Ransomware attack forces Michigan utility to shut down systems, phone lines, email

Last week was a busy week when it comes to ransomware. New victims included a utility company, visitors to a toymaker’s website, pirates sailing The Pirate Bay and many more. Some cyber crooks are now demanding gift cards for ransom instead of bitcoin.

While it wasn’t all bad news, there are new decryptors and detectors, the FBI published a new warning about the proliferation of increasingly sophisticated ransomware campaigns.

Utility company hit with ransomware

Lansing Board of Water & Light (BWL), a Michigan municipal utility, was hit with ransomware after an employee opened an email that had a malicious attachment. The ransomware spread, encrypting files on other computers on the internal network. BWL shut down its accounting system, email service for 250 employees and “phone lines,” including the customer assistance line for account inquiries and the line for reporting outages. “Printers and other technology” were also affected.

BWL General Manager Dick Peffley described the “virus” as “brand spanking new,” which is why up-to-date antivirus software didn’t quarantine it. The utility company learned that only three antivirus solutions could even detect this variant of crypto-ransomware. 

Trent Atkins, BWL Director of Emergency Management, added, “This was a very sophisticated virus that blew right through a number of our security systems.”

Peffley also said, “In my time at the board of 40 years, I’ve never seen anything like it. Our time keeping, phones, computers, printers, everything that it takes to do the administrative work that the BWL does right now is shut down.”

At first BWL would not admit it was hit by ransomware, but later Peffley admitted the “virus” was ransomware. He declined to say what ransom was demanded allegedly because the Michigan State Police Crime Unit and the FBI were still investigating. BWL assured customers that “no personal information has been compromised.”

Toymaker website and The Pirate Bay serving up ransomware

Also last week, Malwarebytes reported the website for toymaker Maisto was serving up CryptXXX ransomware. That occurred a few days after Malwarebytes said The Pirate Bay was serving up Cerber ransomware via malvertising.

MalwareTech said there is a “huge” list of U.S. organizations, such as police departments, state governments and universities, showing up in a Cerber ransomware tracker.

NBC News took a look at police departments increasingly being hit with ransomware—even if law enforcement agency victims are trying to fly under the radar and keep the infection out of news. One police chief admitted his department had still been running DOS when it became a ransomware victim.

4 new ransomware variants

Proofpoint researchers warned, “The sheer number of new ransomware variants that have emerged in the wild in 2016 increases the chances that both businesses and individuals will encounter this type of malware.”

Proofpoint focused on four specific new ransomware variants—CryptFile2, ROI Locker, BrLock and MM Locker—to highlight code reuse and the growing global ransomware market. MM Locker comes with an interesting message to convince victims there is no choice but to pay the ransom and how to prevent future infections.

Rise of the gift card ransom demand

After Blue Coat researchers discovered “Dogspectus” ransomware targeting Android devices and demanding $200 in iTunes gift cards, ransomware thugs must have liked the gift card ransom idea. A few days later, AVG malware analyst Jakub Kroustek discovered “TrueCrypter” ransomware that accepts $115 in Amazon gift cards or .2 bitcoin. Fortunately, BleepingComputer reported that victims can easily decrypt their files by clicking on the TrueCrypter pay button. The newly discovered Alpha ransomware demands $400 in iTunes gifts cards, but there is already a decryptor available for victims.

Detect OS X ransomware, decrypt CryptXXX and TrueCrypter

The ransomware week in review was not all bad news, such as the TrueCrypter flaw that victims can take advantage of to decrypt their files for free. Synack security researcher Patrick Wardle released “RansomWhere?”—a generic OS X ransomware detector. Kaspersky updated its RannohDecryptor tool so it can now also decrypt CryptXXX ransomware.

The flipside is that ransomware is running so rampant and becoming so increasingly sophisticated that the FBI released a new warning. It also explained how ransomware can be delivered via malvertisting instead merely through email. The article includes tips on how to avoid becoming a victim in the first place.