Ransomware attack hits North Carolina water utility following hurricane

A North Carolina water utility still recovering from Hurricane Florence became the victim of a ransomware attack.

Ransomware attack hits North Carolina water utility following hurricane
Thinkstock

Bad timing, bad luck or heartless baddies — maybe all three came into play when a critical water utility in North Carolina, which was still recovering from Hurricane Florence, was brought to its knees by a ransomware attack.

Despite still dealing with the aftermath of Hurricane Florence, which ripped through the state in September, Onslow Water and Sewer Authority (ONWASA) said it has no intention of paying the ransom demanded. In the Jacksonville, North Carolina, utility’s words, it “will not negotiate with criminals nor bow to their demands.”

How the ransomware attack started

The sad and soggy saga did not begin with a sophisticated ransomware attack. It began on October 4 when ONWASA was hit with Emotet, “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” according to the alert issued by US-CERT in July.

ONWASA initially believed the Trojan was dealt with, but the utility brought in outside security pros when Emotet malware proved persistent. Fast-forward a week and a half to 3 a.m. on October 13, in what ONWASA said “may have been a timed event,” and Emotet dropped the nasty, targeted ransomware Ryuk.

Although an ONWASA IT staff member was on hand to see the attack, IT was unsuccessful in stopping the ransomware infection from spreading. The water utility said, “IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network, encrypting databases and files.”

As for the damage done, ONWASA compared the attack to what Atlanta and Mecklenburg County, North Carolina, suffered.

ONWASA later received an email from its attackers, who the utility said “may be based in a foreign country.” But it has no intention of paying the ransom. The utility explained:

Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries. Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks. ONWASA will not negotiate with criminals nor bow to their demands. The BGI agrees that ransom should not be paid. ONWASA will undertake the painstaking process of rebuilding its databases and computer systems from the ground up.

The fact that humans will manually have to deal with processes such as service orders, account creations, connections, disconnections, development review, backflow program, and others — instead of using computing power — is expected to “affect the timeliness of service for several weeks to come.” About 150,000 people depend on the water utility.

Attackers target victims of natural disasters

Bad backup policies could possibly be added to the potential list of whether this was bad luck, bad timing or heartless baddies. Yet ONWASA CEO Jeff Hudson feels confident the timing of the attack is related to the aftermath of Hurricanes Florence and Michael. The damage to Onslow County from Hurricane Florence alone is expected to surpass $125 million. That hurricane happened in September, and even its schools have not yet reopened.

Hudson told WITN, “The level of coincidence is too great for hackers somewhere on earth to pick a community of heroes, the home of the Marine Corps, with three major military installations, picking and targeting a critical component of infrastructure, the water system, immediately following two storms.”

The Center for Internet Security previously warned (pdf) about cyber attacks in the wake of a natural disaster.

ONWASA is working with the FBI, Department of Homeland Security, and the State of North Carolina, as well as several cybersecurity companies to restore the utility and bring the cyber attackers to justice.

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.