Cyber Incident Victim: Hexion Inc.

Date: Mar 2019

Location: United States of America

Summary

A ransomware attack targeted two affiliated chemical companies, Hexion and Momentive, causing a global IT outage that disrupted operations by encrypting files and rendering systems inoperable with blue screen errors. The incident, attributed to LockerGoga ransomware based on identical ransom notes, led to complete network and email access loss, forcing the deployment of emergency response teams and the procurement of hundreds of replacement computers. Data on compromised devices was deemed unrecoverable, necessitating the creation of new email domains for employees. The attack mirrored prior LockerGoga incidents, indicating potential coordination, though official disclosures from the affected firms remained minimal amid recovery efforts.

Description

On March 12, 2019, Hexion and Momentive—two U.S.-based chemical companies specializing in resins, silicones, and industrial materials, and controlled by the same investment fund—experienced a coordinated ransomware attack that caused severe operational disruption. The attack triggered a "global IT outage," as described in an internal email from Momentive CEO Jack Boss, prompting both companies to deploy emergency "SWAT teams" to manage the crisis. Forensic analysis of the ransom message displayed on compromised Momentive laptops identified the malware as LockerGoga, because its language and formatting were identical to those seen in prior attacks, including the contemporaneous incident affecting aluminum manufacturer Norsk Hydro. The ransomware encrypted files on Windows-based systems across the organizations, rendering them inaccessible and causing blue screen errors. Employees lost all network and email access, paralyzing routine operations.

The attack’s impact was immediate and extensive, with Momentive’s leadership concluding that data on affected devices was irrecoverable, leading to the procurement of "hundreds of new computers" to replace compromised systems. Employees were issued new email accounts under the domain "momentiveco.com" after the original infrastructure remained inoperable. Hexion publicly acknowledged efforts to restore operations but provided no technical specifics, while both companies maintained minimal external communication; calls to Hexion’s hotline went unanswered. The incident underscored LockerGoga’s pattern of targeting multinational industrial firms, despite its noted inefficiency in generating ransom payments for attackers. No ransom amount or payment confirmation was disclosed in available communications, and the full scope of data loss or operational downtime remained unquantified in public statements.
