Bad timing, bad luck or heartless baddies: maybe all three came into play when a critical water utility in North Carolina, still recovering from the effects of a hurricane disaster, was brought to its knees by a ransomware attack.

Despite still dealing with the aftermath of Hurricane Florence, which ripped through in September, Onslow Water and Sewer Authority (ONWASA) said it has no intention of paying the ransom demanded. In the Jacksonville, North Carolina, utility’s words, it “will not negotiate with criminals nor bow to their demands.”

The sad and soggy saga did not begin with a sophisticated ransomware attack; it began on October 4 when ONWASA was hit with Emotet, “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” according to the alert issued by US-CERT in July.

ONWASA initially believed the Trojan was dealt with, but the utility brought in outside security pros when the Emotet malware proved persistent. Fast-forward a week and a half to 3 a.m. on October 13, in what ONWASA said “may have been a timed event,” and Emotet dropped the nasty, targeted ransomware Ryuk.

Although an ONWASA IT staff member was on hand to see the attack, IT was unsuccessful when trying to stop the ransomware infection from spreading. The water utility said, “IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network encrypting databases and files.”

As for the damage done, ONWASA compared the attack to what Atlanta and Mecklenburg County, North Carolina, suffered.

ONWASA later received an email from its attackers, who the utility said “may be based in a foreign country,” but it has no intention of paying the ransom. The utility explained:

“Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries. Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks. ONWASA will not negotiate with criminals nor bow to their demands. The FBI agrees that ransom should not be paid. ONWASA will undertake the painstaking process of rebuilding its databases and computer systems from the ground up.”

The fact that humans will manually have to deal with processes such as service orders, account creations, connections, disconnections, development review, backflow program, and others – instead of using computing power – is expected to “affect the timeliness of service for several weeks to come.” About 150,000 people depend on the water utility.

Bad backup policies could possibly be added to the list of potential causes, alongside bad luck, bad timing or heartless baddies. Yet ONWASA CEO Jeff Hudson feels confident the timing of the attack is related to the aftermath of Hurricanes Florence and Michael. The damage to Onslow County from Hurricane Florence alone is expected to surpass $125 million; that happened in September and even the schools have not yet reopened.

Hudson told WITN, “The level of coincidence is too great for hackers somewhere on earth to pick a community of heroes, the home of the Marine Corps, with 3 major military installations, picking and targeting a critical component of infrastructure, the water system, immediately following two storms.”

The Center for Internet Security previously warned (pdf) about cyber attacks in the wake of a natural disaster.

ONWASA is working with the FBI, DHS, the State of North Carolina as well as several cyber security companies to restore the utility and bring the cyber-attackers to justice.


via Ransomware attack hit North Carolina water utility following hurricane | CSO Online
