Norsk Hydro Ransomware Attack (2019)

Victim: Norsk Hydro

Attacker/Malware: FIN6’s LockerGoga Ransomware

Industry: Manufacturing

Estimated Cost: ~$75M in losses, global production dropped ~15,000 tons in Q1 2019

Primary Attack Vector: Spear Phishing

Prevention Failure: Weak Credentials, Lack of Segmentation

BlastWave Solution: Network Cloaking, Passwordless Secure Access, and Segmentation

Kill Chain Analysis:

Rapid Lateral Spread and Production Disruption

Norsk Hydro, a global aluminum producer, was hit by the LockerGoga ransomware in March 2019.

After initial access through a spear-phishing campaign, the ransomware spread rapidly across the company’s network, disrupting logistics and production data systems. The company made the strategic decision to shut down affected OT systems and revert to manual production operations, in some cases using paper copies of orders, to limit the spread of the ransomware and prevent permanent damage.

The operational disruption led to an estimated loss of between $40 million and $75 million. The failure was rooted in widespread lateral connectivity between IT and OT domains.

BlastWave Prevention Analysis:

Zero Trust Containment

The LockerGoga wormable ransomware exploited implicit network trust to facilitate its rapid lateral spread.

BlastWave’s microsegmentation would have contained the infection to the initial point of compromise (likely an infected IT workstation). Any attempt by the LockerGoga executable to scan the network or propagate to adjacent OT systems (such as the logistics servers or process control HMIs) would have been met with a cloaked, unresponsive network, as the malware would lack the authenticated identity required to establish a secure tunnel, thereby confining the damage and maintaining the continuity of core OT production.

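To make the containment argument concrete, here is an added blast-radius simulation (not BlastWave code and not Norsk Hydro's real topology; host names, zones and the allow list are constructed). It models a worm with no authenticated identity spreading from an IT workstation under two policies: an implicit-trust flat network, and an identity-gated "cloaked" policy where unauthenticated connection attempts go unanswered while an authorised engineer identity still reaches the HMIs.

```python
from collections import deque

# Constructed inventory of a small IT/OT estate (hypothetical names).
HOSTS = {
    "it-ws-01": "IT", "it-ws-02": "IT", "file-srv": "IT",
    "logistics-srv": "OT", "hmi-line1": "OT", "hmi-line2": "OT",
}

# Identity-based allow list: (authenticated identity, destination host).
ALLOWED_TUNNELS = {
    ("ot-engineer", "hmi-line1"),
    ("ot-engineer", "hmi-line2"),
    ("erp-service", "logistics-srv"),
}

def flat_policy(identity, src, dst):
    # Implicit trust: any host can reach any other host on the routed network.
    return True

def cloaked_policy(identity, src, dst):
    # Cloaked destination: a tunnel is built only for an authenticated identity
    # on the allow list; anonymous scans and connection attempts get no answer.
    return identity is not None and (identity, dst) in ALLOWED_TUNNELS

def simulate_spread(policy, patient_zero):
    """Breadth-first spread of a worm that carries no identity (identity=None).

    Every infected host tries every other host; a host is infected when the
    policy lets the anonymous connection through.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in infected and policy(None, src, dst):
                infected.add(dst)
                queue.append(dst)
    return infected

def blast_radius(policy, patient_zero="it-ws-01"):
    """Infected hosts grouped by zone, sorted for stable comparison."""
    infected = simulate_spread(policy, patient_zero)
    return {zone: sorted(h for h in infected if HOSTS[h] == zone)
            for zone in ("IT", "OT")}
```

Under the flat policy the worm reaches every host in both zones; under the cloaked policy it never leaves the initial workstation, while `cloaked_policy("ot-engineer", "eng-laptop", "hmi-line1")` still returns True for the legitimate operator.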


Take the Next Step

Reading about past failures is only useful if it changes future outcomes. If attackers can see your OT network, they can target it. If they can target it, compliance, safety, and uptime are already at risk.

BlastWave eliminates reconnaissance, initial access, and lateral movement — without agents, without downtime, and without changing IPs, protocols, or PLCs.

Secure Your OT Network