Ransomware Attack on Michigan Utility Provider Highlights Organizational Vulnerabilities

On April 25, an attack launched against the Lansing Board of Water and Light proved just how vulnerable organizations can be to this ballooning threat vector.

If you’ve been anywhere near a social media newsfeed in the last couple of years, then you’ve likely seen the horror stories about ransomware attacks. What looks like an attachment sent by a friend infects your computer or network and sends you on a hellish misadventure to recover files taken hostage.

For the most part, these stories have circulated among everyday Internet users, but they have exploded into the national spotlight as hospitals and other organizations fall prey to the attacks.

On April 25, an attack launched against a Michigan utility provider proved just how vulnerable organizations can be to this ballooning threat vector.

When an employee of the Lansing Board of Water and Light (LBWL) opened what seemed to be a legitimate email attachment, the business side of the house went into a self-imposed lockdown of its systems. Though there was no impact on the delivery of utility services, the malicious code forced a shutdown of network and vital business services, which included phone lines and billing services.

[1/4] Today we were the victim of ransomware that came in through a phishing virus and infected our corporate networks. — Lansing BWL (@BWLComm) April 25, 2016

[2/4] We immediately instated a self-imposed lockdown to all of our corporate networks to protect the system while developing a solution. — Lansing BWL (@BWLComm) April 25, 2016

In a statement published via the LBWL Twitter account, the service provider said it appeared that customer information was not compromised in the breach.
 
“Based on everything we know now, no credit card information was involved in this incident,” LBWL officials said in a May 2 update. “Customer credit card information is processed by a third party vendor independent of BWL’s IT systems. BWL neither processes nor possesses any customer information.”

[3/4] We are working with local, state and federal law enforcement authorities. No utility functionality has been lost during the attack. — Lansing BWL (@BWLComm) April 25, 2016

[4/4] No personal customer info has been compromised. Customers are still able to make payments online, in our cust serv center & at kiosks. — Lansing BWL (@BWLComm) April 25, 2016

According to a May 2 report from the Lansing State Journal, operations have slowly been returning to normal, though employees were still without email at the time.  
 
Detective Lt. Jay Poupard with the Michigan State Police Cyber Crime Unit told Government Technology that ransomware attacks are moving in lockstep with the growing global investment in digital infrastructure.
 
As more data and vital information are logged into these systems, the ability to hold them hostage becomes more attractive and lucrative to would-be hijackers.
 
“A lot of this revolves around the investment citizens and companies are making in their cyberinfrastructure upfront,” he said. “Ransomware is becoming more prevalent in the United States and worldwide …”
 
In the days following the malware attack and the self-imposed lockdown of BWL digital assets, Poupard said his unit has partnered with the BWL and federal partners to investigate the incident. 
 
“This is something that affects the private and the public sectors, in my opinion,” Poupard said. “When we have moments like this, we use relationships with all cyberprofessionals to try to come to the most accurate conclusions possible. The FBI, the Detroit Cyber Task Force, is certainly a resource that is in service right now.”
 
While details of the ongoing investigation are understandably limited, he said all parties are working closely to verify the origin of the email attack and how to avoid a future breach.
 
From the cybersecurity industry's perspective, Juan Guerrero, a senior security researcher at Kaspersky Lab, said ransomware is likely to increase as the profitability of these schemes continues.
 
"A variety of measures are important in shielding an organization from these types of attack. Most important are the implementation of a robust anti-malware suite and the implementation of backups that are kept disconnected from the machines and network when not in use, referred to as 'cold storage,'" he said. "Beyond this, strict application whitelisting like default deny and endpoint user education can help to limit the effectiveness of the malware delivery methods."
 
The municipal utility has not disclosed the amount of the ransom demands. Despite multiple attempts to contact the LBWL, there was no response as of press time.

Eyragon Eidam is the web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.