Incident Of The Week: Cyber Criminals Launch Ransomware Attack on Water Utility in Hurricane Ravaged N.C.

Already reeling from the effects of Hurricane Florence, the Onslow Water and Sewer Authority (ONWASA) in Jackson, N.C. has been the target of a ransomware attack by cyber criminals that crippled the water utility’s computer systems.

ONWASA officials said no customer information was compromised in the attack discovered on Oct. 4, nor has there been any disruption to waste water services and the water supply. The utility’s servers and computers began experiencing attacks from the Emotet virus, which is “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” according to the alert issued by US-CERT in July. It is considered one of “the most costly and destructive malware” affecting the public and private sectors.

Outside security specialists were brought in once it became clear the problem was persistent. Then, on Oct. 13, the malware launched the Ryuk crypto-virus, which spread quickly throughout the network, encrypting databases and files, according to ONWASA CEO Jeffrey Hudson, in a statement.

The utility has received one email from the cyber criminals “who may be based in a foreign country,” he said, and are demanding an undermined financial payment. Hudson said ONWASA has no intention of paying the ransom and that it “will not negotiate with criminals nor bow to their demands.”

Instead, the utility will rebuild its databases and computer systems from scratch, he said. The attack is consistent with others experienced by other municipal utilities in Atlanta and Mecklenburg County, N.C., he said.

Ryuk ransomware was reportedly behind several attacks this summer, according to Check Point Research in a September report. The attackers normally ask for a payment of between 15 to 50 bitcoin and have so far collected $640,000, the firm said.

ONWASA said local, state and federal agencies are investigating.

Hudson told local station WITN that the cyberattack may be related to the timing of Hurricane Florence and Tropical Storm Michael.

"The level of coincidence is too great for hackers somewhere on earth to pick a community of heroes, the home of the Marine Corps, with three major military installations, picking and targeting a critical component of infrastructure, the water system, immediately following two storms," he said.

The Center for Internet Security has warned the public that interest in cyberattacks tends to increase after a natural disaster. “Malicious actors leverage public interest during natural disasters and other high-profile events in order to conduct financial fraud and disseminate malware,” the center noted in a statement.