
Hydro is a leading industrial company that builds businesses and partnerships for a more sustainable future. We develop industries that matter to people and society. Since 1905, Hydro has turned natural resources into valuable products for people and businesses, creating a safe and secure workplace for our 31,000 employees in more than 140 locations and 40 countries. Today, we own and operate various businesses and have investments with a base in sustainable industries. Hydro is through its businesses present in a broad range of market segments for aluminium, energy, metal recycling, renewables and batteries, offering a unique wealth of knowledge and competence. Hydro is committed to leading the way towards a more sustainable future, creating more viable societies by developing natural resources into products and solutions in innovative and efficient ways.

Norsk Hydro A.I CyberSecurity Scoring

Norsk Hydro

Company Details

Linkedin ID: norsk-hydro
Employees number: 13,004
Number of followers: 362,637
NAICS: 212
Industry Type: Mining
Homepage: hydro.com
IP Addresses: 10
Company ID: NOR_9295674
Scan Status: Completed

Norsk Hydro Risk Score (AI oriented)

Between 0 and 549

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score when calculating premiums
Norsk Hydro Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Norsk Hydro Company CyberSecurity News & History

Past Incidents: 11
Attack Types: 4

Norsk Hydro
Breach
Severity: 100
Impact: 5
Seen: 03/2023
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Norsk Hydro, one of the world's largest aluminum companies, faced a severe cyberattack that halted production lines at some of its 170 plants and pushed other facilities to switch from computer to manual operations. The incident, caused by LockerGoga ransomware, began with an infected email and eventually affected all 35,000 employees across 40 countries, locking files on thousands of servers and PCs. The financial impact neared $71 million. Despite the crisis, Norsk Hydro refused to pay the ransom, opting for transparency and collaborating with Microsoft's cybersecurity team to restore operations. This approach, contrasting the typical secrecy following such breaches, earned global commendation.

Norsk Hydro
Breach
Severity: 100
Impact: 5
Seen: 03/2019
Rankiteo Explanation
Attack threatening the organization’s existence

Description: In March, Norsk Hydro, one of the world's largest aluminum producers, fell victim to a ransomware attack that brought production to a standstill at some of its 170 plants, forcing others to switch to manual operations. The breach ultimately impacted all 35,000 employees across 40 countries, with the financial toll nearing $71 million. The attack commenced when an employee inadvertently opened a malicious email from a trusted customer. LockerGoga ransomware encrypted files across thousands of the company’s servers and PCs, displaying a ransom note demanding payment in bitcoins for decryption. Norsk Hydro responded by refusing to pay the ransom, collaborating with Microsoft's cybersecurity team to restore operations, and maintaining full transparency about the breach to help others learn from their experience.

Norsk Hydro
Cyber Attack
Severity: 100
Impact: 5
Seen: 03/2023
Rankiteo Explanation
Attack threatening the organization’s existence

Description: In March, Norsk Hydro, one of the world's largest aluminum companies, experienced a significant cyberattack that shut down production lines across its 170 plants, and led to a switch from computer to manual operations at some of its facilities. The attackers used a malware called 'LockerGoga' to encrypt files on thousands of servers and PCs, affecting all 35,000 employees in 40 countries. The financial impact of the attack reached approximately $71 million. The breach occurred due to an employee opening an infected email, leading to a severe compromise of the company's IT infrastructure. Despite the extensive damage, Norsk Hydro chose not to pay the ransom and instead worked on restoring their data from backups and improving their cybersecurity posture with the help of Microsoft's cybersecurity team.

Norsk Hydro
Cyber Attack
Severity: 100
Impact: 5
Seen: 3/2019
Rankiteo Explanation
Attack threatening the organization’s existence

Description: In March 2019, Norsk Hydro, one of the world's largest aluminum companies, suffered a severe ransomware attack that halted production lines and forced some of its 170 plants to switch from computer to manual operations. The breach impacted all 35,000 employees across 40 countries, locking files on thousands of servers and PCs. The financial toll approached $71 million. The breach began when an employee unknowingly opened an infected email from a trusted customer, leading to a widespread LockerGoga ransomware infection. Despite the havoc, Norsk Hydro chose not to pay the ransom, instead opting to restore data from backup servers and enlisting Microsoft's cybersecurity team for support. The company's transparent response to the cyberattack, including daily webcasts and press conferences, was widely praised.

Norsk Hydro
Ransomware
Severity: 100
Impact: 5
Seen: 6/2019
Rankiteo Explanation
Attack threatening the organization’s existence

Description: In 2019, Norsk Hydro, a Norwegian aluminum manufacturing giant, fell victim to a LockerGoga ransomware attack orchestrated by Ukrainian national Volodymyr Viktorovich Tymoshchuk. The attack crippled the company’s global operations, forcing a shift to manual processes across 170 sites in 40 countries. Production lines halted, IT systems were encrypted, and employees resorted to pen-and-paper methods, causing operational chaos and financial losses estimated at $75 million in the first week alone. The attack disrupted supply chains, delayed shipments, and required a months-long recovery effort, including full IT infrastructure rebuilds. While no customer or employee data was confirmed stolen, the business outage and reputational damage were severe. The incident also exposed vulnerabilities in critical industrial control systems, prompting industry-wide cybersecurity overhauls. Tymoshchuk’s ransomware strain was designed to maximize disruption, encrypting files and locking users out of systems until ransom demands—reportedly in the millions of dollars—were met. The attack remains one of the most financially damaging ransomware incidents against a single corporation, illustrating the existential threat such cyberattacks pose to industrial sectors.

