Company Details
norsk-hydro
13,095
374,060
212
hydro.com
10
NOR_9295674
Completed


Norsk Hydro Vendor Cyber Rating & Cyber Score
hydro.com
Hydro is a leading industrial company that builds businesses and partnerships for a more sustainable future. We develop industries that matter to people and society. Since 1905, Hydro has turned natural resources into valuable products for people and businesses, creating a safe and secure workplace for our 31,000 employees in more than 140 locations and 40 countries. Today, we own and operate various businesses and have investments with a base in sustainable industries. Hydro is through its businesses present in a broad range of market segments for aluminium, energy, metal recycling, renewables and batteries, offering a unique wealth of knowledge and competence. Hydro is committed to leading the way towards a more sustainable future, creating more viable societies by developing natural resources into products and solutions in innovative and efficient ways.
Between 650 and 699

Norsk Hydro Global Score (TPRM)XXXX

Description: In March, Norsk Hydro, one of the world's largest aluminum companies, experienced a significant cyberattack that shut down production lines across its 170 plants, and led to a switch from computer to manual operations at some of its facilities. The attackers used a malware called 'LockerGoga' to encrypt files on thousands of servers and PCs, affecting all 35,000 employees in 40 countries. The financial impact of the attack reached approximately $71 million. The breach occurred due to an employee opening an infected email, leading to a severe compromise of the company's IT infrastructure. Despite the extensive damage, Norsk Hydro chose not to pay the ransom and instead worked on restoring their data from backups and improving their cybersecurity posture with the help of Microsoft's cybersecurity team.
Description: Norsk Hydro, a global aluminum company, experienced a severe ransomware attack that ceased operations at some of its 170 plants. The breach impacted all 35,000 employees across 40 countries by locking files on thousands of servers and PCs. Initiated by an infected email from a customer, the breach allowed hackers to plant LockerGoga ransomware, leading to financial damages nearing $71 million. The company's transparency and decision not to pay the ransom were acclaimed by security experts, and they leaned on Microsoft's cybersecurity team for recovery and restoration.
Description: In 2019, Norsk Hydro, a Norwegian aluminum manufacturing giant, fell victim to a LockerGoga ransomware attack orchestrated by Ukrainian national Volodymyr Viktorovich Tymoshchuk. The attack crippled the company’s global operations, forcing a shift to manual processes across 170 sites in 40 countries. Production lines halted, IT systems were encrypted, and employees resorted to pen-and-paper methods, causing operational chaos and financial losses estimated at $75 million in the first week alone. The attack disrupted supply chains, delayed shipments, and required a months-long recovery effort, including full IT infrastructure rebuilds. While no customer or employee data was confirmed stolen, the business outage and reputational damage were severe. The incident also exposed vulnerabilities in critical industrial control systems, prompting industry-wide cybersecurity overhauls. Tymoshchuk’s ransomware strain was designed to maximize disruption, encrypting files and locking users out of systems until ransom demands reportedly in the millions of dollars were met. The attack remains one of the most financially damaging ransomware incidents against a single corporation, illustrating the existential threat such cyberattacks pose to industrial sectors.
Description: Norsk Hydro, a Norwegian aluminium and renewable energy company, was one of the most high-profile victims of the LockerGoga ransomware attack in March 2019, orchestrated by the cybercriminal group linked to Tymoshchuk Volodymyr Viktorovych (alias Deadforz). The attack crippled Hydro’s global operations, forcing the shutdown of smelting plants, production lines, and IT systems across 170 sites in 40 countries. Employees reverted to manual processes, causing massive operational disruptions, delayed shipments, and financial losses estimated at $40–71 million in the first week alone. The ransomware encrypted critical files, halting automated production and supply chain coordination. Hydro refused to pay the ransom, instead investing in full system restoration, a process that took weeks to months for complete recovery. The attack exposed vulnerabilities in industrial control systems (ICS) and highlighted the catastrophic risk of ransomware on manufacturing sectors. While no direct data breach of customer or employee records was confirmed, the operational paralysis threatened Hydro’s market position and triggered industry-wide alarms about cyber-physical risks in heavy industries. The incident remains a benchmark for ransomware’s potential to disrupt global supply chains and served as a catalyst for stricter cybersecurity regulations in critical infrastructure sectors.


