Norsk Hydro, one of the largest global aluminum manufacturers, has confirmed its operations have been disrupted by a ransomware attack.
The Oslo, Norway-based company said in a brief statement that the attack, which began early Tuesday, has impacted “most business areas,” forcing the aluminum maker to switch to manual operations.
“Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the company said in a statement posted to Facebook. It’s understood that the ransomware disabled a key part of the company’s smelting operations.
Employees were told to “not connect any devices” to the company’s network. Norsk Hydro’s website was also down at the time of writing.
The company manufacturers aluminum products, manufacturing close to half a million tons each year, and is also a significant provider hydroelectric power in the Nordic state.
Reuters said operations in Qatar and Brazil were also under manual operation, but the company said in a public disclosure with the Norwegian stock exchange there was “no indication” of impact on primary plants outside Norway.
“It is too early to assess the full impact of the situation. It is too early to assess the impact on customers,” said the aluminum maker.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Norway’s National Security Authority did not immediately respond to an email with questions, but told Reuters that the infection is likely LockerGoga, a new kind of digitally signed ransomware that went undetected until recently. The ransomware locks files and demands a ransom payment for a decryption key.
Security expert Kevin Beaumont said earlier this month the malware was also used to target Altran, a Paris, France-based consulting firm, last month. Beaumont said the malware doesn’t require a network connection or a command and control server like other ransomware strains. A sample of the ransomware shared to malware analysis site VirusTotal shows only a handful of anti-malware products can detect and neutralize the LockerGoga malware.
Norsk Hydro spokesperson Stian Hasle did not comment beyond the company’s statements.
Justice Department indicts two Iranians over SamSam ransomware attacks