Norsk Hydro
Ransomware
Severity: 100
Impact: 5
Seen: 3/2019
Rankiteo Explanation
Attack threatening the organization's existence

Description: Norsk Hydro, a Norwegian aluminium and renewable energy company, was one of the most high-profile victims of the LockerGoga ransomware attack in March 2019, orchestrated by the cybercriminal group linked to Tymoshchuk Volodymyr Viktorovych (alias Deadforz). The attack crippled Hydro’s global operations, forcing the shutdown of smelting plants, production lines, and IT systems across 170 sites in 40 countries. Employees reverted to manual processes, causing massive operational disruptions, delayed shipments, and financial losses estimated at $40–71 million in the first week alone. The ransomware encrypted critical files, halting automated production and supply chain coordination. Hydro refused to pay the ransom, instead investing in full system restoration—a process that took weeks to months for complete recovery. The attack exposed vulnerabilities in industrial control systems (ICS) and highlighted the catastrophic risk of ransomware on manufacturing sectors. While no direct data breach of customer or employee records was confirmed, the operational paralysis threatened Hydro’s market position and triggered industry-wide alarms about cyber-physical risks in heavy industries. The incident remains a benchmark for ransomware’s potential to disrupt global supply chains and served as a catalyst for stricter cybersecurity regulations in critical infrastructure sectors.

Norsk Hydro
Ransomware
Severity: 100
Impact: 5
Seen: 3/2019
Rankiteo Explanation
Attack threatening the organization’s existence

Description: In March 2019, Norsk Hydro, a global aluminum company, was hit by LockerGoga ransomware affecting all 35,000 employees across 40 countries, disrupting production lines, and forcing manual operations. The financial impact was near $71 million as hackers deployed the ransomware through a trusted customer's infected email opened by a Norsk Hydro employee. Despite the severity, Norsk Hydro made three decisions: refusing to pay the ransom, collaborating with Microsoft’s cybersecurity team to restore operations, and maintaining transparency throughout the crisis. This approach of sharing their experience publicly received worldwide praise.

Norsk Hydro
Ransomware
Severity: 100
Impact: 5
Seen: 03/2021
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Norsk Hydro, a global aluminum company, experienced a severe ransomware attack that ceased operations at some of its 170 plants. The breach impacted all 35,000 employees across 40 countries by locking files on thousands of servers and PCs. Initiated by an infected email from a customer, the breach allowed hackers to plant LockerGoga ransomware, leading to financial damages nearing $71 million. The company's transparency and decision not to pay the ransom were acclaimed by security experts, and they leaned on Microsoft's cybersecurity team for recovery and restoration.

Norsk Hydro
Ransomware
Severity: 100
Impact: 6
Seen: 3/2019
Rankiteo Explanation
Attack threatening the economy of a geographical region

Description: Norwegian aluminum producer Norsk Hydro fell victim to a ransomware attack in March 2019. The attack affected its worldwide operations as the company took preventive steps to contain the attack. The attack cost about 800 million and 1 billion to the company as the attackers logged employees out of company systems and made it impossible for them to work.

Norsk Hydro
Vulnerability
Severity: 100
Impact: 5
Seen: 03/2019
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Norsk Hydro, one of the world's largest aluminum companies, faced a severe cyberattack in March, ultimately affecting all 35,000 employees across 40 countries. The attack, initiated by an infected email from a trusted customer, caused production lines to halt and forced some facilities to switch to manual operations. The financial impact approached $71 million. Despite the scale of the attack, the company chose not to pay the ransom, instead opting to restore data from backup servers and seek assistance from Microsoft's cybersecurity team. Norsk Hydro's transparent response to the breach was praised for helping to expose the tactics of cyber criminals and possibly preventing similar future threats.

Norsk Hydro
Vulnerability
Severity: 100
Impact: 5
Seen: 03/2023
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Norsk Hydro, one of the world's largest aluminum companies, faced a significant cyberattack in March, affecting all 35,000 employees across 40 countries. An employee's opening of an infected email from a trusted customer initiated the breach, leading to the encryption of thousands of servers and PCs. This action rendered production lines at some of its 170 plants inoperable, with financial ramifications nearing $71 million. The incident, propelled by the ransomware LockerGoga, forced Norsk Hydro into emergency response, opting against paying the ransom and focusing on restoration and openness. Their strategy included engaging Microsoft’s cybersecurity team for recovery efforts and adopting a transparent communication approach about the breach's details and response, earning global security praise.


Underwriter Stats for Norsk Hydro

Incidents vs Mining Industry Average (This Year)

No incidents recorded for Norsk Hydro in 2025.

Incidents vs All-Companies Average (This Year)

No incidents recorded for Norsk Hydro in 2025.

Incident Types Norsk Hydro vs Mining Industry Avg (This Year)

No incidents recorded for Norsk Hydro in 2025.

Incident History — Norsk Hydro (X = Date, Y = Severity)

Norsk Hydro cyber incidents detection timeline including parent company and subsidiaries


Norsk Hydro Similar Companies

Salzgitter AG

Salzgitter AG ranks among the leading steel technology groups with € 9 billion in external sales, a crude steel capacity of 7 million tons and a workforce of 25,000 employees. It is one of Europe's largest steel producers and the global market leader in the large-diameter pipes business. The Group

Yamana Gold Inc.

Canadian-based gold producer with operations and projects in the Americas.

