Targeted Ransomware

Published on 01 Nov 2019

Updated on 15 Feb 2021

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


An emergent trend in the global cyber threat landscape is the rise of “big game hunting” – highly targeted, low-volume, but high-return ransomware attacks against large organisations.

Unlike previous ransomware campaigns aimed at indiscriminately infecting as many devices as possible, these attacks utilise new strains of ransomware (e.g. LockerGoga, Ryuk, and Robbinhood) designed to exploit, propagate, and take down the networks of large enterprises and organisations in the hope of getting bigger payouts.

According to Symantec’s Internet Security Threat Report 2019, overall ransomware detections fell by 20% year-on-year, but ransomware attacks against enterprises rose by 12% over the same period. This issue of CyberSense looks at some recent prominent cases of targeted ransomware attacks.

targeted ransomware
Credit: Shutterstock



On 19 March 2019, Norsk Hydro ASA, a Norwegian company that is one of the world’s top aluminium makers, announced that it was under cyber-attack. The disruption was caused by LockerGoga, a new destructive ransomware which managed to evade detection from most antivirus engines, and with no decryption tools available. Norsk Hydro did not pay the ransom.

The extensive cyber-attack affected both Norsk Hydro’s Information Technology (IT) and Operational Technology (OT) systems. The cyber-attack resulted in Norsk Hydro being unable to connect to its production systems, frequent stoppages, and production line restarts for its operations across the US and Europe. The cyber-attack cost Norsk Hydro an estimated NOK 300 – 350 million (S$47 – 55 million).

Norsk Hydro was lauded for its swift and effective implementation of business continuity and recovery plans, including manual workarounds, which helped to mitigate major long-term impact to its operations and supply chain. Throughout the incident, Norsk Hydro demonstrated open and transparent public communications. These included (a) providing live updates on Twitter/Facebook even as the cyber-attack was taking place; (b) conducting press meetings and webcasts to update on the cyber-attack; and (c) frequent updates on the recovery progress for key business areas. By April 2019, Norsk Hydro reported that most operations were running at normal capacity.

The confluence of three emerging trends – (i) increasingly interconnected and complex supply chains; (ii) the domination of these supply chains by a few companies; and (iii) growing adoption of industrial control systems – puts the spotlight on growing cyber-physical risks in the global supply chain. A debilitating cyber-attack on a major aluminium manufacturer like Norsk Hydro could have had knock-on effects on other secondary industries reliant on Norsk’s products.

Read more about the Norsk Hydro ransomware attack below:


On 8 May 2019, the US city of Baltimore, Maryland confirmed that it was a victim of a ransomware attack, later identified as the RobbinHood ransomware, for which there is no decryption tool available. About 10,000 computers were hit by the malware. Emergency response services were unaffected, but government e-mail services and online payment services were knocked offline by the attack. The city took other systems offline to keep the ransomware from spreading, and used Google Gmail, social media, and offline alternatives to restore services and communications with constituents.

The ransom note demanded 3 Bitcoin (BTC)(S$33,300) per infected system or 13 BTC (S$144,300) for all systems be sent to a Bitcoin address, and claimed that the price would increase by S$14,000 every day after the fourth day, and that the affected files would be deleted if the ransom amount was not paid within 10 days. On 12 May, four days after the attack was first reported, Twitter account "RobbinHood" posted internal documents allegedly belonging to the City of Baltimore, ostensibly to pressure the city to pay the ransom. The city steadfastly refused to pay the ransom, and recovery efforts and lost revenue have been estimated to cost some S$25 million to date.

Read more about the Baltimore ransomware attack below:


On 25 July 2019, City Power, the utilities company delivering power to Johannesburg, South Africa’s largest city, was hit by an unknown ransomware variant. The cyber-attack encrypted City Power’s network, databases, and applications. This affected residents’ ability to buy electricity, upload invoices, or access the City Power website, and in some cases left residents without power. Johannesburg implemented temporary measures to help those affected. For instance, customers unable to access the website were requested to log calls on their cellphones, or use City Power’s mobile app; suppliers seeking to submit invoices for payments were asked to bring invoices physically to City Power offices. By the day after the attack, City Power had restored power and most services for affected residents, due to access to timely backups. During the course of the incident, the company also posted a series of tweets to keep residents updated on the ongoing recovery effort.

The city was yet again targeted by hackers exactly three months later on 25 October 2019. The city was forced to shut down its e-services platform and the billing system as a precautionary measure following an attack after identifying unauthorised access according to a ransom note. The City of Johannesburg municipality says that it will not pay the ransom of four bitcoins (around US$30,000) and that it will attempt to restore systems to full functionality on its own. While some media outlets have described this incident as a ransomware attack, publicly reported images of the ransom note do not state that any files were encrypted and instead include a threat to release sensitive information if the ransom is not paid, suggesting this is likely an extortion operation rather than ransomware.

Read more about the Johannesburg cyber-attack below:


More than 20 targeted ransomware attacks have affected US municipalities in 2019. Unlike Baltimore, many cities and towns opted to pay the ransom to regain access to their systems and data quickly. In March 2019, Jackson County paid over S$500,000 in ransom; in June 2019, Florida cities Riviera Beach and Lake City paid over S$800,000 and S$600,000 respectively. The willingness of municipal organisations to pay the ransom will likely incentivise would-be attackers to undertake further attacks against municipal organisations – already attractive targets as they typically operate legacy systems, with lower cybersecurity standards.

The rise of targeted ransomware attacks illustrates the need for all organisations – globally and in Singapore – to devote more attention and resources to manage cyber risks. In particular, it illustrates the importance of not only preventing, but also detecting and responding to cyber-attacks. Such measures include:

  1. Deploying robust backup systems which are tested regularly, with multiple versions saved and stored offline;
  2. Developing incident response and crisis communications plans which include physical or manual workarounds; and
  3. Having the expertise to operate these systems/plans in times of crisis.

SOURCES INCLUDE: Engadget, Wired, BBC, BankInfoSecurity, Twitter, Norsk Hydro, Bloomberg, ZDNet, Talos Intelligence, Reuters, DoublePulsar, Symantec