Recent Ransomware Attacks: Last Week’s Overview

In this article, we bring in the week’s news on the latest ransomware activities, with effects varying across different cases. Most organisations are still coping with the aftermath of these attacks, facing severe hardships. However, there are also few that did manage to recover their services and have repelled the attack.


“We Lost $52 Million,” Claimed by Norsk Hydro

The Norwegian giant Norsk Hydro finally revealed just how devastating the cyberattack in March was to the firm. Through the official announcement, CEO Svein Richard Brandtzæg stated that the company lost close to $52 million as a result of the ransomware. “The cyberattack that hit us on March 19 has affected our entire global organisation, with Extruded Solutions having suffered the most significant operational challenges and financial losses.”

Although the company has cyber insurance, still sales figures suffered greatly. In 2019, Hydro’s quarterly Extruded Solutions unit declined to 333,000 tonnes, 8% down compared to the last year. Additionally, the company stated that it planned for a decline in volumes in this quarter. However, the ransomware attack further decreased unit sales, causing a major loss for the company.

At the same time, CEO Brandtzæg stated that other departments, including bauxite & alumina, primary metal, rolled products and energy, remained relatively unaffected by the crisis. The production remained stable, with actual sales volumes differing little from planned figures.

However, the IT sector is a different story. “IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” Brandtzæg said.

According to various sources, the Lockergoga ransomware is to blame for Norsk Hydro’s situation. The attack itself came after the recent environment-related protests in Brazil regarding the misuse of the natural environment by the company. On March 19th, the ransomware attack took over the organisation’s files, while management refused to pay ransom for their decryption.


Indian Power Supply Utilities hit by Ransomware Attack

On May 2nd, two Indian power supply utilities, Telangana and Andhra Pradesh, experienced ransomware attacks.  Both organisations’ systems are maintained by Tata Consultancy Services (TCS) from Hyderabad. Attackers demanded ransom payments from victims, threatening to either block datasets or release them to the public if demands are not met. Country’s law enforcement has confirmed that all servers were down.

The ransomware was admitted to the system through an email. One of the TCS organisation’s staff members possibly clicked the provided link, spreading the virus and locking computers. The state-owned facilities did not experience data losses due to the existent backup of their files. All services remained operational, with the only exception being the corporate ATM payments system. Both power-oriented organisations were affected by the attack as they share the same service maintenance partner.










As part of the data recovery process, TCS filed a complaint with Cyber Crime Police Station in Hyderabad.  According to the PTI report, attackers demanded a cryptocurrency called bitcoin for the decryption code.

They (ransomware attackers) demanded six Bitcoins. Normally the attackers leave a link for paying the ransom. In this case, the websites were restored to normality even before they sent the link. We are continuing our investigation,” said the Additional Deputy Commissioner of Police (Cyber Crimes) KCS Raghu Vir.

So far, there are no further details to the case because police officials are in the midst of ransomware attack investigation.


A2 Hosting Services Still not Available

A week following the ransomware attack, US-based web hosting provider A2 Hosting still faces issues with services. According to the ZDNet report, crippled operations brought about the dissatisfaction amongst the client base. The attack took place on April 23rd, leading towards a week-long downtime that A2 staff could not resolve.

One of the customers brought questions regarding the company’s security systems. “My business and all my hard work have been gutted within eight days by a hosting company that clearly did not have robust security in place,” he said. “Since the hack, A2 has provided zero information regarding my websites and database. I mean nothing, zero, zilch. I have been left to wait for an hour on hold calling support, to be told we understand your frustrations, but we cannot give you an ETA.”

The attack was carried out within the Singapore-based data centre, spreading towards other Windows server units. A2 took steps to ensure the safety of clients’ networks by shutting down all of its servers but some customers did experience the encryption of their files with a .lock extension. Lawrence Abrams, malware analyst and founder of Bleeping Computer, stated that GlobeImposter 2.0 ransomware strain might be to blame.

Since the incident, A2 representatives maintained the status page, listing out available services in the aftermath of the ransomware attack. So far, US and EU Windows services are fully operational while Singaporean data centre remains down. Data theft motivation remains unclear, with customers impatiently waiting for answers from the company.


Citycomp Lost Crucial Financial Data from Several Large Companies

In April 2019, the German-based IT services provider, Citycomp, experienced a ransomware attack. In a recent press release, the management of the company stated that they succeeded to defect the cyberattack, refusing to pay ransom to hackers. Citycomp, in cooperation with external experts and the State Criminal Police Office of Baden-Württember, implemented security measures, countering the ransomware attack. The company announced that partner systems were not affected at any point of time.

The incident analysis of Deutor Cyber Security Solutions GmbH, G DATA Advanced Analytics GmbH and the Federal State Police Baden-Württemberg showed that at no point any indication for a risk of further infection of customer and partner systems, but for security reasons some of the systems have nevertheless been disconnected.”

However, the still-unknown hacker(s) managed to nab financial data from large companies that were part of the firm’s client base. These include Oracle, Airbus, Toshiba, and Volkswagen. Since the organisation refused to comply with hackers’ demands, customers’ financial data has been published. Dan Tuchler, chief marketing officer at SecurityFirst Corp. stated that although Citycomp has been transparent throughout the whole process, it inevitably took a blow to its reputation.


