Norsk Hydro Ransomware Attack: Lessons Every Manufacturer Must Learn
On 19 March 2019, Norsk Hydro, one of the world's largest aluminium producers, woke up to find LockerGoga ransomware spreading across its global network. Within hours, 22,000 computers at 160 sites in 40 countries were encrypted. The company faced an impossible choice: pay a ransom of unknown size to criminal actors, or rebuild from scratch. They chose to rebuild, an effort that took months and cost over $70 million. Norsk Hydro's response, conducted entirely in public with daily video updates, has become a case study in transparent incident management. Their experience contains essential lessons for every manufacturer.
Norsk Hydro's 2019 ransomware attack cost $70 million and disrupted 160 production sites globally — the company refused to pay and rebuilt entirely from backups.
How the Norsk Hydro Attack Unfolded
The attackers behind LockerGoga entered Norsk Hydro's network months before the ransomware was deployed. Initial access was achieved through a phishing email that compromised credentials, followed by a period of quiet reconnaissance and privilege escalation. When the attackers activated the ransomware, it spread across both IT and OT networks simultaneously. The attack targeted domain controllers first: encrypting these systems maximised disruption and prevented automated recovery. Aluminium smelters were particularly affected: while the physical smelting process could continue manually, the control systems managing the process parameters were encrypted. The company rapidly switched to manual operations at most sites, with some production fully halted.
The Five Most Important Lessons from Norsk Hydro
Five key lessons from Norsk Hydro apply directly to UK manufacturers:
1) Pre-position incident response resources: Norsk Hydro's relationship with Microsoft's DART team enabled rapid expert support; without this relationship, response would have been slower and more expensive.
2) Tested offline backups enable recovery without ransom payment: Norsk Hydro's decision not to pay was only possible because they had backups. Test yours.
3) MFA on all privileged accounts would have stopped lateral movement: the attack exploited domain administrator credentials accessed via compromised workstations.
4) IT-OT segmentation limits production impact: sites with better network segmentation maintained production more effectively.
5) Transparent communication builds trust: Norsk Hydro's daily video updates to customers, investors, and the public were later cited as a model for incident communication.