Aperam

Aperam is a world-leading stainless steel company with sustainability at its heart. Since its launch in 2011, Aperam has become an undisputable global player in stainless, electrical, and specialty steel. With a flat stainless and electrical steel production capacity of 2.5 million tonnes in Brazil

Eramet

Committed to sustainable metals. Eramet transforms the Earth's mineral resources to provide sustainable and responsible solutions for the growth of industry and the challenges of the energy transition. Its employees commit to this through their civic-minded and contributive approach

SUEK

A major producer of thermal coal: no. 1 in Russia. In 2008, the production volume was 96.2 million tons. One of the main coal exporters: no. 1 in Russia. One of the key private investors in the power generation sector. One of the major job providers in the country: about 46,000 employees in 10 reg

First Quantum Minerals

First Quantum Minerals Ltd. is a global mining company producing copper and nickel, as well as gold and cobalt. Our growing portfolio of operations and projects spans four continents and employs around 20,000 people. We are well-known for our ‘can do’ attitude and specialist technical, project mana

Glencore

Glencore is one of the world’s largest global diversified natural resource companies and a major producer and marketer of more than 60 commodities that advance everyday life. Through a network of assets, customers and suppliers that spans the globe, we produce, process, recycle, source, market and d

Alcoa

Alcoa (NYSE: AA) is a global industry leader in bauxite, alumina and aluminum products with a vision to reinvent the aluminum industry for a sustainable future. With a values-based approach that encompasses integrity, operating excellence, care for people and courageous leadership, our purpose is to

Gerdau

With a history spanning 122 years, Gerdau is Brazil's largest steel producer, one of the leading producers of long steel in the Americas and of special steel in the world. In Brazil, Gerdau also produces flat steel and iron ore for its own use. Gerdau also has a new business division, Gerdau Next, w


Norsk Hydro CyberSecurity News

September 10, 2025 07:00 AM
Uncle Sam indicts alleged ransomware kingpin tied to $18B in damages

A Ukrainian national faces serious federal charges and an $11 million bounty after allegedly orchestrating ransomware operations that caused...

September 10, 2025 07:00 AM
U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years

Volodymyr Tymoshchuk has been indicted by the United States for his involvement in ransomware crimes that stole an estimated $18 billion...

June 30, 2025 07:00 AM
Hackers Breach Norwegian Dam, Triggering Full Valve Opening

Hackers successfully took control of critical operational systems at a dam facility near Risevatnet in Bremanger, Norway, during April.

April 28, 2025 07:00 AM
How to go analogue during a cyber crisis

When ransomware knocks businesses offline, it's often trusty old pen and paper that comes to the rescue. Preparing for this switch to analogue can help...

December 24, 2024 08:00 AM
How to Get a Cybersecurity Analyst Role in Norway?

To secure a cybersecurity analyst role in Norway, start with a bachelor's in computer science and obtain certifications like CISSP and CEH.

December 24, 2024 08:00 AM
Top In-Demand CyberSecurity Jobs for Beginners in Norway

Norway's cybersecurity job market is booming, with a projected 7.04% annual growth until 2029, creating opportunities in tech,...

December 24, 2024 08:00 AM
Norway Cybersecurity Job Market: Trends and Growth Areas for 2024

Norway's cybersecurity job market is set to expand significantly in 2024, valued at $821.50 million. Key growth areas include cloud security, incident response...

October 27, 2024 04:06 PM
Critical Infrastructure Reps Fear What Hackers Might Do to Them in 2019

Incidents like the attack on Norsk Hydro are expected to grow more common, according to a survey on cybersecurity trends in industries using industrial...

October 26, 2024 10:54 PM
Ransomware blitzkrieg has already cost Norsk Hydro $40 million

The ransomware attack on Norsk Hydro reported last week has so far cost the company NOK 300-350 million or around $40 million (€36 million).


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Norsk Hydro CyberSecurity History Information

Official Website of Norsk Hydro

The official website of Norsk Hydro is http://www.hydro.com.

Norsk Hydro’s AI-Generated Cybersecurity Score

According to Rankiteo, Norsk Hydro’s AI-generated cybersecurity score is 451, reflecting their Critical security posture.

How many security badges does Norsk Hydro have?

According to Rankiteo, Norsk Hydro currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Norsk Hydro have SOC 2 Type 1 certification?

According to Rankiteo, Norsk Hydro is not certified under SOC 2 Type 1.

Does Norsk Hydro have SOC 2 Type 2 certification?

According to Rankiteo, Norsk Hydro does not hold a SOC 2 Type 2 certification.

Does Norsk Hydro comply with GDPR?

According to Rankiteo, Norsk Hydro is not listed as GDPR compliant.

Does Norsk Hydro have PCI DSS certification?

According to Rankiteo, Norsk Hydro does not currently maintain PCI DSS compliance.

Does Norsk Hydro comply with HIPAA?

According to Rankiteo, Norsk Hydro is not compliant with HIPAA regulations.

Does Norsk Hydro have ISO 27001 certification?

According to Rankiteo, Norsk Hydro is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Norsk Hydro

Norsk Hydro operates primarily in the Mining industry.

Number of Employees at Norsk Hydro

Norsk Hydro employs approximately 13,004 people worldwide.

Subsidiaries Owned by Norsk Hydro

Norsk Hydro presently has no subsidiaries across any sectors.

Norsk Hydro’s LinkedIn Followers

Norsk Hydro’s official LinkedIn profile has approximately 362,637 followers.

NAICS Classification of Norsk Hydro

Norsk Hydro is classified under the NAICS code 212, which corresponds to Mining (except Oil and Gas).

Norsk Hydro’s Presence on Crunchbase

Yes, Norsk Hydro has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/norsk-hydro.

Norsk Hydro’s Presence on LinkedIn

Yes, Norsk Hydro maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/norsk-hydro.

Cybersecurity Incidents Involving Norsk Hydro

As of November 27, 2025, Rankiteo reports that Norsk Hydro has experienced 11 cybersecurity incidents.

Number of Peer and Competitor Companies

Norsk Hydro has an estimated 3,667 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Norsk Hydro ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach, Ransomware, Vulnerability and Cyber Attack.

What was the total financial impact of these incidents on Norsk Hydro ?

Total Financial Loss: The total financial loss from these incidents is estimated to be $818.67 billion.

