Norsk Hydro LockerGoga ransomware
Aluminium producer Norsk Hydro lost most of its global IT estate to the LockerGoga ransomware. Hydro publicly refused to pay, ran operations on paper for weeks, and set the editorial standard for transparent incident communication.
- Victim: Norsk Hydro
- Loss: $75.0M
In the early hours of 19 March 2019, Norsk Hydro, one of the world's largest aluminium producers with operations in over 40 countries, discovered that the LockerGoga ransomware was encrypting its global IT estate. Within hours, Hydro had taken the unusual decision to disconnect all global IT systems to halt the spread, then held a televised press conference in its Oslo headquarters lobby to publicly explain what had happened and to commit to not paying the ransom.
The Hydro response became the gold-standard editorial template for transparent ransomware communication.
What happened
LockerGoga operators entered Hydro's network in approximately December 2018 via a spearphishing email with a trojanized invoice attachment that dropped a Cobalt Strike beacon. Over the following three months they:
- Established persistence across Hydro's Active Directory environment.
- Obtained domain administrator credentials.
- Mapped Hydro's global IT estate spanning operations in Norway, Germany, the Netherlands, the United States, Brazil, Australia, and 35+ other countries.
At 23:30 CET on 18 March 2019, the operators deployed LockerGoga. Unlike modern ransomware, LockerGoga had no "double extortion" component: no data exfiltration prior to encryption, no leak site. It was pure encryption-and-ransom, with a comparatively simple deployment via SMB shares and Active Directory.
By 06:00 CET on 19 March, Hydro's overnight IT operations team in Oslo had detected the encryption underway. Hydro's response was unusually decisive:
- Immediate global IT disconnect: all systems isolated from each other and from external networks within hours.
- Manual operations: aluminium smelters continued production using standby manual procedures; extrusion plants and customer-facing operations reverted to paper.
- Public press conference within hours: held in Hydro's Oslo lobby, broadcast on Norwegian national television, with CFO Eivind Kallevik speaking directly to the camera.
The transparent response
Kallevik's press conference established what subsequent ransomware-incident communications would aspire to:
- Direct acknowledgement of the attack as ransomware, by name.
- Explicit statement that Hydro would not pay.
- Concrete operational status: which plants were affected, which were operating manually, what customers should expect.
- Daily public briefings for the following weeks as recovery progressed.
The decision not to pay was made on day one and held through the recovery. Hydro's insurance covered approximately NOK 30 million (~$3.6 million) of the eventual cost, a small fraction of the total. Most of the cost was uninsured.
Operations on paper
The most-cited operational detail from the Hydro response was the return to paper-based operations at extrusion plants. Plant managers across Europe and North America:
- Took customer orders by phone.
- Tracked production using hand-written shift sheets.
- Sent samples and quality data via courier rather than email.
- Reverted to pre-IT manufacturing procedures that many older employees still remembered from their early careers.
Aluminium smelting itself continued without interruption: the smelting process operates on dedicated industrial-control systems that were not affected by the LockerGoga encryption, and the procedural manuals for full-manual operation had been preserved. The downstream extrusion and customer-facing operations were the disrupted layers.
Impact
- ~22,000 employees affected by IT downtime across 40+ countries.
- All-up cost to Hydro for the calendar year: NOK 800 million ($75 million USD).
- Insurance coverage: ~$3.6 million (only a small share of the loss).
- No data exfiltrated or leaked: LockerGoga did not have a data-leakage component, and no subsequent leak occurred.
Attribution
LockerGoga's operators were not publicly attributed at the time of the Hydro attack. The same operation hit Altran Technologies (France), Hexion, and Momentive in early 2019, and was associated with the MegaCortex ransomware family that followed.
In September 2025, the U.S. DOJ unsealed an indictment against Ukrainian national Volodymyr Tymoshchuk (online persona "Deus") for the LockerGoga and MegaCortex operations. Tymoshchuk remains a fugitive in Russia per public reporting.
Why it matters
Norsk Hydro is the canonical case for transparent ransomware incident communication. It established:
- That public refusal to pay is operationally survivable, given strong leadership commitment and the operational maturity to revert to manual processes.
- That direct CFO/CEO press-conference communication during the first day of an active incident is reputationally beneficial. Hydro's customer trust did not collapse; its share price recovered within weeks; the company's brand emerged enhanced rather than damaged.
- That legacy operational procedures matter: Hydro could revert to paper because the procedures still existed and older employees still knew them. Organisations that have fully eliminated manual fallback procedures cannot replicate this response.
- That insurance coverage of ransomware events is structurally limited. Hydro's $75M loss against $3.6M coverage is a representative ratio for early-2019 cyber policies and a key driver of subsequent insurance-market repricing.
The Hydro response is required reading in incident-communication training and is the most-cited positive example in the canon. Subsequent transparent responses by Maersk (NotPetya), HSE Ireland (Conti), Royal Mail (LockBit), and Medibank (REvil-affiliated) all explicitly cited Hydro as their reference template.
Financial impact
Reported costs in USD
- Business loss: $65.0M
- Remediation: $10.0M
Timeline
LockerGoga operators establish initial access to Norsk Hydro via spearphishing of a Hydro employee in Norway. The phishing email contains a trojanized invoice attachment that drops a Cobalt Strike beacon.
Operators dwell on Hydro's network for approximately three months, harvesting credentials and mapping the environment. Domain admin obtained; Active Directory compromised.
LockerGoga deployment begins. The malware spreads via SMB and Active Directory, encrypting files on Windows endpoints and servers across Hydro's global IT estate.
Hydro's IT operations team in Oslo discovers the encryption underway. Hydro takes the unusual decision to disconnect all global IT systems immediately to halt spread.
Hydro publicly confirms the cyberattack via a televised press conference held in Hydro's lobby. CFO Eivind Kallevik speaks transparently about the impact and Hydro's intent not to pay.
Hydro operations switch to manual processes. Aluminium smelters in Norway continue producing on standby procedures; extrusion plants in Europe and North America revert to paper order processing.
Hydro gradually restores IT systems plant by plant from offline backups. Insurance covers an estimated $3.6M; most of the cost is uninsured.
Hydro reports the total cost as approximately NOK 800M (~$75M USD) for the calendar year.
U.S. DOJ unseals indictment against Ukrainian national Volodymyr Tymoshchuk ('Deus') for the LockerGoga and MegaCortex operations; Tymoshchuk remains a fugitive.