Critical Infrastructure Security

North Carolina water utility ONWASA taken down by ransomware


The Onslow Water and Sewer Authority (ONWASA) in Jacksonville, N.C. was hit with a ransomware attack over the weekend that has all but shut down its computer operations.

ONWASA, which is still recovering from the effects of Hurricane Florence, reported that its system came under attack from what it believes to be the EMOTET trojan on October 4, resulting in its system being overwhelmed about nine days later.

ONWASA’s IT department and an outside cybersecurity firm immediately went into action on Oct. 4, and it was believed at the time that the attack was fended off. However, on Oct. 13, in what may have been a delayed-action attack, Ryuk ransomware began attacking the system and encrypting its files. The utility’s IT staff attempted to stop the ransomware by disconnecting its network from the system, but this last ditch effort did not work.

ONWASA has since received an email from the cybercriminals behind the attack demanding a ransom. The utility said it will not pay and will instead rebuild its databases.

“The lack of computing ability will affect the timeliness of service from ONWASA for several weeks to come,” ONWASA said in a statement. Customers will still be able to make credit card payments over the phone and in a few of the utility’s satellite offices. All other services will have to be done manually until the system is restored.

Sewage treatment and the water supply are not in danger and the company said no customer data has been accessed.

Ryuk ransomware was reportedly behind several attacks this summer, according to Check Point in a report last month. The attackers normally ask for a payment of between 15 to 50 bitcoin and have so far collected $640,000, Check Point said.

While attribution is always difficult, Check Point did try to connect the dots in its report.

“Curiously, our research lead us to connect the nature of Ryuk’s campaign and some of its inner workings to the HERMES ransomware, a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks. This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code,” the cybersecurity firm said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.