How does Norsk Hydro detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through containment measures: preventive steps to contain the attack, network isolation, pre-encryption notifications by law enforcement; third-party assistance: Microsoft's cybersecurity team, law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender), Europol, international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US); remediation measures: data restoration from backups, restoring data from backups, restore data from backup servers, decryptor tools (No More Ransomware Project); recovery measures: improving cybersecurity posture, restoration of systems, system rebuilds, enhanced security protocols; and communication strategy: daily webcasts and press conferences, transparency, transparent communication about the breach's details and response, transparent response, full transparency, public indictment announcement, victim notifications, public engagement via EU Most Wanted portal, media releases by Europol/US DOJ.

Incident Details

Can you provide details on each incident ?

Incident : Ransomware

Title: Ransomware Attack on Norsk Hydro

Description: Norwegian aluminum producer Norsk Hydro fell victim to a ransomware attack in March 2019. The attack affected its worldwide operations as the company took preventive steps to contain it. The attack cost the company about 800 million to 1 billion, as the attackers logged employees out of company systems and made it impossible for them to work.

Date Detected: March 2019

Type: Ransomware

Incident : Ransomware

Title: Norsk Hydro Ransomware Attack

Description: Norsk Hydro, a major aluminum company, experienced a ransomware attack in March 2019 that disrupted production lines and forced manual operations. The attack affected 35,000 employees across 40 countries, resulting in a financial loss of approximately $71 million. The breach was initiated by an employee opening an infected email, leading to the spread of the LockerGoga ransomware. Norsk Hydro did not pay the ransom, choosing instead to restore data from backups with the help of Microsoft's cybersecurity team.

Date Detected: March 2019

Type: Ransomware

Attack Vector: Phishing Email

Motivation: Financial Gain

Incident : Ransomware

Title: Norsk Hydro Ransomware Attack

Description: Norsk Hydro faced a severe cyberattack that halted production lines at some of its 170 plants and pushed other facilities to switch from computer to manual operations.

Type: Ransomware

Attack Vector: Infected email

Motivation: Financial gain

Incident : Ransomware Attack

Title: Norsk Hydro Ransomware Attack

Description: Norsk Hydro, one of the world's largest aluminum companies, faced a significant cyberattack in March, affecting all 35,000 employees across 40 countries. An employee's opening of an infected email from a trusted customer initiated the breach, leading to the encryption of thousands of servers and PCs. This action rendered production lines at some of its 170 plants inoperable, with financial ramifications nearing $71 million. The incident, propelled by the ransomware LockerGoga, forced Norsk Hydro into emergency response, opting against paying the ransom and focusing on restoration and openness. Their strategy included engaging Microsoft’s cybersecurity team for recovery efforts and adopting a transparent communication approach about the breach's details and response, earning global security praise.

Date Detected: March 2019

Type: Ransomware Attack

Attack Vector: Phishing Email

Motivation: Financial Gain

Incident : Ransomware

Title: Norsk Hydro Ransomware Attack

Description: A significant cyberattack shut down production lines across Norsk Hydro's 170 plants, switching from computer to manual operations at some facilities. The attackers used 'LockerGoga' malware to encrypt files on thousands of servers and PCs, affecting all 35,000 employees in 40 countries. The breach occurred due to an employee opening an infected email, leading to a severe compromise of the company's IT infrastructure. Despite the extensive damage, Norsk Hydro chose not to pay the ransom and instead worked on restoring their data from backups and improving their cybersecurity posture with the help of Microsoft's cybersecurity team.

Date Detected: March

Type: Ransomware

Attack Vector: Email

Vulnerability Exploited: Phishing

Motivation: Financial

Incident : Cyberattack

Title: Norsk Hydro Ransomware Attack

Description: Norsk Hydro, one of the world's largest aluminum companies, faced a severe cyberattack in March, ultimately affecting all 35,000 employees across 40 countries. The attack, initiated by an infected email from a trusted customer, caused production lines to halt and forced some facilities to switch to manual operations. The financial impact approached $71 million. Despite the scale of the attack, the company chose not to pay the ransom, instead opting to restore data from backup servers and seek assistance from Microsoft's cybersecurity team. Norsk Hydro's transparent response to the breach was praised for helping to expose the tactics of cyber criminals and possibly preventing similar future threats.

Date Detected: March 2019

Type: Cyberattack

Attack Vector: Phishing Email

Motivation: Financial

Incident : Ransomware

Title: Ransomware Attack on Norsk Hydro

Description: Norsk Hydro, one of the world's largest aluminum producers, was hit by a ransomware attack that impacted production at its plants and forced others to switch to manual operations.

Date Detected: March 2019

Type: Ransomware

Attack Vector: Malicious email

Motivation: Financial gain

Incident : Ransomware

Title: Norsk Hydro Ransomware Attack

Description: In March 2019, Norsk Hydro, a global aluminum company, was hit by LockerGoga ransomware affecting all 35,000 employees across 40 countries, disrupting production lines, and forcing manual operations. The financial impact was near $71 million as hackers deployed the ransomware through a trusted customer's infected email opened by a Norsk Hydro employee. Despite the severity, Norsk Hydro made three decisions: refusing to pay the ransom, collaborating with Microsoft’s cybersecurity team to restore operations, and maintaining transparency throughout the crisis. This approach of sharing their experience publicly received worldwide praise.

Date Detected: March 2019

Type: Ransomware

Attack Vector: Email

Motivation: Financial

Incident : Ransomware Attack

Title: Norsk Hydro Ransomware Attack

Description: Norsk Hydro, a global aluminum company, experienced a severe ransomware attack that ceased operations at some of its 170 plants. The breach impacted all 35,000 employees across 40 countries by locking files on thousands of servers and PCs. Initiated by an infected email from a customer, the breach allowed hackers to plant LockerGoga ransomware, leading to financial damages nearing $71 million. The company's transparency and decision not to pay the ransom were acclaimed by security experts, and they leaned on Microsoft's cybersecurity team for recovery and restoration.

