Norsk Hydro
When LockerGoga encrypted the Norwegian aluminum giant's entire IT estate, the company refused to pay and instead invited journalists into the war room.
In the early hours of March 19, 2019, the Norwegian aluminum producer Norsk Hydro discovered that ransomware called LockerGoga had encrypted file shares and laptops across most of its global operations. The company employed roughly 35,000 people in forty countries. Smelters that ran around the clock were switched to manual operation, with staff working from printed emergency procedures.
A press conference, not a press release
What made Norsk Hydro's response unusual was its visibility. Within hours, the company published a public webcam stream from its head office, held an on-camera press conference, and walked the BBC and other media through what was happening as it happened. It refused to pay the ransom. The company's CFO, Eivind Kallevik, became the face of a model of breach communication very different from the one the industry was used to.
The technical recovery took months and cost roughly seventy million dollars in lost margin and remediation. The attackers, later linked to a Russian crew distributing LockerGoga, netted nothing.
Where the playbook came from
Norsk Hydro had run cyber tabletop exercises with the Norwegian intelligence services in the years prior. The exercises had emphasized continuity of operations during a total IT loss and presumed transparent external communication. When the actual incident arrived, the company executed the plan it had practiced.
What the chronicle remembers
Norsk Hydro is the case the industry now points to when arguing that declining to pay is a viable strategy. The total cost was lower than estimates of what a paid ransom plus remediation would have been, and the reputational outcome was the opposite of what corporate communications playbooks of the time would have predicted.