Hello. Norwegian aluminum producer Norsk Hydro waited 2½ years for police to apprehend people suspected of launching a crippling ransomware attack on the company in March 2019.

The sprawling Norsk investigation involved eight countries, leading authorities to detain a dozen suspects in Ukraine and Switzerland in late October. At certain points, Norwegian authorities were told they had to wait to receive evidence because criminal laws in some of the countries involved required a court decision to share evidence. Limited travel opportunities amid the Covid-19 pandemic slowed the case. 

The U.S. and allies have vowed closer cooperation to fight ransomware but a lot will have to change. More below.

When Norsk Hydro was hit in 2019, its operations around the world were halted as the company moved to contain the LockerGoga ransomware. Norwegian investigators arrived at its offices to gather information about the hack.

Norsk Hydro said it readily shared conclusions from its internal investigation with Norwegian investigators. Still, authorities in Norway had to wait until Norsk Hydro restored its systems before they could obtain much of the evidence from the company, said prosecutor Knut Jostein Saetnan. 

It became clear to Mr. Saetnan the case would likely take years. “When it comes to cybercrime, we’re actually blind without the cooperation and information received from [other] countries,” he said.

Read the full story. 

Canadian teen arrested in $36.5 million crypto theft. Neither the accused nor the victim—someone residing in the U.S.—were named by officials in Canada and the U.S. The funds were stolen in a SIM swap, in which someone hijacks a person's cellphone to switch the number from one device’s subscriber identity module to another, and then drains financial accounts. A significant break in the case came when the teen allegedly purchased a rare online gaming username, leading investigators to uncover the account-holder's name. (InfoSecurity Magazine) 

GoDaddy discloses WordPress breach. Intruders used a compromised password to access customer information related to GoDaddy's Managed WordPress service, starting on Sept. 6, Demetrius Comes, GoDaddy's chief information security officer, said in a regulatory filing Monday. The company discovered the breach Nov. 17 and is contacting the 1.2 million affected customers, according to the filing.

Wind turbine maker Vestas says a cyberattack Friday forced it to shut down some tech systems. Denmark-based Vestas Wind Systems AS, a big provider of wind systems in North America, said Monday that manufacturing, construction and services are still operating. "The company’s preliminary findings indicate that the incident has impacted parts of Vestas’ internal IT infrastructure and that data has been compromised," Vestas said.

Pawn shop operator, payday lender hacked. A Minnesota company that runs Pawn America stores and Payday America lending offices, as well as a pre-paid debit card provider, is notifying a combined 698,420 people that their personal data was compromised in a ransomware attack in September.

• Hackers deployed network reconnaissance and ransomware tools to gain access to portions of its systems, and then threatened to leak stolen information online, the company said. It restored data from backups and didn't say whether it paid any demanded ransom. Exposed information includes contact data and driver’s license, Social Security and passport numbers. 

The notion of federal privacy legislation gets a boost after Amazon's state-level lobbying efforts are revealed. Lawmakers including Sens. Richard Blumenthal (D., Conn.) and Ron Wyden (D., Ore.) called for Congress to pass a national privacy law as state proposals are weakened as they move through the legislative process. Amazon has stepped up funding and staffing for lobbying efforts in 25 states working on data privacy bills, Reuters reported last week. The company, which has collected data on millions of customers world-wide, didn't directly comment on its lobbying activities. It said it prefers a federal law over a patchwork of state laws. (Reuters) 

💡 Read more from WSJ Pro: States Push Internet Privacy Rules in Lieu of Federal Standards and Virginia Lawmakers Poised to Pass New Rules for Internet Privacy

WhatsApp revamps privacy terms after recent record European fine. The Meta-owned WhatsApp messaging service started Monday to provide more details about how it manages user data. Ireland's privacy office fined it $267 million in September for violating the European Data Protection Regulation. WhatsApp disagreed with the ruling. It said it is tweaking policy while it appeals. (Associated Press)

Startup Arctic Wolf plans an initial public offering in 2022. The nine-year-old company is seeking financial advisors, said Nick Schneider, chief executive. Arctic Wolf, valued at $4 billion in its latest investment round, sells subscription-based detection and recovery services. (Reuters)

Write to the WSJ Pro Cybersecurity Team: Kim S. Nash, James Rundle, Catherine Stupp and David Uberti.

Follow us on Twitter: @knash99, @catstupp and @DavidUberti. 

Contact Enterprise Technology Editor Steve Rosenbush at steven.rosenbush@wsj.com or follow him on Twitter: @Steve_Rosenbush.