Type: Ransomware Attack

Attack Vector: Infected Email

Motivation: Financial Gain

Incident : ransomware

Title: Indictment of Ukrainian National Volodymyr Viktorovich Tymoshchuk for Ransomware Attacks Using LockerGoga, MegaCortex, and Nefilim

Description: A U.S. federal court unsealed a May 2024 indictment charging Ukrainian national Volodymyr Viktorovich Tymoshchuk (alias: deadforz, Boba, msfv, farnetwork) for his alleged role as an administrator of ransomware strains LockerGoga, MegaCortex, and Nefilim. Between December 2018 and October 2021, Tymoshchuk targeted hundreds of organizations in the U.S. and Europe, causing millions in damages. Notable victims include Norsk Hydro (2019 LockerGoga attack, $104M in damages), Altran, Hexion, and Momentive. Tymoshchuk is currently a fugitive with an $11M U.S. State Department reward for information leading to his arrest. He faces charges including conspiracy to commit fraud, intentional damage to protected computers, and transmitting threats to disclose confidential information. Law enforcement disrupted some attacks by notifying victims pre-encryption. Decryptors for LockerGoga (2022) and MegaCortex (2023) were later released via the No More Ransomware Project. Europol-led operations in 2021 and 2023 resulted in arrests of 12+ affiliates across multiple countries.

Date Publicly Disclosed: 2024-05-28

Type: ransomware

Attack Vector: exploiting known vulnerabilities, pre-existing malware infections (e.g., Emotet, Qakbot), targeted phishing/social engineering

Threat Actor: Name: Volodymyr Viktorovich Tymoshchuk; Aliases: deadforz, Boba, msfv, farnetwork; Nationality: Ukrainian; Affiliation: LockerGoga, MegaCortex, Nefilim ransomware groups; Status: fugitive; Reward: $11 million (U.S. State Department)

Motivation: financial gain (extortion)

Incident : ransomware attack

Title: LockerGoga, MegaCortex, and Nefilim Ransomware Campaigns Linked to Fugitive Tymoshchuk Volodymyr Viktorovych

Description: A Ukrainian man, Tymoshchuk Volodymyr Viktorovych (aliases: Deadforz, Boba, Farnetwork, Msfv, Volotmsk), is wanted for deploying LockerGoga, MegaCortex, and Nefilim ransomware between 2018–2021. The campaigns targeted over 250 companies (primarily in the US) and caused an estimated $18 billion in global damages. Victims faced extortion demands or operational disruption. Tymoshchuk is linked to an organized crime network with roles including malware development, intrusion, and money laundering. He remains at large, with a $11 million US bounty for his capture. Several associates have been arrested in Ukraine.

Date Publicly Disclosed: 2025-09-09

Type: ransomware attack

Attack Vector: malware deployment, network intrusion, data encryption

Threat Actor: Name: Tymoshchuk Volodymyr Viktorovych; Aliases: Deadforz, Boba, Farnetwork, Msfv, Volotmsk; Affiliation: Organized crime network (malware developers, intrusion experts, money launderers); Nationality: Ukrainian; Physical Description: height 180 cm, eye color brown, languages: Ukrainian; Date Of Birth: 1996-10-02; Status: Fugitive (wanted by France for computer crimes, extortion, racketeering; US charges for ransomware administration); Bounty: $11 million (US Department of Justice)

Motivation: financial gain, extortion, disruption of business operations

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Ransomware.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Phishing Email, Infected email from a trusted customer, Infected email, Malicious email, Trusted customer's infected email, Infected email from a customer, exploited vulnerabilities, pre-existing malware (Emotet/Qakbot) and compromised credentials.

Impact of the Incidents

What was the impact of each incident ?

Incident : Ransomware NOR234225322

Financial Loss: 800 million to 1 billion

Systems Affected: company systems

Operational Impact: worldwide operations

Incident : Ransomware NOR451042824

Financial Loss: $71 million

Systems Affected: Thousands of servers and PCs

Operational Impact: Production lines halted, manual operations

Brand Reputation Impact: Praised for transparent response

Incident : Ransomware NOR505050724

Financial Loss: $71 million

Systems Affected: Production lines, Servers, PCs

Operational Impact: Halted production lines, Switch to manual operations

Brand Reputation Impact: Global commendation for transparency

Incident : Ransomware Attack NOR707050724

Financial Loss: Approximately $71 million

Systems Affected: Thousands of servers and PCs, Production lines at some of its 170 plants

Brand Reputation Impact: Earned global security praise

Incident : Ransomware NOR442050724

Financial Loss: $71 million

Systems Affected: Thousands of servers and PCs

Downtime: Switch from computer to manual operations

Operational Impact: Shutdown of production lines across 170 plants

Incident : Cyberattack NOR443050724

Financial Loss: $71 million

Systems Affected: Production Lines, Manual Operations

Operational Impact: Production lines halted, Facilities switched to manual operations

Brand Reputation Impact: Positive for transparent response

Incident : Ransomware NOR307050724

Financial Loss: $71 million

Systems Affected: servers, PCs

Operational Impact: Production standstill, switch to manual operations

Incident : Ransomware NOR423051324

Financial Loss: $71 million

Systems Affected: Production lines

Operational Impact: Manual operations

Brand Reputation Impact: Worldwide praise

Incident : Ransomware Attack NOR416051424

Financial Loss: $71 million

Systems Affected: Thousands of servers and PCs

Operational Impact: Ceased operations at some of its 170 plants

Incident : ransomware NOR5602456091025

Financial Loss: $100+ million (estimated, including $104M from LockerGoga alone)

