Jonathan Crowe
Oct 2018

The Ransomware Attack on a North Carolina Water Utility May Not Have Been What it Seemed



North Carolina's Onslow Water and Sewer Authority (ONWASA) is battling a Ryuk ransomware infection that has forced it to rebuild its IT infrastructure from the ground up. But the real story began weeks earlier, when the utility was infected with a far stealthier malware.

On Monday, October 15, Jeffrey Hudson, CEO of Onslow Water and Sewer Authority (ONWASA), issued a statement announcing the utility's servers and personal computers had been subjected to a sophisticated ransomware attack that had left it with limited computer capabilities.

Residents were assured that water and wastewater service to homes and businesses would not be interrupted, and no customer information had been compromised during the attack. Many of the utility's databases would have to be recreated in their entirety, however, and Hudson set expectations that the timeliness of service from ONWASA would likely be affected for weeks to come. 

With the utility's network in shambles, all activities that require computers — service orders, account creation and payments, etc. — will have to be conducted manually while ONWASA's IT department conducts a complete, painstaking rebuild.

Despite the damage, Hudson explained that ONWASA would not be negotiating with the criminals behind the ransomware, and would not pay the undisclosed ransom demand. Instead, the utility is actively working with the FBI, Department of Homeland Security, the State of North Carolina, and several security companies to investigate the attack, which Hudson believes to be something more sinister than simply another indiscriminate infection. 

Was the water utility explicitly targeted in the aftermath of Hurricane Florence?

Many news outlets have been quick to highlight that the attack hit ONWASA at a critical time, with Onslow County still actively recovering from September's Hurricane Florence. Many services have yet to be fully restored in the area, including the county's schools, which have yet to reopen. The total damage to the county caused by Florence is estimated to top $125 million.

Hudson is confident ONWASA, which is headquartered just 50 miles north of where Florence made landfall on September 14, was specifically targeted by attackers as a critical utility, and that the timing of the infection was no coincidence.

One of the clues seemingly pointing in that direction is the strain of ransomware that was used. Ryuk is a new strain of ransomware that researchers at Checkpoint began tracking in early August. Despite having only been active for a short while, it has reportedly already netted attackers over $640,000, thanks in part to its large ransom demands (the highest observed was $320,000). 


Ransom note dropped during a previous Ryuk ransomware infection. Source: Checkpoint

Rather than distributing it via large malspam campaigns like the majority of ransomware strains, the attackers behind Ryuk have taken a far more targeted approach that revolves around carefully selecting their victims and deploying the ransomware more strategically. 

An examination of Ryuk's code has shown strong similarities to Hermes ransomware, which has a history of being used for extortion but also as a diversion in campaigns conducted by the North Korean APT, the Lazarus Group.

The use of Ryuk is certainly one indication that this may have been a targeted attack, but is it enough to confirm the attack was in fact targeted? Other indicators potentially suggest otherwise, starting with the fact that ONWASA was infected by a different strain of malware nine days prior to Ryuk being deployed.  

Ransomware attack was preceded by Emotet infection


The ransomware was deployed as an additional payload nine days after ONWASA was initially compromised.

According to the ONWASA statement, the utility first began experiencing signs of persistent malware infections on October 4. The malware was identified as Emotet, a trojan that has become one of 2018's most prolific threats. Emotet infections have reached such a high volume that the United States Computer Emergency Readiness Team (US-CERT) recently issued an alert on the trojan, describing it as "among the most costly and destructive malware" affecting organizations today. 



The primary purpose of Emotet is to gain an initial foothold on computers so it can fetch and deploy additional payloads. One of the most common payloads Emotet has retrieved in 2018 has been TrickBot. The combination of Emotet, which is notorious for its ability to gain persistence, and TrickBot, which can self-propagate and quickly spread itself across victim networks, has been a nightmare for admins.

In addition to quickly overrunning networks, these infections can be incredibly difficult to remove in their entirety, which is a major problem when all it takes is one overlooked artifact for the infection process to start up all over again. ONWASA's statement confirms as much. The company initially thought they had the infection under control, but when it persisted it was forced to call on help from outside security experts. 

Shortly after the help arrived, the ransomware was deployed — at 3am on Saturday, October 13. The timing suggests the deployment was deliberately planned to occur at a time when no staff were working and the ransomware would have hours if not days to operate unnoticed. Fortunately, an ONWASA staff member was working at the time and made immediate attempts to isolate the infection. Despite the effort, the ransomware was still able to quickly spread throughout the network, encrypting databases and files and ultimately forcing the utility to rebuild its systems from the ground up.  

The fact that an Emotet infection preceded the ransomware attack puts the theory that it was a targeted strike into question. It's still a possibility, but the fact is Emotet is typically delivered via malspam emails that are either distributed in large campaigns or from the email accounts of previously infected victims. In other words, Emotet outbreaks aren't usually the result of premeditated, carefully orchestrated strikes. Instead, they're simply infections of opportunity. 

That's not to say the deployment of ransomware couldn't have been strategic, however. In fact, there are two similar infections that occurred earlier this year that suggest we could start seeing ransomware deployed on Emotet-compromised networks more regularly, though perhaps not for the reason you might first expect. 

Ransomware used for extortion or simply to cover attackers' tracks? 

In late July, the Alaskan borough of Matanuska-Susitna was hit with a devastating ransomware attack preceded by an Emotet infection that had gained access weeks before. Source: KTUU News 

On Tuesday, July 31, government officials from the Alaskan borough of Matanuska-Susitna (Mat-Su) declared a state of emergency after a ransomware outbreak infected nearly all of the borough's 500 workstations and 120 of its 150 servers, including its domain, email (Exchange), and even its backup and disaster recovery servers. 

Thanks to the IT team's work, much of the encrypted data was able to be restored, but the attack necessitated taking the network entirely offline. During the painstaking task of restoring the infrastructure, employees were forced to revert to using typewriters and finding other manual ways of making do without email, phones, or Internet.

In total, Mat-Su Borough IT Director Eric Wyatt estimated recovery costs could reach but would likely not exceed $750,000.  

As part of his investigation into the incident, which he documented in a detailed report, Wyatt revealed that the borough had actually first experienced signs of an infection on July 17, after an update to the borough's antivirus software (McAfee) caused it to begin flagging samples of Emotet that it had previously missed. According to Wyatt, there were signs that the Emotet infection had gone undetected by McAfee for more than two months, having initially been introduced as early as May 3. Following the update of the AV software, it became evident that during that time the malware had spread to "alarming levels," infecting numerous workstations and multiple servers. 

Wyatt's team responded by changing all account passwords and developing a script to remove the discovered components of the infection that McAfee was leaving behind. And that's when, out of nowhere, the ransomware was deployed.

Working with the FBI, Wyatt was able to identify the ransomware as BitPaymer, a strain that gained notoriety for infecting a group of Scottish hospitals in 2017 and making large, six-figure ransom demands.


What BitPaymer ransomware looks like in action.

The investigation also led to a potential alternative explanation for the ransomware's deployment. Rather than earnestly trying to extort the borough, it may have been launched as a destructive decoy designed to help the attackers get rid of evidence that could otherwise be used to identify them and take down their infrastructure.

If the borough had decided to pay, that obviously would have been a bonus for the attackers, but the prior Emotet infection had already yielded stolen credentials and other information that could be easily monetized and used in future attacks.  

"[There are indications] that the attack's purpose is not based primarily on money from a particular victim, but to disrupt operations and potentially steal information that may lead to greater financial reward and more disruptions from down stream victims."

— Eric Wyatt, Matanuska-Susitna Borough IT Director (source)

Not isolated incidents: Emotet → TrickBot → ransomware infection chains are becoming more common

According to Wyatt, the FBI confirmed the attack pattern observed at Mat-Su — an initial Emotet infection resulting in TrickBot then BitPaymer ransomware being deployed — closely matched the situation at the Alaskan city of Valdez, which was infected just days following the Mat-Su outbreak. 

Later, on August 7, the Professional Golfers Association of America (PGA) was infected with ransomware believed to be BitPaymer, though it is unconfirmed whether an Emotet infection preceded the attack. 

The situation at ONWASA two months later is different in that the ransomware deployed was Ryuk, not BitPaymer. The two strains have key similarities as well as key differences.

Both operations are known for being more selective with their victims, typically targeting bigger enterprises thought to be more capable of paying large ransom amounts. That makes the victims here — two small local governments and a water utility — somewhat curious, at least from a financially motivated perspective. Local governments have paid ransoms in the recent past, of course (see Leeds, Alabama and West Haven, Connecticut), but the amounts have been much lower than the typical BitPaymer or Ryuk six-figure demand. 

The low likelihood of a big pay day suggests the goal of these attacks could very well be to remove evidence after the initial Emotet and TrickBot infections harvested credentials and other valuable information. That, or the criminals behind the two strains are adapting their business model and either launching attacks more indiscriminately or consciously moving downstream. 

When looking at similarities between Ryuk and BitPaymer, it's important to point out the two strains are managed by two very different groups. As mentioned earlier, Ryuk has been tied to the Lazarus Group, a North Korean APT. An attack targeting a U.S. water utility conducted by that group isn't outside the realm of possibility, and it's been known to deploy ransomware as a smokescreen before.

BitPaymer, on the other hand, has been attributed to the group behind the notorious Dridex banking trojan, whose activities have been clearly financially motivated. 

Seeing the work of these two groups both tied to Emotet and TrickBot campaigns is interesting, and highlights just how modular and intertwined malware operations have become. Emotet in particular has evolved into a prolific distributor of a variety of threats. The criminals behind the trojan have built a vast collection of compromised machines, email accounts, and email addresses they can sell access to, and they're adding to it with every new campaign.  

3 key takeaways for protecting your business

What can other organizations learn from the ONWASA incident? 

1) Don't sleep on active infections just because they're not ransomware

Ransomware infections are hard to miss. Their consequences are immediate and tangible. They send organizations into instant fire-fighting mode, and they still tend to dominate headlines in a way that other malware doesn't. 

But as this incident shows, organizations should be just as worried about quieter infections. Though it might be easy to dismiss them as less urgent, not only can they make off with sensitive information, they can also lay the groundwork for more actively damaging attacks.  

Organizations that see early warning signs of an infection (especially a trojan like Emotet) need to assume the clock is ticking and more potentially destructive malware could be on the way.  

2) Restoring encrypted files is far from your only worry

Soon after the incident, ONWASA went on record saying it would not pay the ransom, explaining that the utility was refusing to help fund criminal activity. Unfortunately, the truth is the criminals behind the incident have likely already profited from it.  

Malware was running on the utility's systems for nine days, silently gathering information and email addresses to be sold and utilized in future attacks. Getting its systems restored and running again was obviously the first priority, but even after that's accomplished ONWASA now has to wonder what else might be lying dormant in their network.

In addition, the utility's employees will now be more at risk of having their own personal email and banking accounts compromised. 

Whether it was a targeted attack or an attack of opportunity, whether the motivation was simply financial or something more malicious, regardless, the infection has made things significantly more complicated for ONWASA. Rebuilding an encrypted network is only the beginning. 

3) Preventing initial infections in the first place should be the top priority

The incidents at ONWASA, Mat-Su, the City of Valdez, and others are good reminders that organizations should be doing everything they can to prevent their endpoints from being compromised in the first place, before those compromises establish dangerous and profitable footholds for additional attacks. 

That means training employees to recognize increasingly sophisticated phishing attempts and protecting computers and servers with stronger, smarter endpoint security software designed to do two things:

  1. Block the latest malware, even if it's a new variant that hasn't been seen before
  2. Break the most common infection chains by blocking malicious behavior patterns

That's exactly the type of protection Barkly provides: 




Not only does Barkly block the malware used in today's attack campaigns, it blocks popular infection paths — such as malicious Word documents launching PowerShell and downloading payloads — thereby preventing malware from even touching the machine to begin with. 
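For teams that want to see the same infection path in their own telemetry, here is a detection-side sketch of the "Word launches PowerShell" pattern. It is an added example, not Barkly's logic or code from the original article; the event field names, the interpreter list, and the download hints are assumptions, and the sample records are constructed.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings hinting at a payload download; an assumed starter list, tune locally.
DOWNLOAD_HINTS = ("net.webclient", "downloadfile", "downloadstring",
                  "invoke-webrequest", "http://", "https://")

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def find_office_script_chains(events, max_depth=4):
    """Alert on script interpreters that descend from an Office process.

    events: chronological process-creation records (dicts); the field names
    host/pid/ppid/image/command_line are assumptions, map them to your EDR.
    """
    procs, alerts = {}, []          # procs: (host, pid) -> event
    for ev in events:
        procs[(ev["host"], ev["pid"])] = ev
        if base(ev["image"]) not in INTERPRETERS:
            continue
        # Walk up the ancestry: Word may start cmd.exe, which starts PowerShell.
        chain, cur = [base(ev["image"])], ev
        for _ in range(max_depth):
            parent = procs.get((cur["host"], cur["ppid"]))
            if parent is None:
                break
            chain.append(base(parent["image"]))
            if chain[-1] in OFFICE:
                cmd = ev["command_line"].lower()
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "chain": " -> ".join(reversed(chain)),
                               "download": any(h in cmd for h in DOWNLOAD_HINTS)})
                break
            cur = parent
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not taken from any incident
    {"host": "ws-01", "pid": 200, "ppid": 100, "image": r"C:\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE invoice.doc"},
    {"host": "ws-01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell.exe -w hidden"},
    {"host": "ws-01", "pid": 400, "ppid": 300, "image": PS,
     "command_line": "powershell.exe -w hidden Net.WebClient http://example.invalid/x"},
    {"host": "ws-02", "pid": 500, "ppid": 100, "image": PS,
     "command_line": "powershell.exe Get-Service"},   # admin use, no Office ancestor
]

if __name__ == "__main__":
    for alert in find_office_script_chains(SAMPLE_EVENTS):
        print(alert)
```

Walking the ancestry rather than checking only the direct parent matters because the interpreter is often one hop removed from the Office process; PID reuse on long-running hosts will need a process GUID or start time as part of the key.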

Find out how Barkly can help you block attacks at the earliest outset, before initial infections turn into emergencies and headlines. See a demo. 


Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