Verint Systems Defends against Ransomware

Interestingly, Long Island’s cybersecurity firm Verint Systems Inc. was a target of a ransomware attack on April 16th. In the following weeks, the company announced that the attack was successfully repelled, with no data losses or a slowdown of their servers. The firm explained that it protected itself partially through own safety measures. The ransomware itself was detected within 24 hours by the office employees located in Israel, while customer datasets remained safe.











Confirming the attack to Israel’s news platforms TheMarker, Verint officials mentioned that “the company’s defence system identified the attack immediately after it began.” Peter Fante, Verint CAO, went on by explaining that Verint’s Threat Protection System (TPS) pointed out “lateral movement trails and attempts to connect to command and control servers.” With the threat located early on, the firm’s security officers managed to shut down the system and remove the threat within 24 hours.

The nature of the attack is unknown at this point and neither are hacker’s motivations. According to the Ctech analysis, the timing of the attack was at night of April 16th. This is possibly a deliberate move by hackers, since most of the Verint’s executives were travelling outside of the country.


Cleveland Airport’s Officials Finally Talk

After the initial ransomware attack, the Cleveland airport officials have finally spoken out regarding the April 22nd ransomware attack. The incident saw computer systems that ran information screens on the airport shut down. Cleveland’s Mayor Administration continuously downplayed the incident throughout the last week. At the same time, flight and baggage information screens remained to be shut off.

Following the public inquiry, Cleveland’s Chief Information Officer Donald Phillips stated that the organisation did not have intentions on misleading the public. “We were giving you what we knew at the time,” he said. Additionally, Phillips acknowledged that ransomware is to blame for the blank screens. This is the first time airport authorities have pointed out the cyberattack as the main source of the incident.

The malware offered a link for administration to follow but staff members did not respond to it. Instead, the organisation moved to fix the problem by contacting the FBI for further assistance. The official also stated that hackers did not have ransom demands, leaving their motivations unknown. All boards are back online since April 29th. FBI officials made a remark that prosecution of the responsible attackers may take a long time to finalise.


Systems Still Down at Daviess Co. Library

The situation at the Daviess County Public Library seems to indicate that the organisation is at the stand-still. Stuck with server restoration, the Daviess Public Library will feel the effects of the ransomware for a prolonged period of time. Library Director Erin Waller stated that the organisation is putting efforts into “putting back-up systems back into the place, recovering catalogues, and getting patron information updated.”

Currently, each person can fill out only 15 or fewer item requests, significantly slowing down the order process. Thus, the Daviess County Public Library Board of Directors called for an emergency meeting regarding the cyberattack on May 2nd. “We needed the board to vote on and approve three measures geared towards patron satisfaction,” said Library Director Erin Waller. Management decided to cancel all remaining fees under $25 as a “thank you” gift for community’s patience.

If we didn’t do this, the rebooted system would show paid fines as unpaid,” Waller said. “Most of the fines and fees were paid, so we do have that money. We just don’t have that record. Anything we may incur in terms of extra fees from consultants, vendors or employee overtime we hope to have offset through CHUBB.”

However, the representative elaborated that such a move would not mean a major financial blow to the Daviess Library. All files were encrypted by the Cryptolocker ransomware, while attackers demanded payments expressed in cryptocurrency. The Daviess Country representatives mentioned that hackers wanted $30,947, which management refused to pay. Staff members noticed the attack on Sunday, April 8th  while the Daviess County Library remains closed for the duration of the data centre restoration.


Ransomware Attack on Biopharma Company

Cyber criminals are lately targeting pharma businesses, with the latest example being Charles River Co. Occurring in March 2019, the firm’s management finally decided to go public with an announcement regarding the attack. Filling the report to the Securities & Exchange Commission (SEC), the company stated that all points of entry used in the attack are now closed. Moreover, the incident itself was caused by “highly sophisticated, well-resourced intruder,” shutting down organisation’s servers.

So far, the data remains intact, with no evidence of hackers stealing data from Charles River. The management ensured the public that all relevant parties will be contacted regarding the security breach. With financial impacts unknown, the pharma business is in the midst of system’s decryption. However, the company’s officials did not provide details regarding ransom demands.

Promptly upon detection of unusual activity in its information systems in mid-March, the company commenced an investigation into this incident, coordinated with US federal law enforcement, and engaged leading cybersecurity experts,” as stated by Charles River in the SEC filing.



In most cases, ransomware attacks can leave lasting effects on organisations. Norsk Hydro, Daviess Co. Library, A2, and Citycomp all have to endure the server downtime, with their reputations on the line. Furthermore, cyber criminals usually leave very little amount of traces, putting law enforcement on a search for attackers for weeks and even months.

Thus, examples like Verint are important to follow. Cloud backup of data is a crucial layer of protection for when a system experiences an encryption attack. Files safely copied away from the computer storage can be used to restore the network.

BOBcloud can backup any of your systems running Microsoft, MAC or Linux. We also have modules to backup OneDrive, Exchange and SharePoint on Office 365.


2 responses to “Recent Ransomware Attacks: Last Week’s Overview”

  1. John Mathews says:

    Ouch! A lot of cybercrime

  2. John Mathews says:

    Useful content which gets to the point

Leave a Reply

Your email address will not be published. Required fields are marked *
The Old Sorting Office, Corsham, Wiltshire SN13 9AA
Tel: 0800 907 8238