Systems Affected: hundreds of organizations (U.S. and Europe)

Downtime: complete disruption of business operations (varies by victim); Norsk Hydro: weeks of recovery

Operational Impact: severe (encryption of critical systems, halted production)

Brand Reputation Impact: high (publicized attacks on major firms like Norsk Hydro)

Legal Liabilities: potential lawsuits from victims, regulatory fines (if applicable)

Identity Theft Risk: high (if PII was exfiltrated)

Payment Information Risk: high (if financial data was exfiltrated)

Incident : ransomware attack NOR1832118091625

Financial Loss: $18 billion (estimated global damages)

Systems Affected: 250+ companies (primarily in the US) and additional international victims

Operational Impact: network crippling, business disruption, data leakage threats

Legal Liabilities: potential lawsuits from victims, regulatory penalties

What is the average financial loss per incident ?

Average Financial Loss: The average financial loss per incident is $74.42 billion.

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Corporate Data, Potentially PII/Financial Data (Varies By Victim), Sensitive Corporate Data and Potentially PII.

Which entities were affected by each incident ?

Incident : Ransomware NOR234225322

Entity Name: Norsk Hydro

Entity Type: Company

Industry: Aluminum Production

Location: Norway

Incident : Ransomware NOR451042824

Entity Name: Norsk Hydro

Entity Type: Company

Industry: Aluminum

Location: Global, across 40 countries

Size: 35,000 employees

Incident : Ransomware NOR505050724

Entity Name: Norsk Hydro

Entity Type: Company

Industry: Aluminum production

Location: 40 countries

Size: 35,000 employees

Incident : Ransomware Attack NOR707050724

Entity Name: Norsk Hydro

Entity Type: Aluminum Company

Industry: Manufacturing

Location: 40 countries

Size: 35,000 employees

Incident : Ransomware NOR442050724

Entity Name: Norsk Hydro

Entity Type: Company

Industry: Aluminum

Location: Global (40 countries)

Size: 35,000 employees

Incident : Cyberattack NOR443050724

Entity Name: Norsk Hydro

Entity Type: Company

Industry: Aluminum Production

Location: Global

Size: 35,000 employees

Incident : Ransomware NOR307050724

Entity Name: Norsk Hydro

Entity Type: Corporate

Industry: Aluminum Production

Location: Global

Size: 35,000 employees

Incident : Ransomware NOR423051324

Entity Name: Norsk Hydro

Entity Type: Company

Industry: Aluminum

Location: Global

Size: 35,000 employees

Incident : Ransomware Attack NOR416051424

Entity Name: Norsk Hydro

Entity Type: Global Aluminum Company

Industry: Aluminum

Location: 40 countries

Size: 35,000 employees

Incident : ransomware NOR5602456091025

Entity Name: Norsk Hydro

Entity Type: public company

Industry: aluminum manufacturing

Location: Norway

Size: large (global enterprise)

Incident : ransomware NOR5602456091025

Entity Name: Altran

Entity Type: private company

Industry: engineering consulting

Location: France

Size: large

Incident : ransomware NOR5602456091025

Entity Name: Hexion

Entity Type: private company

Industry: chemical manufacturing

Location: U.S.

Size: large

Incident : ransomware NOR5602456091025

Entity Name: Momentive

Entity Type: private company

Industry: materials science/manufacturing

Location: U.S.

Size: large

Incident : ransomware NOR5602456091025

Entity Name: 250+ U.S. companies (unspecified)

Industry: healthcare, industrial, manufacturing, other sectors

Location: U.S.

Incident : ransomware NOR5602456091025

Entity Name: Hundreds of European organizations (unspecified)

Location: Europe

Incident : ransomware attack NOR1832118091625

Entity Type: private companies, enterprises

Location: United States, France, Germany, Netherlands, Norway, Switzerland, Ukraine, United Kingdom, other international victims

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Ransomware NOR234225322

Containment Measures: preventive steps to contain the attack

Incident : Ransomware NOR451042824

Third Party Assistance: Microsoft's cybersecurity team

Remediation Measures: Data restoration from backups

Communication Strategy: Daily webcasts and press conferences

Incident : Ransomware NOR505050724

Third Party Assistance: Microsoft's cybersecurity team

Communication Strategy: Transparency

Incident : Ransomware Attack NOR707050724

Third Party Assistance: Microsoft’s cybersecurity team

Communication Strategy: Transparent communication about the breach's details and response

Incident : Ransomware NOR442050724

Third Party Assistance: Microsoft's cybersecurity team

Remediation Measures: Restoring data from backups

Recovery Measures: Improving cybersecurity posture

Incident : Cyberattack NOR443050724

Third Party Assistance: Microsoft's cybersecurity team

Remediation Measures: Restore data from backup servers

Communication Strategy: Transparent response

Incident : Ransomware NOR307050724

Third Party Assistance: Microsoft's cybersecurity team

Communication Strategy: Full transparency

Incident : Ransomware NOR423051324

Third Party Assistance: Microsoft’s cybersecurity team

Communication Strategy: Transparency

Incident : Ransomware Attack NOR416051424

Third Party Assistance: Microsoft's cybersecurity team

Recovery Measures: Restoration of systems

Communication Strategy: Transparency

Incident : ransomware NOR5602456091025

Incident Response Plan Activated: True

Third Party Assistance: law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender)

Containment Measures: network isolation, pre-encryption notifications by law enforcement

Remediation Measures: data restoration from backups, decryptor tools (No More Ransomware Project)

Recovery Measures: system rebuilds, enhanced security protocols

Communication Strategy: public indictment announcement, victim notifications

Incident : ransomware attack NOR1832118091625

Incident Response Plan Activated: True

Third Party Assistance: Europol, international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US)