No incidents recorded for Norsk Hydro in 2026.
Norsk Hydro cyber incidents detection timeline including parent company and subsidiaries


Look at 10 manufacturing cyber attacks that highlight what threat actors are targeting when it comes to this massive industry.
Protecting lives, maximising operational resilience and overcoming the limits of traditional IT cybersecurity. The mining industry is facing an escalating...
In 2019, Norsk Hydro was hit by a comprehensive cyberattack. ”Make sure you have a backup system,” SVP advises other energy companies.
The US Department of Justice (DoJ) just placed a bounty on a cybercriminal suspected of a “series” of cyberattacks around the world.
Beate Gangås says attack in April by Norway's 'dangerous neighbour' aimed to cause fear and chaos.
Russian hackers briefly took control of a dam in Norway earlier this year, the head of the Nordic country's counter-intelligence agency said...
Hackers successfully took control of critical operational systems at a dam facility near Risevatnet in Bremanger, Norway, during April.
When ransomware knocks businesses offline, it's often trusty old pen and paper that comes to the rescue. Preparing for this switch to analogue can help...
Ontario's Information and Privacy Commissioner looking into third-party cybersecurity incident.

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Norsk Hydro is http://www.hydro.com.
According to Rankiteo, Norsk Hydro’s AI-generated cybersecurity score is 658, reflecting their Weak security posture.
According to Rankiteo, Norsk Hydro currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Norsk Hydro has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.
According to Rankiteo, Norsk Hydro is not certified under SOC 2 Type 1.
According to Rankiteo, Norsk Hydro does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Norsk Hydro is not listed as GDPR compliant.
According to Rankiteo, Norsk Hydro does not currently maintain PCI DSS compliance.
According to Rankiteo, Norsk Hydro is not compliant with HIPAA regulations.
According to Rankiteo, Norsk Hydro is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Norsk Hydro operates primarily in the Mining industry.
Norsk Hydro employs approximately 13,095 people worldwide.
Norsk Hydro presently has no subsidiaries across any sectors.
Norsk Hydro’s official LinkedIn profile has approximately 374,060 followers.
Norsk Hydro is classified under the NAICS code 212, which corresponds to Mining (except Oil and Gas).
No, Norsk Hydro does not have a profile on Crunchbase.
Yes, Norsk Hydro maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/norsk-hydro.
As of April 04, 2026, Rankiteo reports that Norsk Hydro has experienced 4 cybersecurity incidents.
Norsk Hydro has an estimated 3,778 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Ransomware and Cyber Attack.
Total Financial Loss: The total financial loss from these incidents is estimated to be $18.24 billion.
Detection and Response: The company detects and responds to cybersecurity incidents through third-party assistance (Microsoft's cybersecurity team; law enforcement such as the FBI and Europol; cybersecurity firms, e.g., Bitdefender; Europol and international law enforcement agencies in France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US), containment measures (network isolation; pre-encryption notifications by law enforcement), remediation measures (restoring data from backups; decryptor tools from the No More Ransomware Project), recovery measures (improving cybersecurity posture; restoration of systems; system rebuilds; enhanced security protocols), and communication strategy (transparency; public indictment announcement; victim notifications; public engagement via the EU Most Wanted portal; media releases by Europol/US DOJ).
Title: Norsk Hydro Ransomware Attack
Description: A significant cyberattack shut down production lines across Norsk Hydro's 170 plants, switching from computer to manual operations at some facilities. The attackers used 'LockerGoga' malware to encrypt files on thousands of servers and PCs, affecting all 35,000 employees in 40 countries. The breach occurred due to an employee opening an infected email, leading to a severe compromise of the company's IT infrastructure. Despite the extensive damage, Norsk Hydro chose not to pay the ransom and instead worked on restoring their data from backups and improving their cybersecurity posture with the help of Microsoft's cybersecurity team.
