North Carolina water utility attacked by ransomware and a banking trojan
North Carolina is still recovering from Hurricane Florence, which critically affected its water utility in September 2018. However, hackers have also managed to infect it with the infamous Emotet virus and Ryuk ransomware. Representatives of the Onslow Water and Sewer Authority (ONWASA) claim that they are not going to pay the demanded ransom.
The first attack on ONWASA was initiated by Emotet. Everyone thought it was under control once cybersecurity specialists were hired to deal with it. However, Ryuk ransomware came next, hitting the utility a few weeks after and causing disruption, even though staff disconnected ONWASA from the Internet. As the CEO claims:
IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network, encrypting databases and files.
It all started with the infamous banking trojan Emotet
According to the report released by Jeffrey Hudson, the CEO of ONWASA, everything started on October 4th, when the Emotet virus began attacking the plant. It was all under control until Ryuk ransomware hit the utility on the 13th of the same month, when an IT staff member who was working on the earlier virus damage spotted the initial ransomware attack.
Although the IT specialist was on duty at the time, there was nothing he could do about the attack, and Ryuk wasn't stopped from spreading. Later on, ONWASA received an email from the attacker, who, as the staff says, is believed to be from a foreign country.
The company is still rebuilding the affected database instead of paying the demanded ransom, as paying doesn't guarantee anything. As the ONWASA press release reads:
Ransom monies would be used to fund criminal and perhaps terrorist activities in other countries. Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks.
Victims of the disaster are targeted by malware on purpose
As for this attack, ONWASA CEO Jeff Hudson believes that the timing was calculated and that the attack is related to the aftermath of hurricanes Michael and Florence. The damage after these natural disasters is believed to be up to $125 million or more. Although the incident happened back in September, numerous schools are closed.
Hudson commented on the relation between the hurricane and malware attacks:
The level of coincidence is too great for hackers somewhere on earth to pick a community of heroes, the home of the Marine Corps, with three major military installations, picking and targeting a critical component of infrastructure, the water system, immediately following two storms.
The best solution when affected by ransomware is to remove the virus and recover data from backups. When no extra copies of the files have been saved, the data might be lost permanently. ONWASA is still working on restoring the utility and recovering the database that got encrypted. They are working alongside the FBI and the Department of Homeland Security.