One of the world’s largest aluminium makers recently suffered a ransomware attack from an unknown hacker, which halted some of its key operations across 160 plants worldwide, causing a loss of USD 35-41 million in the first week.
Its systems were infected with a strain of ransomware known as LockerGoga, which immediately disrupted some production units. These units included their main source of production, which is still struggling to recover, according to an executive company representative.
Meanwhile, other units, including their primary metals business, were able to switch to manual operation and workaround solutions to resume business as usual.
So far, no safety incidents have been reported for the company's employees.
High production and operational toll
The manufacturer is currently operating at 70% to 80% across three business units — Europe, North America and Tubing. However, this production excludes their building systems business unit, which is not performing at all.
The manufacturer converts aluminium blocks into components for carmakers and builders, among other industries.
This operational standstill could have a detrimental knock-on effect for all of their client companies while employees work hard to restore their IT systems to working order. The company hopes to achieve reasonable levels of production and shipments soon.
Refused to pay ransom demands
The company has publicly refused to give in to the hacker’s demands and pay the ransom, choosing instead to restore their IT systems safely from backup servers and to limit the impact on staff, operations, customers, suppliers, and partners.
This plan involves screening all computers and servers across the business, then cleaning all of those infected with ransomware and rebuilding them from backups.
Public reports of the initial infection show that the attackers did not specify a ransom amount, instead specifying that the amount would depend on how fast the company contacted the criminals.
Firms in this situation have a two-fold decision to make about paying a ransom: one of principle and one of economics.
Some companies decide in advance that their core principles prohibit the payment of any ransom, however small, while others decide to take a balanced view in light of the specific facts of the case.
From an economic perspective, the decision to pay or attempt to recover is generally more straightforward.
Full recovery will take weeks or more
One of the possible consequences of not paying the ransom is that the decryption process and subsequent system recovery could now take longer than if the aluminium manufacturer chose to concede. Current estimations for resuming business as usual are a few weeks or more.
In the meantime, the utility company is focused on getting all relevant IT support functions back up and running, including payroll, treasury and reporting, using interim alternative solutions where necessary and possible.
The company needs to ensure that their C-suite remains engaged throughout the process and that their backup servers remain complete, unaffected by the ransomware and functional before they attempt to restore from them.
The company employed the assistance of experienced technology vendors with specialist knowledge of ransomware to recover their IT systems and prevent further damage.
It hasn’t been revealed yet whether this panel of expert vendors was sourced by their cyber insurer or independently, but most insurers offer this form of breach recovery support.
Unlike some ransomware victims, this manufacturer was prepared for the attack with up-to-date, secure backups, the technology to restore the data from said backups, and a “solid” cyber insurance policy.
They had already moved their email systems to the cloud, which meant that communication continued as usual after the attack via smartphones and tablet devices, despite the system shutdown.
Following the cyber incident, they immediately sprang into action, engaging law enforcement and overseas tech vendors. They also made an admirable effort to keep stakeholders and customers informed throughout the disaster. This public response included daily social media posts and webcasts, including their recent YouTube video.
This proactivity will surely help to soften the reputational blow of the attack.
Unknown if adequate insurance is in place
Since the ransomware attack, their share value has decreased by 1.9% and there has only been a 0.5% increase in Norway’s benchmark stock index.
The majority of their USD 41+ million loss has been the result of lost profit margins and the sheer volume of clients awaiting the manufacturer's output.
Full details of the insurance coverage are yet to be disclosed. As it stands, the company was insured for cyber risks by lead insurer AIG, but the limits and conditions of the policy are unknown. In many cases companies do not purchase adequate cyber insurance to cover catastrophic incidents like this one, even though it is commercially available.
It is prudent to consider incidents like this one when evaluating both the limits and deductibles of cyber insurance programmes.