Date Detected: March
Type: Ransomware
Attack Vector: Email
Vulnerability Exploited: Phishing
Motivation: Financial
Title: Norsk Hydro Ransomware Attack
Description: Norsk Hydro, a global aluminum company, experienced a severe ransomware attack that ceased operations at some of its 170 plants. The breach impacted all 35,000 employees across 40 countries by locking files on thousands of servers and PCs. Initiated by an infected email from a customer, the breach allowed hackers to plant LockerGoga ransomware, leading to financial damages nearing $71 million. The company's transparency and decision not to pay the ransom were acclaimed by security experts, and they leaned on Microsoft's cybersecurity team for recovery and restoration.
Type: Ransomware Attack
Attack Vector: Infected Email
Motivation: Financial Gain
Title: Indictment of Ukrainian National Volodymyr Viktorovich Tymoshchuk for Ransomware Attacks Using LockerGoga, MegaCortex, and Nefilim
Description: A U.S. federal court unsealed a May 2024 indictment charging Ukrainian national Volodymyr Viktorovich Tymoshchuk (alias: deadforz, Boba, msfv, farnetwork) for his alleged role as an administrator of ransomware strains LockerGoga, MegaCortex, and Nefilim. Between December 2018 and October 2021, Tymoshchuk targeted hundreds of organizations in the U.S. and Europe, causing millions in damages. Notable victims include Norsk Hydro (2019 LockerGoga attack, $104M in damages), Altran, Hexion, and Momentive. Tymoshchuk is currently a fugitive with an $11M U.S. State Department reward for information leading to his arrest. He faces charges including conspiracy to commit fraud, intentional damage to protected computers, and transmitting threats to disclose confidential information. Law enforcement disrupted some attacks by notifying victims pre-encryption. Decryptors for LockerGoga (2022) and MegaCortex (2023) were later released via the No More Ransomware Project. Europol-led operations in 2021 and 2023 resulted in arrests of 12+ affiliates across multiple countries.
Date Publicly Disclosed: 2024-05-28
Type: ransomware
Attack Vector: exploiting known vulnerabilities; pre-existing malware infections (e.g., Emotet, Qakbot); targeted phishing/social engineering
Threat Actor: Name: Volodymyr Viktorovich Tymoshchuk; Aliases: deadforz, Boba, msfv, farnetwork; Nationality: Ukrainian; Affiliation: LockerGoga, MegaCortex, Nefilim ransomware groups; Status: fugitive; Reward: $11 million (U.S. State Department)
Motivation: financial gain (extortion)
Title: LockerGoga, MegaCortex, and Nefilim Ransomware Campaigns Linked to Fugitive Tymoshchuk Volodymyr Viktorovych
Description: A Ukrainian man, Tymoshchuk Volodymyr Viktorovych (aliases: Deadforz, Boba, Farnetwork, Msfv, Volotmsk), is wanted for deploying LockerGoga, MegaCortex, and Nefilim ransomware between 2018–2021. The campaigns targeted over 250 companies (primarily in the US) and caused an estimated $18 billion in global damages. Victims faced extortion demands or operational disruption. Tymoshchuk is linked to an organized crime network with roles including malware development, intrusion, and money laundering. He remains at large, with a $11 million US bounty for his capture. Several associates have been arrested in Ukraine.
Date Publicly Disclosed: 2025-09-09
Type: ransomware attack
Attack Vector: malware deployment; network intrusion; data encryption
Threat Actor: Name: Tymoshchuk Volodymyr Viktorovych; Aliases: Deadforz, Boba, Farnetwork, Msfv, Volotmsk; Affiliation: Organized crime network (malware developers, intrusion experts, money launderers); Nationality: Ukrainian; Physical Description: height 180 cm, eye color brown, languages Ukrainian; Date Of Birth: 1996-10-02; Status: Fugitive (wanted by France for computer crimes, extortion, racketeering; US charges for ransomware administration); Bounty: $11 million (US Department of Justice)
Motivation: financial gain; extortion; disruption of business operations
Common Attack Types: The most common type of attack the company has faced is Ransomware.
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through infected email, infected email from a customer, exploited vulnerabilities, pre-existing malware (Emotet/Qakbot), and compromised credentials.

