Date: 2021-05-11

Volue ASA, a Norwegian company that provides technology to European energy and infrastructure firms, is working to restore critical software services to customers after a ransomware attack on May 4 and 5, days before Colonial Pipeline Co. disclosed a ransomware attack that shut down the largest fuel pipeline in the U.S.

The two attacks highlight the prominence of energy and critical infrastructure firms as targets for ransomware.

In the Volue attack, ransomware shut down applications providing infrastructure to water and wastewater facilities in 200 Norwegian municipalities, covering around 85% of the country’s population. Seeking to prevent the ransomware from spreading to other computer systems, the company shut down all other applications that it hosts and quarantined around 200 employee devices. Volue says it has 2,000 customers in 44 countries.

Norway’s KraftCERT, the cybersecurity response unit for the energy and water sectors, advised all Volue customers to shut off their connections to the company’s applications and reset credentials.

Investigators identified the Ryuk ransomware in Volue’s computer systems. A different type of ransomware was used in the Colonial Pipeline incident.

Critical infrastructure operators including energy providers and oil-and-gas companies are attractive targets for ransomware groups because cybercriminals know they need their equipment to continue running to provide services, said Katell Thielemann, an analyst on cybersecurity of industrial systems at Gartner Inc. “If you can disrupt operations, you immediately have bottom-line impact,” she said.

KraftCERT is helping Volue distribute information about the attack to its customers. “We knew from the moment we heard that they had been attacked that it was extremely important to get all the facts clear about the extent, the consequences and inform the customer base as soon as possible,” said Margrete Raaum, the organization’s chief executive officer.

One main task, Ms. Raaum said, is to prevent the malware from spreading. Informing power and energy companies about the attack could also help them avoid shutting down systems unnecessarily, impeding operations, she said.

This incident was in some ways easier to manage than the SolarWinds Corp. intrusion, Ms. Raaum said, referring to the massive attack revealed last year that affected government agencies and businesses in the U.S. and around the world. The corruption of SolarWinds software was designed to infiltrate the vendor’s customers, but the ransomware targeting Volue was more straightforward because attackers targeted one victim, she said.

Ransomware attacks on industrial companies have become more common since a 2019 attack that disabled operations at Norwegian aluminum and energy company Norsk Hydro ASA, Ms. Thielemann said. “The warning lights have been flashing for some time,” she said.

Volue Chief Executive Trond Straume found out about the attack from Arnstein Kjesbu, the company’s chief financial officer, on the morning of May 5 and flew from his home in southern Norway to the company’s headquarters in Oslo. He later flew to a war room set up for employees managing incident response to the attack in Trondheim, a city further north.

Within 30 minutes of discovering the attack, external cybersecurity experts arrived to assist in recovering the company’s data, Mr. Straume said.

Volue CEO Trond Straume, left, and Chief Security Officer Brynjar Larssen work in a war room set up to respond to the ransomware attack. Photo: VOLUE ASA

Mr. Straume has met with customers to explain how the company is protecting their data and computer systems against the spread of the malware.

Mr. Straume started discussions with clients on Monday and Volue set up a process to assess when each client could safely start using applications disabled after the attack, he said. Security experts analyzed whether customers used applications hosted by Volue, in the cloud, or in their own offices, and examined whether their data was at risk of being exfiltrated, or taken out of the company’s systems, said spokesman Johannes Holdø.

Volue has seen no evidence that data was exfiltrated, Mr. Holdø added. Over 90% of customers are now considered safe or close to safe from risks related to the attack, he said.

“This risk applies to the industry as a whole. In that sense I felt sort of a partnership with the customers,” Mr. Straume said.

Mr. Straume said he didn’t consider paying a ransom fee to decrypt Volue’s data. The company wasn’t able to see the fee that attackers asked for because the attackers sent a message with a link, which the security team didn’t click, Mr. Holdø said.

Different cybercriminal groups use the Ryuk ransomware, making it difficult to determine who is behind the attack on Volue, Ms. Raaum said.

When Mr. Straume entered the war room in Trondheim, it was the first time he was in an office with other employees after several months of remote work during the Covid-19 pandemic.

Managers have been communicating with employees through text messages, on the phone and via calls on Microsoft Corp.’s Teams platform, Mr. Straume said. The disabled applications mean some employees can do only part of their job, he said.

After Volue fully recovers from the attack, Mr. Straume said he wants to hire full-time hackers to continuously test the company’s systems. Volue currently hires external firms to conduct penetration tests but doesn’t have hackers on staff.

“If we can learn from this and we’re able to give anyone else some more insight and readiness, that’s to the benefit of the industry,” he said.

Write to Catherine Stupp at [email protected]