Norsk Hydro, a Norwegian aluminium and renewable energy company, was one of the most high-profile victims of the **LockerGoga ransomware** attack in **March 2019**, orchestrated by the cybercriminal group linked to **Tymoshchuk Volodymyr Viktorovych (alias Deadforz)**. The attack crippled Hydro’s global operations, forcing the shutdown of **smelting plants, production lines, and IT systems** across **170 sites in 40 countries**. Employees reverted to manual processes, causing **massive operational disruptions**, delayed shipments, and financial losses estimated at **$40–71 million** in the first week alone. The ransomware encrypted critical files, halting automated production and supply chain coordination.

Hydro refused to pay the ransom, instead investing in **full system restoration**—a process that took **weeks to months** for complete recovery. The attack exposed vulnerabilities in industrial control systems (ICS) and highlighted the **catastrophic risk of ransomware on manufacturing sectors**. While no **direct data breach** of customer or employee records was confirmed, the **operational paralysis** threatened Hydro’s market position and triggered industry-wide alarms about cyber-physical risks in heavy industries. The incident remains a benchmark for **ransomware’s potential to disrupt global supply chains** and served as a catalyst for stricter cybersecurity regulations in critical infrastructure sectors.
Source: https://hackread.com/lockergoga-ransomware-eu-most-wanted-list-doj-reward/
TPRM report: https://www.rankiteo.com/company/norsk-hydro
"id": "nor1832118091625",
"linkid": "norsk-hydro",
"type": "Ransomware",
"date": "3/2019",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': ['United States',
'France',
'Germany',
'Netherlands',
'Norway',
'Switzerland',
'Ukraine',
'United Kingdom',
'other international victims'],
'type': ['private companies', 'enterprises']}],
'attack_vector': ['malware deployment',
'network intrusion',
'data encryption'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'sensitivity_of_data': 'High (threats of data leakage used '
'for extortion)',
'type_of_data_compromised': ['sensitive corporate data',
'potentially PII']},
'date_publicly_disclosed': '2025-09-09',
'description': 'A Ukrainian man, Tymoshchuk Volodymyr Viktorovych (aliases: '
'Deadforz, Boba, Farnetwork, Msfv, Volotmsk), is wanted for '
'deploying LockerGoga, MegaCortex, and Nefilim ransomware '
'between 2018–2021. The campaigns targeted over 250 companies '
'(primarily in the US) and caused an estimated $18 billion in '
'global damages. Victims faced extortion demands or '
'operational disruption. Tymoshchuk is linked to an organized '
'crime network with roles including malware development, '
'intrusion, and money laundering. He remains at large, with a '
'$11 million US bounty for his capture. Several associates '
'have been arrested in Ukraine.',
'impact': {'data_compromised': True,
'financial_loss': '$18 billion (estimated global damages)',
'legal_liabilities': ['potential lawsuits from victims',
'regulatory penalties'],
'operational_impact': ['network crippling',
'business disruption',
'data leakage threats'],
'systems_affected': '250+ companies (primarily in the US) and '
'additional international victims'},
'initial_access_broker': {'high_value_targets': ['corporate networks',
'sensitive data']},
'investigation_status': 'Ongoing (fugitive at large; international manhunt '
'active)',
'motivation': ['financial gain',
'extortion',
'disruption of business operations'],
'post_incident_analysis': {'root_causes': ['organized cybercrime '
'collaboration',
'exploitation of network '
'vulnerabilities',
'lack of early detection']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': True,
'ransomware_strain': ['LockerGoga', 'MegaCortex', 'Nefilim']},
'references': [{'date_accessed': '2025-09-09',
'source': 'Europol Press Release'},
{'date_accessed': '2025-09-09',
'source': 'EU Most Wanted Portal'},
{'source': 'US Department of Justice Indictment'}],
'regulatory_compliance': {'legal_actions': ['US indictment for ransomware '
'administration',
'French charges for computer '
'crimes, extortion, '
'racketeering']},
'response': {'communication_strategy': ['public engagement via EU Most Wanted '
'portal',
'media releases by Europol/US DOJ'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': ['Europol',
'international law enforcement '
'agencies (France, Germany, '
'Netherlands, Norway, Switzerland, '
'Ukraine, UK, US)']},
'stakeholder_advisories': ['Public urged to report tips via EU Most Wanted '
'portal'],
'threat_actor': {'affiliation': 'Organized crime network (malware developers, '
'intrusion experts, money launderers)',
'aliases': ['Deadforz',
'Boba',
'Farnetwork',
'Msfv',
'Volotmsk'],
'bounty': '$11 million (US Department of Justice)',
'date_of_birth': '1996-10-02',
'name': 'Tymoshchuk Volodymyr Viktorovych',
'nationality': 'Ukrainian',
'physical_description': {'eye_color': 'brown',
'height': '180 cm',
'languages': ['Ukrainian']},
'status': 'Fugitive (wanted by France for computer crimes, '
'extortion, racketeering; US charges for '
'ransomware administration)'},
'title': 'LockerGoga, MegaCortex, and Nefilim Ransomware Campaigns Linked to '
'Fugitive Tymoshchuk Volodymyr Viktorovych',
'type': ['ransomware attack', 'extortion', 'organized cybercrime']}