Financial Loss: $71 million
Systems Affected: Thousands of servers and PCs
Downtime: Switch from computer to manual operations
Operational Impact: Shutdown of production lines across 170 plants

Financial Loss: $71 million
Systems Affected: Thousands of servers and PCs
Operational Impact: Ceased operations at some of its 170 plants

Financial Loss: $100+ million (estimated, including $104M from LockerGoga alone)
Systems Affected: hundreds of organizations (U.S. and Europe)
Downtime: ['complete disruption of business operations (varies by victim)', 'Norsk Hydro: weeks of recovery']
Operational Impact: severe (encryption of critical systems, halted production)
Brand Reputation Impact: high (publicized attacks on major firms like Norsk Hydro)
Legal Liabilities: potential lawsuits from victims; regulatory fines (if applicable)
Identity Theft Risk: high (if PII was exfiltrated)
Payment Information Risk: high (if financial data was exfiltrated)

Financial Loss: $18 billion (estimated global damages)
Systems Affected: 250+ companies (primarily in the US) and additional international victims
Operational Impact: network crippling; business disruption; data leakage threats
Legal Liabilities: potential lawsuits from victims; regulatory penalties
Average Financial Loss: The average financial loss per incident is $4.56 billion.
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are corporate data, potentially PII/financial data (varies by victim), sensitive corporate data, and potentially PII.

Entity Name: Norsk Hydro
Entity Type: Company
Industry: Aluminum
Location: Global (40 countries)
Size: 35,000 employees

Entity Name: Norsk Hydro
Entity Type: Global Aluminum Company
Industry: Aluminum
Location: 40 countries
Size: 35,000 employees

Entity Name: Norsk Hydro
Entity Type: public company
Industry: aluminum manufacturing
Location: Norway
Size: large (global enterprise)

Entity Name: Altran
Entity Type: private company
Industry: engineering consulting
Location: France
Size: large

Entity Name: Hexion
Entity Type: private company
Industry: chemical manufacturing
Location: U.S.
Size: large

Entity Name: Momentive
Entity Type: private company
Industry: materials science/manufacturing
Location: U.S.
Size: large

Entity Name: 250+ U.S. companies (unspecified)
Industry: healthcare, industrial, manufacturing, other sectors
Location: U.S.

Entity Name: Hundreds of European organizations (unspecified)
Location: Europe

Entity Type: private companies, enterprises
Location: United States, France, Germany, Netherlands, Norway, Switzerland, Ukraine, United Kingdom, other international victims

Third Party Assistance: Microsoft's cybersecurity team
Remediation Measures: Restoring data from backups
Recovery Measures: Improving cybersecurity posture

Third Party Assistance: Microsoft's cybersecurity team
Recovery Measures: Restoration of systems
Communication Strategy: Transparency

Incident Response Plan Activated: True
Third Party Assistance: Law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender).
Containment Measures: network isolation; pre-encryption notifications by law enforcement
Remediation Measures: data restoration from backups; decryptor tools (No More Ransomware Project)
Recovery Measures: system rebuilds; enhanced security protocols
Communication Strategy: public indictment announcement; victim notifications

Incident Response Plan Activated: True
Third Party Assistance: Europol, international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).
Communication Strategy: public engagement via EU Most Wanted portal; media releases by Europol/US DOJ
Third-Party Assistance: The company involves third-party assistance in incident response through Microsoft's cybersecurity team, law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender), Europol, and international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).

Data Encryption: Files encrypted

Data Encryption: Files locked by ransomware

Type of Data Compromised: Corporate data, Potentially pii/financial data (varies by victim)
Sensitivity of Data: high (industrial/proprietary data, possible PII)
Data Encryption: True
Personally Identifiable Information: likely (in some cases)

Type of Data Compromised: Sensitive corporate data, Potentially pii
Sensitivity of Data: High (threats of data leakage used for extortion)
Data Encryption: True
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: restoring data from backups and decryptor tools (No More Ransomware Project).
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through network isolation and pre-encryption notifications by law enforcement.

