Anatomy of a Breach: Norsk Hydro — LockerGoga Ransomware Shuts Down a Global Aluminium Manufacturer

> series: anatomy_of_a_breach —— part: 123 —— target: norsk_hydro —— ransomware: lockergoga —— cost: $75,000,000 —— ransom_paid: none

Hedgehog Security 31 March 2019 14 min read

A global aluminium manufacturer. Manual smelting operations. $75 million to recover. Zero paid in ransom.

On 19 March 2019, Norsk Hydro — one of the world's largest aluminium producers, with operations in 40 countries and 35,000 employees — was hit by LockerGoga ransomware that encrypted IT systems across its global operations. Automated production lines were shut down. Smelting plants — which run continuous processes that cannot simply be stopped — switched to manual operations. Office workers were locked out of all computer systems. The company reverted to paper-based processes across its worldwide operations.

Hydro's response became a benchmark for incident management. The company refused to pay the ransom, communicated transparently with stakeholders through regular press conferences (initially using a backup laptop and 4G connection), and methodically rebuilt its IT infrastructure from backups over the following weeks. CEO Svein Richard Brandtzæg personally fronted communications. The total cost exceeded $75 million — but the company's reputation emerged enhanced rather than damaged, because of how it handled the crisis.


When ransomware hits a smelter, you cannot just 'switch it off'.

Aluminium smelting is a continuous process — molten metal at 960°C cannot be safely stopped and restarted. When LockerGoga encrypted Hydro's IT systems, the smelting plants could not simply shut down — they had to continue operating with manual controls, paper records, and verbal communication. This is the nightmare scenario for manufacturing: ransomware that disrupts not just IT but physical production processes with safety implications.

IT/OT Convergence Risk

Hydro's IT systems were encrypted; its OT (operational technology) systems in the smelters continued running but without the IT-dependent automation, monitoring, and quality control systems. This IT/OT dependency is the same convergence risk identified in our <a href="/blog/anatomy-of-a-breach-stuxnet">Stuxnet</a> (2010) and <a href="/blog/sector-under-the-microscope-manufacturing">manufacturing sector</a> analyses. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses IT/OT boundary security.

Exemplary Incident Response

Hydro's transparency — holding press conferences, publishing recovery progress updates, and refusing to pay — was widely praised as a model for corporate incident response. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response planning and execution capability that enables this standard of crisis management.

Rebuilt from Backups

Hydro recovered without paying because it had functional backups. The recovery took weeks and cost $75 million — but the alternative (paying an unknown amount to criminals with no guarantee) was worse. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates backup integrity and recovery procedures.

$75 Million Recovery vs Unknown Ransom

The $75 million recovery cost was enormous — but Hydro's insurance covered a significant portion, and the company's reputation was preserved. Paying the ransom would have funded further attacks and provided no guarantee of recovery. <a href="/cyber-essentials">Cyber Essentials</a> reduces the risk of ransomware infection in the first place.

Ransomware against manufacturing has physical consequences.

The Norsk Hydro attack confirmed what Stuxnet (2010), Shamoon (2012), and the Ukraine power grid attack (2015) had established: cyber attacks against industrial and manufacturing operations can have physical consequences. For UK manufacturers, the Hydro case is directly relevant — and the defence requires both IT security (patching, MFA, monitoring) and OT resilience (manual operation procedures, IT/OT segmentation, tested recovery plans).

Cyber Essentials certification establishes an IT security baseline. Our infrastructure penetration testing includes IT/OT boundary assessment. SOC in a Box for Manufacturing and Engineering provides 24/7 monitoring across IT and OT environments. And UK Cyber Defence provides the incident response and crisis management capability that Hydro demonstrated so effectively.


Norsk Hydro: $75 million, zero ransom paid, reputation enhanced. Could your manufacturing operation say the same?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates IT/OT security and backup integrity. <a href="https://www.socinabox.co.uk/sectors/engineering-contractors">SOC in a Box for Manufacturing</a> monitors 24/7. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages the crisis.
