Utility organisations, like other businesses and institutions, depend on computers and software for many operational critical functions, and can be a prime target for cybercriminal activity - especially given the potential damage and destruction that interruptions in services or a complete shutdown and being offline can cause.  

One of South Africa’s power suppliers was hit with a ransomware attack on Thursday, the victim organisation stated databases, applications and network were encrypted. While the incident did not impact the personal data of the clients, it affected clients’ ability to pay their bills and many were cut out from power. 

Ransomware attacks across markets are on the rise. In fact, according to Kaspersky Security Network, for Q1 2019, ransomware attacks were defeated on the computers of 284,489 unique users. Ransomware is a type of Trojan that modifies user data on a victim’s computer so that the victim can no longer use the data or fully run the computer. Once the data has been “taken hostage” (blocked or encrypted), the user receives a ransom demand. This tells the victim to send the malefactor money, in return for the cybercriminal sending the victim the means to restore the data or restore the computer’s performance. The reality however is that there is no guarantee that the cybercriminals will restore the data after the targeted victim or business has paid the ransom. 

With the inability to operate its business normally, the victim organisation of a targeted ransomware attack will not only experience a loss of money but faces further potential loses, as particularly in the case of utilities and the nature of their services, an unplanned/unscheduled interruption can cause damage to its physical infrastructure. Additionally, there is the risk of reputational damage and loss, not to mention the cost of removing the malware and restoring data. And, there is also the risk that the criminals may use the stolen data for further cybercriminal activity.  

Kaspersky previously investigated a number of attacks that were used to disrupt operations in private or public organisations, employing ransomware or similar malware to achieve their goals. Shamoon and Stonedrill for example targeted the Middle East with wipers and ransom malware, encrypting tens of thousands of systems in government organisations in an attempt to block their operations. Another example, Blackenergy is also a malware that was investigated as it was employed in attacks on the critical infrastructure in Ukraine and caused multiple cities to be cut out from power for hours! The Olympic destroyer is also another example of malware which was used in an attempt to disrupt the Winter Olympics in Pyeongchang, South Korea. 

To avoid falling victim to such cybercriminal activity, all organisations whatever their business should:

• Secure all endpoints
• Apply operating system and application updates as soon as they are available
• Backup data regularly and keep backup drives safe or offline
• Don’t routinely assign staff admin rights on computers; and limit access to data to those who really need it
• Educate staff about the tactics employed by attackers.  This includes:
  • Never clicking on unverified links
  • Never opening untrusted emails
  • Only downloading from trusted and verified websites

It should also be noted that while paying the extorters seems like the best option and easiest path to get the data back, it is never guaranteed that the data will be retrieved. There have been cases in the past where the attackers do not restore the data; and other cases where they restore some of the data and then demand further payment before restoring the rest of the data. Paying only encourages the cybercriminals to continue to develop ransomware-based attacks.

By Dr. Amin Hasbini,

Head of the Global Research & Analysis Team for META at Kaspersky