{ "id": "40ff39e7-097a-4495-ae02-4e3fd711069b", "created_at": "2026-04-06T00:10:32.489166Z", "updated_at": "2026-04-10T03:24:29.621901Z", "deleted_at": null, "sha1_hash": "a83e7371b20ea193ecba27a9e6977d24495a1495", "title": "LockerGoga Ransomware Sends Norsk Hydro Into Manual Mode", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1238830, "plain_text": "LockerGoga Ransomware Sends Norsk Hydro Into Manual Mode\r\nBy Ionut Ilascu\r\nPublished: 2019-03-19 · Archived: 2026-04-05 22:25:38 UTC\r\nOne of the largest aluminum producers in the world, Norsk Hydro, has been forced to switch to partial manual operations\r\ndue to a cyber attack that is allegedly pushing LockerGoga ransomware.\r\nThe company announced today that it is the target of an extensive cyber attack that was noticed by the IT staff noticed late\r\nMonday (around midnight), CET, affecting computer systems in most business areas.\r\nLockerGoga ransomware is relatively new on the scene. Although it has made multiple victims, it gained public attention in\r\nJanuary in an attack against Altran Technologies, an engineering consulting firm operating at a global level, headquartered in\r\nParis, France.\r\nhttps://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nNorCERT warns companies on LockerGoga attack\r\nAccording to media outlet NRK, NorCERT alerted a number of partners about LockerGoga ransomware, warning that Norsk\r\nHydro is one of its victims.\r\nThe notification from Norway's cybersecurity body says that the attack involved Active Directory - used for authenticating\r\nand authorizing all users and systems on a Windows domain type network.\r\n\"NorCERT warns that Hydro is exposed to a LockerGoga attack. The attack was combined with an attack on Active\r\nDirectory (AD),\" reads the alert.\r\nHowever, Håkon Bergsjø, head of NorCERT, would not confirm for NRK that the attack targeted Active Directory servers in\r\nthe case of Norsk Hydro.\r\nBleepingComputer reached out to NorCERT but received no reply at the time of publishing.\r\nIn an 18-minute press conference today, the director of the Norwegian cybersecurity authority declined to publicly name\r\nLockerGoga as the culprit for the attack on Hydro. However, the director said that an infection with this ransomware is one\r\nof the theories.\r\nInformation about the malware is now collected through collaboration at national and international level.\r\nNorsk Hydro mum on attack details\r\nIn public statements today, Norsk Hydro did not comment on the nature of the attack but described a critical situation of an\r\nongoing event, saying that they \"are working to contain and neutralize the attack\" with external help.\r\nThe company has notified the relevant authorities and informed in an official update on Facebook that it \"is switching to\r\nmanual operations where possible.\"\r\nEivind Kallevik, Norsk Hydro CFO Eivind Kallevik during the press conference confirmed the ransomware infection.\r\nDescribing the situation as \"quite severe,\" the CFO added that good backup solutions and routines are in place. The main\r\nstrategy is to rely on them to restore all operations to normal and avoid paying the ransom.\r\nProduction losses are minimal, the Kallevik stated. Some facilities are running in manual mode, which implies more people\r\nworking in multiple shifts.\r\nPeople have not been endangered as a result of the cyber attack, which impacted operations in several business areas around\r\nthe globe.\r\nAs of today, the company is able to process all customer order and deliver on them. However, future requests might be\r\naffected because the entire network is currently down - the company website shows a 404 error.. Until the problem is solved,\r\nthe company has been organized to work 24/7.\r\nThe main priority at the moment is to ensure safe operations, limit operational and financial impact, to clean the infected\r\nservers and to reinstall them from backups.\r\nThere is no indication that power plants outside Norway are affected by the incident as all of them have been isolated from\r\nthe company's global network.\r\nUpdate [03.19.19, 11AM EST]: Norsk Hydro held a press conference to offer details about the cyberattack on its network.\r\nThe article has been updated with new information from the company's CFO Eivind Kallevik and the director of the\r\nNorwegian cybersecurity authority.\r\nhttps://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/\r\nhttps://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/" ], "report_names": [ "lockergoga-ransomware-sends-norsk-hydro-into-manual-mode" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434232, "ts_updated_at": 1775791469, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a83e7371b20ea193ecba27a9e6977d24495a1495.pdf", "text": "https://archive.orkl.eu/a83e7371b20ea193ecba27a9e6977d24495a1495.txt", "img": "https://archive.orkl.eu/a83e7371b20ea193ecba27a9e6977d24495a1495.jpg" } }