosen to negotiate.

In March this year, 22,000 computers were hit across the multinational’s 170 sites across 40 countries worldwide. All displayed the same message: “Your files have been encrypted with the strongest military algorithms […] without our special decoder it is impossible to restore the data.”

As a result, production lines were switched to manual operations and the company’s 35,000 staff had to switch to pen and paper. The firm told the BBC that old manuals were taken out of storage and, in some cases, sales teams were asked to help out on the factory floors.

While the firm’s recovery remains ongoing, Hydro’s response to ransomware has been regarded as the “gold standard” by law enforcement. For many companies, the temptation to quietly cough up for the key is just too much to resist.

The alternative could be the irretrievable loss of valuable data and the end of a long-established business. But every successful extortion increases the likelihood of further attempts, fuelling a criminal industry and, in turn, other organized crime.

Last week, Business Insider reported that a Florida city council voted to pay a ransom of US$600,000 in Bitcoin to attackers that targeted its computer systems, affecting its email programs and 911 dispatch operations. 

The outcome was regarded as a “massive alarm bell” for the US, whose towns, cities and businesses would likely be wholly unprepared for similar, forthcoming attacks. 

In some cases, meanwhile, companies specializing in ransomware recovery have been reported to pay off the attackers themselves when unable to crack the encryption, on occasion reportedly without the victim’s knowledge.

“I think in general it’s a very bad idea to pay,” Hydro’s Chief Information Officer, Jo De Vliegher, told the BBC. “It fuels an industry and it’s probably financing other sorts of crime. It goes against our company values and we have good foundations and good people.”

“But I understand why, for some companies who are less secure, this can be the only option,” he added.

Numerous malware studies this year have reported a decline in ransomware. A Proofpoint report on malicious programs found ransomware to be “virtually absent” from its research, making up just “one-tenth of 1 percent” of malicious messages.

The decline was attributed to ransomware no longer generating enough return to justify distributing it at scale. Instead, the report said, attackers were favoring “direct extortion”, in which they threaten to reveal sensitive information or take destructive action unless the victim pays a fee.

Not every company will be in a position to absorb recovery costs on the scale Hydro has taken on, but refusing to cave to ransomware should be the first consideration: it helps starve the industry, and your company may gain some reputational integrity as a result.