Ransom Paid: No
Ransomware Strain: LockerGoga
Data Encryption: Yes

Ransomware Strain: LockerGoga, MegaCortex, Nefilim
Data Encryption: True
Data Exfiltration: True

Ransom Demanded: True
Ransomware Strain: LockerGoga, MegaCortex, Nefilim
Data Encryption: True
Data Exfiltration: True
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through improving cybersecurity posture, restoration of systems, system rebuilds, and enhanced security protocols.

Legal Actions: U.S. indictment (2024), extradition of affiliate Artem Stryzhak (2024), Europol-led arrests (2021, 2023)

Legal Actions: US indictment for ransomware administration, French charges for computer crimes, extortion, racketeering
Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through U.S. indictment (2024), extradition of affiliate Artem Stryzhak (2024), Europol-led arrests (2021, 2023), US indictment for ransomware administration, and French charges for computer crimes, extortion, racketeering.

Lessons Learned: Proactive law enforcement notifications can disrupt ransomware deployment. Decryptor tools (e.g., via No More Ransomware) mitigate damage post-attack. Complex ransomware operations rely on specialized teams (e.g., vulnerability exploitation, lateral movement). International cooperation is critical for dismantling cybercriminal networks.

Recommendations: Implement robust backup and recovery plans to mitigate ransomware impact. Monitor for known vulnerabilities and patch exposed infrastructure promptly. Deploy network segmentation to limit lateral movement by attackers. Participate in threat intelligence sharing (e.g., with law enforcement, ISACs). Train employees on recognizing phishing/social engineering tactics.
Key Lessons Learned: The key lessons learned from past incidents are: Proactive law enforcement notifications can disrupt ransomware deployment. Decryptor tools (e.g., via No More Ransomware) mitigate damage post-attack. Complex ransomware operations rely on specialized teams (e.g., vulnerability exploitation, lateral movement). International cooperation is critical for dismantling cybercriminal networks.

Source: Bitdefender Threat Research

Source: Europol Press Releases (2021, 2023)

Source: US Department of Justice Indictment
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: U.S. Department of Justice (accessed 2024-05-28); Recorded Future News (accessed 2024-05-28); Bitdefender Threat Research; Europol Press Releases (2021, 2023); Europol Press Release (accessed 2025-09-09); EU Most Wanted Portal (accessed 2025-09-09); US Department of Justice Indictment.

Investigation Status: ongoing (Tymoshchuk remains at large; affiliate arrests continue)

Investigation Status: Ongoing (fugitive at large; international manhunt active)
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through transparency, public indictment announcement, victim notifications, public engagement via EU Most Wanted portal, and media releases by Europol/US DOJ.

Stakeholder Advisories: U.S. State Department reward notice, DOJ/FBI public statements.

Stakeholder Advisories: Public urged to report tips via EU Most Wanted portal.
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: U.S. State Department reward notice, DOJ/FBI public statements, and public urged to report tips via EU Most Wanted portal.

Entry Point: Infected email

Entry Point: Infected email from a customer

Entry Point: Exploited vulnerabilities, pre-existing malware (Emotet/Qakbot), compromised credentials
Backdoors Established: True
High Value Targets: Industrial firms, healthcare institutions, manufacturing companies
Data Sold on Dark Web: Industrial firms, healthcare institutions, manufacturing companies

High Value Targets: Corporate networks, sensitive data
Data Sold on Dark Web: Corporate networks, sensitive data

Root Causes: Employee opening an infected email

Root Causes: Exploitable vulnerabilities in exposed infrastructure; lack of network segmentation allowing lateral movement; effective use of pre-existing malware (e.g., Emotet) for initial access.
Corrective Actions: Release of decryptors via No More Ransomware Project; international law enforcement operations (arrests in 2021, 2023); public indictments to deter future attacks.

