Volue After the Cyberattack: How We Passed the Stress Test

Two weeks after the cyberattack on Volue, Vigleik Takle, Chief Commercial Officer, reflects on the value of transparency and the opportunity to build Volue into a stronger and more secure company.

Jeremy lapak unsplash

My May 5th started like any other day. Over a cup of coffee, I reviewed my calendar, confirmed that it was yet another day packed with back-to-back Teams meetings, then I got going with the first meeting of the day.

I had just wrapped up the second meeting when I got the call – Volue Technology had been the subject of a cyberattack.

Although I immediately understood the severity of the situation, little did I know about the colossal amount of work ahead of us.

Within 30 minutes of the cyberattack, we had “boots on the ground”. The emergency response team was taking shape, establishing clear roles and responsibilities. Mine was customer communication.

The first few days of the cyberattack reminded me of my annual exercise with the Norwegian Reserve Army. Even though we do this exercise every year, initially no one knows what to do. But as the roles and responsibilities get re-established, and with a clear chain of command in place, things start to move quickly.

Although Volue has policies and processes for this scenario, it still took a while before we were able to mobilize a large part of the organization.

Within 30 minutes of the cyberattack, we had 'boots on the ground'.

Vigleik Takle Chief Commercial Officer, Volue

Communication and transparency throughout the cyberattack

From the word go, it was clear that communication with customers and partners would be key. For us, the question was never if, but how we should set up our communication so that we would be 100% transparent.

Already on the first day of the attack, I reached out to a former colleague who had been a part of the emergency team at Hydro through their cyberattack back in 2019. Her input and advice were extremely valuable and we immediately started to implement several of her recommendations – one was to over-communicate.

Right from the start, we also established a strong collaboration with KraftCert, an expert computer emergency response team in Norway. We shared all available and relevant data with them and they worked closely with the security community and our customers.

We conducted a daily webcast to which more than 500 people tuned in. On volue.com, we set up an urgent updates section where we posted at least once a day. We encouraged everyone to get in touch through email, telephone, or Microsoft Teams if they needed additional information.

Many congratulated us for being open about the cyberattack, including NRK, the Norwegian public broadcaster.

One cybersecurity expert tweeted: “Volue has a Ryuk ransomware incident, but instead of pretending it’s planned maintenance or saying cyberattack, they have a website set up explaining what is happening, the road to recovery, and the CEO’s phone number.”

Just over a week into the incident, more than 95% of customers were deemed safe.

Vigleik Takle Chief Commercial Officer, Volue

Working around the clock

From the time of discovery of the attack, the emergency response team and security partners worked around the clock to understand the nature of the attack, the impacted infrastructure, and services.

We quickly learnt that the ransomware attack was caused by Ryuk, a type of malware usually known for targeting large, public entity Microsoft Windows systems.

Over the next few days, through our advanced security software, we were able to provide the forensic investigators with plenty of data. This insight gave us a good understanding of the timeline for the attack, including the attackers' preparations, reconnaissance, and the actual execution.

Just over a week into the incident, more than 95% of customers were deemed safe.

Some applications were taken down in the attack. These have been restored and rebuilt but with enhanced security, including an improved network security infrastructure. Users of those applications are now being invited to resume activities in a staged rollout of the services.

We’ve had no evidence of data exfiltration – personal or critical infrastructure data. And we’ve seen no evidence that customer environments or applications were directly impacted by this attack.

Fully operational within a few days

Parallels have been drawn with the cyberattack on Colonial Pipeline Co. which in the same week led to the shutting down of the largest fuel pipeline in the U.S.

The Wall Street Journal, writing about the cyberattack on Volue, was quick to point out that the two attacks highlight the prominence of energy and critical infrastructure firms as targets for ransomware.

This has been an extremely challenging time for the company but we have passed the stress test. We are proud that we have made swift progress and we are about to be fully operational within a few days.

We have also begun the process of collecting insights and facts into documentation that will be used for learning and information-sharing with others. Needless to say, we will also continue to invest in security.

We look forward to going back to normal operations.

We will continue to build Volue to be better, stronger, and more secure than ever.