Communication Strategy: public engagement via EU Most Wanted portal, media releases by Europol/US DOJ

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Microsoft's cybersecurity team, law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender), Europol, and international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Ransomware NOR442050724

Data Encryption: Files encrypted

Incident : Ransomware Attack NOR416051424

Data Encryption: Files locked by ransomware

Incident : ransomware NOR5602456091025

Type of Data Compromised: Corporate data, Potentially PII/financial data (varies by victim)

Sensitivity of Data: high (industrial/proprietary data, possible PII)

Data Encryption: True

Personally Identifiable Information: likely (in some cases)

Incident : ransomware attack NOR1832118091625

Type of Data Compromised: Sensitive corporate data, Potentially PII

Sensitivity of Data: High (threats of data leakage used for extortion)

Data Encryption: True

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: data restoration from backups, restoring data from backups, restore data from backup servers, and decryptor tools (No More Ransomware Project).

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through preventive steps to contain the attack, network isolation and pre-encryption notifications by law enforcement.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Ransomware NOR451042824

Ransom Paid: No

Ransomware Strain: LockerGoga

Incident : Ransomware NOR505050724

Ransom Paid: None

Ransomware Strain: LockerGoga

Incident : Ransomware Attack NOR707050724

Ransom Paid: Not paid

Ransomware Strain: LockerGoga

Data Encryption: Thousands of servers and PCs

Incident : Ransomware NOR442050724

Ransom Paid: No

Ransomware Strain: LockerGoga

Data Encryption: Yes

Incident : Cyberattack NOR443050724

Ransom Paid: No

Incident : Ransomware NOR307050724

Ransom Demanded: Bitcoins

Ransom Paid: Refused to pay

Ransomware Strain: LockerGoga

Data Encryption: Files encrypted

Incident : Ransomware NOR423051324

Ransom Paid: Refused to pay

Ransomware Strain: LockerGoga

Incident : Ransomware Attack NOR416051424

Ransom Paid: No

Ransomware Strain: LockerGoga

Data Encryption: Yes

Incident : ransomware NOR5602456091025

Ransomware Strain: LockerGoga, MegaCortex, Nefilim

Data Encryption: True

Data Exfiltration: True

Incident : ransomware attack NOR1832118091625

Ransom Demanded: True

Ransomware Strain: LockerGoga, MegaCortex, Nefilim

Data Encryption: True

Data Exfiltration: True

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through improving cybersecurity posture, restoration of systems, system rebuilds and enhanced security protocols.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : ransomware NOR5602456091025

Legal Actions: U.S. indictment (2024), extradition of affiliate Artem Stryzhak (2024), Europol-led arrests (2021, 2023)

Incident : ransomware attack NOR1832118091625

Legal Actions: US indictment for ransomware administration, French charges for computer crimes, extortion, racketeering

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through U.S. indictment (2024), extradition of affiliate Artem Stryzhak (2024), Europol-led arrests (2021, 2023), US indictment for ransomware administration, and French charges for computer crimes, extortion, racketeering.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Ransomware NOR451042824

Lessons Learned: Transparent communication and public trust

Incident : ransomware NOR5602456091025

Lessons Learned: Proactive law enforcement notifications can disrupt ransomware deployment. Decryptor tools (e.g., via No More Ransomware) mitigate damage post-attack. Complex ransomware operations rely on specialized teams (e.g., vulnerability exploitation, lateral movement). International cooperation is critical for dismantling cybercriminal networks.

What recommendations were made to prevent future incidents ?

Incident : ransomware NOR5602456091025

Recommendations: Implement robust backup and recovery plans to mitigate ransomware impact. Monitor for known vulnerabilities and patch exposed infrastructure promptly. Deploy network segmentation to limit lateral movement by attackers. Participate in threat intelligence sharing (e.g., with law enforcement, ISACs). Train employees on recognizing phishing/social engineering tactics.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: Transparent communication and public trust. Proactive law enforcement notifications can disrupt ransomware deployment. Decryptor tools (e.g., via No More Ransomware) mitigate damage post-attack. Complex ransomware operations rely on specialized teams (e.g., vulnerability exploitation, lateral movement). International cooperation is critical for dismantling cybercriminal networks.

References

Where can I find more information about each incident ?

Incident : ransomware NOR5602456091025

Source: U.S. Department of Justice

Date Accessed: 2024-05-28

Incident : ransomware NOR5602456091025

Source: Recorded Future News

Date Accessed: 2024-05-28

Incident : ransomware NOR5602456091025

Source: Bitdefender Threat Research

Incident : ransomware NOR5602456091025

Source: Europol Press Releases (2021, 2023)

Incident : ransomware attack NOR1832118091625

Source: Europol Press Release

Date Accessed: 2025-09-09

Incident : ransomware attack NOR1832118091625

Source: EU Most Wanted Portal

Date Accessed: 2025-09-09

Incident : ransomware attack NOR1832118091625

Source: US Department of Justice Indictment

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at: U.S. Department of Justice (Date Accessed: 2024-05-28), Recorded Future News (Date Accessed: 2024-05-28), Bitdefender Threat Research, Europol Press Releases (2021, 2023), Europol Press Release (Date Accessed: 2025-09-09), EU Most Wanted Portal (Date Accessed: 2025-09-09), and US Department of Justice Indictment.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : ransomware NOR5602456091025

Investigation Status: ongoing (Tymoshchuk remains at large; affiliate arrests continue)

Incident : ransomware attack NOR1832118091625

Investigation Status: Ongoing (fugitive at large; international manhunt active)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Daily webcasts and press conferences, Transparency, Transparent communication about the breach's details and response, Transparent response, Full transparency, Public Indictment Announcement, Victim Notifications, Public Engagement Via EU Most Wanted Portal and Media Releases By Europol/US DOJ.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : ransomware NOR5602456091025

Stakeholder Advisories: U.S. State Department Reward Notice, DOJ/FBI Public Statements.