Root Causes: Organized cybercrime collaboration, exploitation of network vulnerabilities, lack of early detection
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Microsoft's cybersecurity team, law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender), Europol, and international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: release of decryptors via No More Ransomware Project; international law enforcement operations (arrests in 2021, 2023); public indictments to deter future attacks.
Ransom Payment History: The company has Paid ransoms in the past.
Last Ransom Demanded: The amount of the last ransom demanded was True.
Last Attacking Group: The attacking group in the last incident was: (1) Name: Volodymyr Viktorovich Tymoshchuk; Aliases: deadforz, Boba, msfv, farnetwork; Nationality: Ukrainian; Affiliation: LockerGoga, MegaCortex, Nefilim ransomware groups; Status: fugitive; Reward: $11 million (U.S. State Department). (2) Name: Tymoshchuk Volodymyr Viktorovych; Aliases: Deadforz, Boba, Farnetwork, Msfv, Volotmsk; Affiliation: Organized crime network (malware developers, intrusion experts, money launderers); Nationality: Ukrainian; Physical Description: height 180 cm, eye color brown, languages Ukrainian; Date Of Birth: 1996-10-02; Status: Fugitive (wanted by France for computer crimes, extortion and racketeering; US charges for ransomware administration); Bounty: $11 million (US Department of Justice).
Most Recent Incident Detected: The most recent incident detected was on March.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-09.
Highest Financial Loss: The highest financial loss from an incident was $71 million.
Most Significant System Affected: The most significant system affected in an incident was Thousands of servers and PCs.
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Microsoft's cybersecurity team, law enforcement (FBI, Europol, etc.), cybersecurity firms (e.g., Bitdefender), Europol, and international law enforcement agencies (France, Germany, Netherlands, Norway, Switzerland, Ukraine, UK, US).
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were network isolation and pre-encryption notifications by law enforcement.
Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was True.
Most Significant Legal Action: The most significant legal action taken for a regulatory violation was U.S. indictment (2024), extradition of affiliate Artem Stryzhak (2024), Europol-led arrests (2021, 2023), US indictment for ransomware administration, and French charges for computer crimes, extortion, racketeering.
Most Significant Lesson Learned: The most significant lesson learned from past incidents was that international cooperation is critical for dismantling cybercriminal networks.
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: participate in threat intelligence sharing (e.g., with law enforcement, ISACs); deploy network segmentation to limit lateral movement by attackers; train employees on recognizing phishing/social engineering tactics; implement robust backup and recovery plans to mitigate ransomware impact; and monitor for known vulnerabilities and patch exposed infrastructure promptly.
Most Recent Source: The most recent sources of information about an incident are US Department of Justice Indictment, Recorded Future News, Europol Press Release, Bitdefender Threat Research, EU Most Wanted Portal, U.S. Department of Justice, Europol Press Releases (2021 and 2023).
Current Status of Most Recent Investigation: The current status of the most recent investigation is ongoing (Tymoshchuk remains at large; affiliate arrests continue).
Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: U.S. State Department reward notice; DOJ/FBI public statements; public urged to report tips via EU Most Wanted portal.
Most Recent Entry Point: The most recent entry points used by an initial access broker were an infected email and an infected email from a customer.
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: employee opening an infected email; exploitable vulnerabilities in exposed infrastructure; lack of network segmentation allowing lateral movement; effective use of pre-existing malware (e.g., Emotet) for initial access; organized cybercrime collaboration; exploitation of network vulnerabilities; lack of early detection.
Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: release of decryptors via the No More Ransomware Project; international law enforcement operations (arrests in 2021, 2023); public indictments to deter future attacks.
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers assume that the history index is always available and call blockchain.history_store.history_index().unwrap() directly. That assumption is false by construction: HistoryStoreProxy::history_index() explicitly returns None for the valid HistoryStoreProxy::WithoutIndex state. When a full node is syncing or otherwise running without the history index, a remote peer can send RequestTransactionsProof or RequestTransactionReceiptsByAddress and trigger an Option::unwrap() panic on the request path. This issue has been patched in version 1.3.0.
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage. This issue has been patched in version 4.5.90.