Incident : ransomware attack NOR1832118091625

Stakeholder Advisories: Public Urged To Report Tips Via EU Most Wanted Portal.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: U.S. State Department Reward Notice, DOJ/FBI Public Statements and Public Urged To Report Tips Via EU Most Wanted Portal.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Ransomware NOR451042824

Entry Point: Phishing Email

Incident : Ransomware Attack NOR707050724

Entry Point: Infected email from a trusted customer

Incident : Ransomware NOR442050724

Entry Point: Infected email

Incident : Cyberattack NOR443050724

Entry Point: Infected Email

Incident : Ransomware NOR307050724

Entry Point: Malicious email

Incident : Ransomware NOR423051324

Entry Point: Trusted customer's infected email

Incident : Ransomware Attack NOR416051424

Entry Point: Infected email from a customer

Incident : ransomware NOR5602456091025

Entry Point: Exploited Vulnerabilities, Pre-Existing Malware (Emotet/Qakbot), Compromised Credentials

Backdoors Established: True

High Value Targets: Industrial Firms, Healthcare Institutions, Manufacturing Companies

Data Sold on Dark Web: Industrial Firms, Healthcare Institutions, Manufacturing Companies

Incident : ransomware attack NOR1832118091625

High Value Targets: Corporate Networks, Sensitive Data

Data Sold on Dark Web: Corporate Networks, Sensitive Data

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Ransomware NOR451042824

Root Causes: Employee opening infected email

Corrective Actions: Data restoration from backups, third-party support

Incident : Ransomware NOR442050724

Root Causes: Employee opening an infected email

Incident : ransomware NOR5602456091025

Root Causes: Exploitable vulnerabilities in exposed infrastructure; lack of network segmentation allowing lateral movement; effective use of pre-existing malware (e.g., Emotet) for initial access.

Corrective Actions: Release of decryptors via No More Ransomware Project; international law enforcement operations (arrests in 2021, 2023); public indictments to deter future attacks.

Incident : ransomware attack NOR1832118091625

Root Causes: Organized cybercrime collaboration; exploitation of network vulnerabilities; lack of early detection.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Microsoft's cybersecurity team; law enforcement (FBI, Europol, etc.); cybersecurity firms (e.g., Bitdefender); Europol; international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: data restoration from backups, third-party support; release of decryptors via No More Ransomware Project; international law enforcement operations (arrests in 2021, 2023); public indictments to deter future attacks.

Additional Questions

General Information

Has the company ever paid ransoms ?

Ransom Payment History: The company has paid ransoms in the past.

What was the amount of the last ransom demanded ?

Last Ransom Demanded: The amount of the last ransom demanded was Bitcoins.

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was:

Name: Volodymyr Viktorovich Tymoshchuk; Aliases: deadforz, Boba, msfv, farnetwork; Nationality: Ukrainian; Affiliation: LockerGoga, MegaCortex, Nefilim ransomware groups; Status: fugitive; Reward: $11 million (U.S. State Department).

Name: Tymoshchuk Volodymyr Viktorovych; Aliases: Deadforz, Boba, Farnetwork, Msfv, Volotmsk; Affiliation: Organized crime network (malware developers, intrusion experts, money launderers); Nationality: Ukrainian; Physical Description: height 180 cm, eye color brown, languages: Ukrainian; Date of Birth: 1996-10-02; Status: Fugitive (wanted by France for computer crimes, extortion and racketeering; US charges for ransomware administration); Bounty: $11 million (US Department of Justice).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was in March 2019.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-09.

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was $71 million.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were: production lines, servers, PCs; thousands of servers and PCs; production lines at some of its 170 plants; production lines, manual operations; servers, PCs.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Microsoft's cybersecurity team; law enforcement (FBI, Europol, etc.); cybersecurity firms (e.g., Bitdefender); Europol; international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were preventive steps to contain the attack, network isolation, and pre-encryption notifications by law enforcement.

Data Breach Information

Ransomware Information

Regulatory Compliance

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was U.S. indictment (2024), extradition of affiliate Artem Stryzhak (2024), Europol-led arrests (2021, 2023); US indictment for ransomware administration, French charges for computer crimes, extortion, racketeering.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was that international cooperation is critical for dismantling cybercriminal networks.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: train employees on recognizing phishing/social engineering tactics; implement robust backup and recovery plans to mitigate ransomware impact; monitor for known vulnerabilities and patch exposed infrastructure promptly; participate in threat intelligence sharing (e.g., with law enforcement, ISACs); and deploy network segmentation to limit lateral movement by attackers.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Europol Press Releases (2021, 2023), U.S. Department of Justice, EU Most Wanted Portal, US Department of Justice Indictment, Europol Press Release, Recorded Future News and Bitdefender Threat Research.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is ongoing (Tymoshchuk remains at large; affiliate arrests continue).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was U.S. State Department reward notice, DOJ/FBI public statements, and public urged to report tips via EU Most Wanted portal.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were: Infected email, Malicious email, Infected email from a customer, Infected email from a trusted customer, Trusted customer's infected email, and Phishing Email.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: employee opening infected email; employee opening an infected email; exploitable vulnerabilities in exposed infrastructure; lack of network segmentation allowing lateral movement; effective use of pre-existing malware (e.g., Emotet) for initial access; organized cybercrime collaboration; exploitation of network vulnerabilities; lack of early detection.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: data restoration from backups, third-party support; release of decryptors via No More Ransomware Project; international law enforcement operations (arrests in 2021, 2023); public indictments to deter future attacks.


Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=norsk-hydro' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.