Defending Against the Ransomware Threat

By Jason Glassberg, Casaba Security

Electric power companies face a range of threats, from physical sabotage and malicious insiders to exposed network services that almost anyone can find with the Shodan search engine. A recent attack on an electric utility in Michigan, however, highlights the growing risk of another threat to the power industry: ransomware.

In April 2016, municipally-owned public utility Lansing Board of Water & Light was infected by ransomware after an apparent email phishing attack. The infection forced the utility to shut down all of its corporate IT systems, including administrative, accounting, email and online customer service, as well as phone lines, fax machines and other technologies. A similar incident struck Israel’s Electric Authority in January 2016. It too was forced to shut down its network and administrative functions. In both cases, however, the ransomware did not affect power service or industrial operations.

Power companies need to pay close attention to these attacks because ransomware is a threat that will not go away any time soon. In fact, it is likely to get worse. Between 2013 and 2015, the number of ransomware samples detected in the wild jumped 270 percent, according to McAfee. In January 2016, security researchers also found criminals offering "ransomware-as-a-service," such as "Ransom32," a complete package sold to other criminals so that even attackers with little technical skill can run a campaign.

Following is a summary of what operators need to know about the ransomware threat.

What is Ransomware?

Ransomware is malware that denies its victim access to data or systems, most often by encrypting them, and then holds that access for ransom. There are several types. Some variants encrypt every discoverable file of value, such as Word documents, spreadsheets and PDFs; others encrypt the entire hard drive; some hijack the computer's boot process so the machine cannot start; and some simply lock the screen or Web browser to make the computer unusable. Millions of variants have been seen in the wild, but they all share the same goal: lock the targeted company out of its computers and data until it agrees to pay a hefty ransom.

Removing the malware itself is usually straightforward; recovering the encrypted files is not. Without the attacker's key, and without a clean backup, the victim's only options are to wipe the machine and lose the data or to pay. As a result, companies are often forced to pay the ransom in order to regain access to that data. The ransom demand can vary widely, from tens of thousands to millions of dollars.

Ransomware has been around for many years. In the past the malware was less sophisticated and its use was largely confined to Russia and Eastern Europe; that has changed considerably. Ransomware's highly successful business model has made it popular with criminal groups the world over, and developed countries are now the main targets. The U.S. is the most targeted nation, accounting for 38 percent of all file-encrypting ransomware and 52 percent of all screen-locking ransomware, according to Symantec. Eleven of the 12 countries with the worst ransomware infection rates are in the G20. In addition, established criminal groups, such as the operators of the notorious Dridex banking botnet, are switching to ransomware.

How Are You Infected?

The two most common ways for a company to get infected are “phishing” emails and “drive-by download” Web attacks.

By now, most companies are aware of phishing emails, but it’s important to not underestimate this threat. Power companies in particular should expect to be targeted by more sophisticated phishing campaigns, which may “spoof” an executive or employee email address to make it seem like a legitimate message.

Criminals may also do research on the company and its employees to further improve the email’s chances of success. They may use urgent appeals, like past due invoices, to trigger an emotional response among employees, getting them to “click before they think.”

Typically, the infection arrives as an attached file, most often a Word document or spreadsheet carrying a malicious macro that runs when the employee opens the file and enables its content, or a script disguised as a document. The email may instead carry a URL in its body that sends the employee to a malicious website.
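The checks a mail gateway can apply to the phishing message described above, and to the sender allowlisting recommended later in this article, as an added example written for this page rather than code from the author or from Casaba Security. The organization's domain, the allowlist and the two sample messages are constructed assumptions; the heuristics (look-alike sender domain, envelope/header sender mismatch, missing SPF/DKIM pass for mail claiming the utility's own domain, executable or macro-enabled attachments, urgency language) are the ones the text describes:

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example-utility.com"                        # assumed: the utility's own mail domain
ALLOWED_DOMAINS = {ORG_DOMAIN, "trusted-vendor.example"}  # assumed sender allowlist
# Attachment types that carry executable content: scripts, binaries, macro-enabled Office files
RISKY_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat",
             ".cmd", ".ps1", ".docm", ".xlsm", ".pptm"}
URGENCY = re.compile(r"\b(past due|overdue|urgent|final notice|immediately)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (utiIity vs utility)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def auth_passed(msg, mechanism: str) -> bool:
    """True if the receiving MTA recorded spf=pass / dkim=pass in Authentication-Results."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return re.search(rf"\b{mechanism}=pass\b", results) is not None


def triage(raw: bytes):
    """Return (verdict, findings) for one inbound message. Verdict is 'deliver',
    'flag' (deliver with a warning banner) or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []                                   # (severity, description)
    sender = domain_of(msg.get("From"))
    envelope = domain_of(msg.get("Return-Path"))

    if sender == ORG_DOMAIN and not (auth_passed(msg, "spf") or auth_passed(msg, "dkim")):
        findings.append(("high", "claims our own domain but has no SPF or DKIM pass (spoofed sender)"))
    elif sender not in ALLOWED_DOMAINS:
        d = edit_distance(sender, ORG_DOMAIN)
        if 0 < d <= 2:
            findings.append(("high", f"look-alike sender domain {sender} ({d} edits from {ORG_DOMAIN})"))
        else:
            findings.append(("medium", f"sender domain {sender} is not on the allowlist"))
    if envelope and envelope != sender:
        findings.append(("medium", f"envelope sender {envelope} differs from header From {sender}"))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in RISKY_EXT:
            why = "double-extension " if name.count(".") >= 2 else ""
            findings.append(("high", f"{why}executable or macro-enabled attachment {name}"))

    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append(("low", "urgency language in subject"))

    severities = {s for s, _ in findings}
    verdict = "quarantine" if "high" in severities else "flag" if findings else "deliver"
    return verdict, findings


def build_phish() -> bytes:
    """Constructed sample, not a real capture: spoofed CFO on a look-alike domain,
    bulk-mailer envelope sender, 'past due invoice' lure, macro-enabled attachment."""
    m = EmailMessage()
    m["From"] = '"Pat Smith, CFO" <pat.smith@example-utiIity.com>'   # capital I in place of l
    m["To"] = "accounts.payable@example-utility.com"
    m["Return-Path"] = "<bounce@bulk-mailer.example>"
    m["Subject"] = "PAST DUE invoice 4471 - action required immediately"
    m.set_content("Please open the attached invoice and enable editing to view it.")
    m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real document",
                     maintype="application", subtype="vnd.ms-word.document.macroenabled.12",
                     filename="Invoice_4471.docm")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed sample: allowlisted vendor, consistent sender, plain PDF statement."""
    m = EmailMessage()
    m["From"] = "billing@trusted-vendor.example"
    m["To"] = "accounts.payable@example-utility.com"
    m["Return-Path"] = "<billing@trusted-vendor.example>"
    m["Subject"] = "March statement"
    m.set_content("Statement attached.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="statement_march.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_phish(), build_benign()):
        verdict, findings = triage(raw)
        print(verdict, [d for _, d in findings])
```

The allowlist decides nothing on its own: a message from an allowlisted domain still has to carry an SPF or DKIM pass when it claims the utility's own domain, and a risky attachment quarantines the message regardless of who sent it, since a compromised vendor mailbox is a common source of these lures.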

This leads to the second method of ransomware infection: drive-by attacks. A "drive-by" is a stealthy download of a malicious file to a computer, usually through an unpatched browser or browser plugin, where the victim does not suspect a thing. Hackers seek out legitimate websites with poor security and plant code on them that infects anyone who lands on the page. It is increasingly common, especially among more sophisticated groups, to target websites that are popular within a specific industry, such as an industry forum, a vendor or a government agency website. Hackers call this a "watering hole" attack.

Hackers also might exploit vulnerabilities in the company’s network to infect it with ransomware, or use pre-existing malware infections to remotely install ransomware into the company’s computer system.

Once ransomware is running on an employee's computer, it enumerates local drives, removable media and every network share the logged-in user can write to, including mapped drives on file servers, and encrypts what it finds. More capable variants also use the user's credentials to reach other computers, servers and equipment on the network.

How Does Ransomware Impact Operations?

To date, ransomware infections in the energy sector have been limited to office-based networks. The impact, therefore, has been on administrative functions, like email, accounting, logistics management, etc., and not on the actual industrial control systems (ICS) for power generation or distribution.

Electric facility operators need to keep a few things in mind, however. First, even if the infection is limited to "only" the office network, it can result in a serious and costly disruption of operations and services. It also poses additional safety and security risks, because the office network may have to be shut down, which can take away the tools operators rely on to properly monitor the ICS.

Security firms also remain concerned that ransomware will eventually invade the ICS/SCADA environments, affecting actual power generation and distribution operations, with obviously dramatic consequences. Because it is extremely difficult, dangerous and expensive to replace or rebuild live ICS/SCADA systems, this type of event would be catastrophic for any operator.

In addition, given the growing popularity of ransomware, it is likely that at some point the same tools will be used by a criminal or activist group for whom money is not the motive and no decryption key is ever offered. This is an equally frightening scenario, as it could shut down a utility's main operations for an indefinite period and result in the permanent loss of critical data.

Security Recommendations

Utilities need to take several steps to ensure their networks are prepared for the ransomware threat.

Reduce the risk of exposure

- Install email filtering that allowlists trusted senders and blocks executable or macro-enabled attachments, and "script-blocking" browser plugins on all employee computers.

- Train employees in basic security awareness, particularly with regard to phishing emails.

- Make sure all computers and servers are regularly updated with the latest software and security patches, browsers and browser plugins included.

- Use robust malware-detection programs with anti-phishing support and a modern firewall.

- Prevent thumb drives and other external devices or media from being connected to office machines.

Duplicate data

- Conduct regular data backups to external hard drives and/or cloud-based accounts, and keep them versioned so that an encrypted copy never overwrites the last good one.

- When using physical storage devices, make sure they remain disconnected from the network except while the backup is actually running, as they too can be encrypted.

- Use cloud-based storage for certain types of data, as this provides an additional level of assurance for full recovery. Test restores regularly; a backup that has never been restored is an assumption, not a safeguard. (Data backups are the most important element of a ransomware defense. Even if systems become infected, the company can resume normal operations by rebuilding the affected machines and restoring the data.)
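The backup properties recommended above (versioned copies that an infected client cannot overwrite, integrity verification, and a tested restore), as an added example written for this page rather than code from the author or from Casaba Security. It keeps a content-addressed, append-only snapshot repository, runs a constructed stand-in for a crypto-locker against the source directory, and shows that the earlier snapshot still restores the original files while the change ratio between snapshots exposes the attack. The directory layout, file contents and the simulated ransomware are all assumptions; in production the repository lives on a backup host that pulls from the file server and that no office machine can write to:

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, repo: Path, label: str) -> dict:
    """Store every file under src as repo/objects/<sha256> and write an append-only manifest.
    Objects are never overwritten: a file encrypted by ransomware has a new hash, so it lands
    as a new object while the original object and all earlier manifests stay intact."""
    objects, snaps = repo / "objects", repo / "snapshots"
    objects.mkdir(parents=True, exist_ok=True)
    snaps.mkdir(exist_ok=True)
    manifest_path = snaps / f"{label}.json"
    if manifest_path.exists():
        raise FileExistsError(f"snapshot {label} already exists; snapshots are append-only")
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = sha256_file(f)
        if not (objects / digest).exists():
            shutil.copy2(f, objects / digest)
        manifest[f.relative_to(src).as_posix()] = digest
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def load_manifest(repo: Path, label: str) -> dict:
    return json.loads((repo / "snapshots" / f"{label}.json").read_text())


def verify(repo: Path, label: str) -> bool:
    """Re-hash every object the snapshot references; catches tampering and silent corruption."""
    return all(sha256_file(repo / "objects" / d) == d for d in load_manifest(repo, label).values())


def drift(repo: Path, old_label: str, new_label: str) -> float:
    """Fraction of paths in the old snapshot whose content vanished or changed. A crypto-locker
    rewrites nearly everything at once, so a jump toward 1.0 between two runs is an alarm."""
    old, new = load_manifest(repo, old_label), load_manifest(repo, new_label)
    if not old:
        return 0.0
    return sum(1 for p, d in old.items() if new.get(p) != d) / len(old)


def restore(repo: Path, label: str, dest: Path) -> int:
    manifest = load_manifest(repo, label)
    for rel, digest in manifest.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(repo / "objects" / digest, target)
    return len(manifest)


def simulate_ransomware(src: Path) -> None:
    """Constructed stand-in for a crypto-locker: overwrite each file with random bytes
    (what ciphertext looks like), add a .locked extension, drop a ransom note."""
    for f in list(p for p in src.rglob("*") if p.is_file()):
        f.write_bytes(os.urandom(f.stat().st_size or 16))
        f.rename(f.with_name(f.name + ".locked"))
    (src / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        src, repo, dest = Path(tmp) / "fileserver", Path(tmp) / "backup_repo", Path(tmp) / "restored"
        (src / "accounting").mkdir(parents=True)
        files = {"accounting/ledger.csv": b"acct,amount\n1001,250.00\n",    # constructed data
                 "outage_plan.docx": b"PK\x03\x04 constructed placeholder, not a real document"}
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        original = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}

        snapshot(src, repo, "day1")
        simulate_ransomware(src)
        snapshot(src, repo, "day2")          # the encrypted state is captured too, as new objects
        try:
            snapshot(src, repo, "day1")      # an infected client cannot rewrite history
            rewrite_refused = False
        except FileExistsError:
            rewrite_refused = True
        restore(repo, "day1", dest)
        return {
            "day1_intact": verify(repo, "day1"),
            "day2_intact": verify(repo, "day2"),
            "drift_day1_to_day2": drift(repo, "day1", "day2"),
            "restore_matches_original": {rel: sha256_file(dest / rel) for rel in files} == original,
            "ransom_note_in_day2": "README_DECRYPT.txt" in load_manifest(repo, "day2"),
            "rewrite_refused": rewrite_refused,
        }


if __name__ == "__main__":
    print(demo())
```

The drift check is the cheap canary a backup job can raise before anyone notices the ransom note: ordinary daily change on a file share is a few percent, not everything at once. A snapshot that captures encrypted files is still worth keeping, since it records exactly which files were hit.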

Divide and isolate

- Segment the office network as much as possible so that malware cannot spread freely from an infected machine; in particular, limit which users and machines can write to shared file servers.

- Air-gap all sensitive systems and industrial control processes from the office network, and treat any remaining connection between the two as a path ransomware can take.

Fast response

- Use network monitoring tools like security information and event management (SIEM) or intrusion detection/prevention systems (IDS/IPS) to detect malicious activity quickly. Ransomware announces itself on file servers: watch for a single account rewriting or renaming large numbers of files within minutes, and for "how to decrypt" notes appearing in many directories.

- In the event of ransomware, disconnect affected machines from the network immediately and contact an incident response (IR) team with ransomware experience. Some variants have flawed encryption, and the files they lock can be recovered without paying and without jeopardizing the data. An experienced IR team can make that determination.
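The detection logic the "fast response" recommendations above call for, as an added example written for this page rather than code from the author or from Casaba Security, run over constructed file-server audit lines rather than a real capture. The log line format, the baseline of expected extensions and the thresholds are assumptions to be tuned against real traffic; the two signals are the ones ransomware cannot avoid producing, a burst of renames to a foreign extension by one account and the same ransom note dropped into many directories, and a bulk backup job that rewrites many files without changing their names is included to show it does not trip the rule:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions expected on this share (assumed baseline; build it from a real file inventory)
BASELINE_EXT = {".docx", ".doc", ".xlsx", ".xls", ".pdf", ".csv", ".txt", ".pptx",
                ".jpg", ".png", ".msg", ".dwg"}
RANSOM_NOTE = re.compile(r"(decrypt|recover|restore|how_to|readme).*\.(txt|html|hta)$", re.I)
WINDOW = timedelta(seconds=60)   # burst window
RENAME_THRESHOLD = 20            # renames to non-baseline extensions per server/user inside WINDOW
NOTE_DIR_THRESHOLD = 3           # note-like file created in this many distinct directories

# Assumed audit-log shape: '<ISO time> <server> <user> <ACTION> <path>[ -> <newpath>]'
LINE = re.compile(r"^(?P<ts>\S+) (?P<server>\S+) (?P<user>\S+) "
                  r"(?P<action>CREATE|WRITE|RENAME|DELETE) (?P<path>\S+)(?: -> (?P<new>\S+))?$")


def parse(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def dirname(path: str) -> str:
    return path[: len(path) - len(basename(path))]


def extension(path: str) -> str:
    name = basename(path)
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(lines):
    """Return one alert per (server, user) pair showing ransomware-like behaviour."""
    rename_times = defaultdict(list)   # (server, user) -> times of renames to foreign extensions
    note_dirs = defaultdict(set)       # (server, user) -> directories that received a ransom note
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["server"], ev["user"])
        if ev["action"] == "RENAME" and ev["new"] and extension(ev["new"]) not in BASELINE_EXT:
            rename_times[key].append(ev["ts"])
        if ev["action"] in ("CREATE", "WRITE") and RANSOM_NOTE.search(basename(ev["path"])):
            note_dirs[key].add(dirname(ev["path"]))

    alerts = []
    for (server, user), times in rename_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append({"server": server, "user": user, "count": end - start + 1,
                               "first_seen": times[start].isoformat(),
                               "reason": "mass rename to non-baseline extension"})
                break
    for (server, user), dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:     # a lone README.txt in one project folder is not enough
            alerts.append({"server": server, "user": user, "count": len(dirs),
                           "first_seen": None, "reason": "ransom note dropped in many directories"})
    return alerts


def sample_log():
    """Constructed audit lines, not a real capture."""
    t0 = datetime(2016, 4, 25, 9, 14, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = []
    for i in range(40):   # benign: backup job rewrites many files, extensions unchanged
        lines.append(f"{stamp(i)} FS01 backupsvc WRITE \\\\FS01\\finance\\report_{i}.xlsx")
    for i in range(30):   # malicious: one account rewrites and renames every spreadsheet to .locked
        lines.append(f"{stamp(1 + i)} FS01 jdoe WRITE \\\\FS01\\finance\\q1_{i}.xlsx")
        lines.append(f"{stamp(1 + i)} FS01 jdoe RENAME \\\\FS01\\finance\\q1_{i}.xlsx"
                     f" -> \\\\FS01\\finance\\q1_{i}.xlsx.locked")
    for d in ("finance", "hr", "operations", "legal"):
        lines.append(f"{stamp(50)} FS01 jdoe CREATE \\\\FS01\\{d}\\HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Both rules key on the account and server rather than on the workstation, because that is what file-server audit logs record, and the account is what the responder needs in order to disable access and find the infected machine behind it. The same two signals translate directly into a SIEM correlation rule over Windows object-access events or Samba audit logs.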

Ransom payment

- In the event that an attack succeeds and the data cannot be recovered, utilities must make a tough choice. If the company has lost access to critical data or systems it must have to operate, it will probably have to pay the ransom. Keep in mind, of course, that you are dealing with criminals: they may not honor their promise to release the data, or they may re-infect the network again soon afterward.

- Use a cybersecurity specialist to negotiate with the criminals and to facilitate the payment (often done using Bitcoin), if necessary.


Ransomware poses a complex and growing threat to the power industry and must be prioritized in the security planning process. It’s important for operators to focus equally on prevention and post-breach defense in order to limit the potential for damage. Although this attack can be challenging to defend against, it is possible with the right “defense-in-depth” approach in place. Operators are encouraged to consult with cybersecurity specialists ahead of time to plan out all contingencies for this type of event.

Jason Glassberg is co-founder of Casaba Security, a cybersecurity firm specializing in white hat hacking, vulnerability detection and security policy development. The company advises critical infrastructure companies, in addition to financial services, technology and government entities. Learn more at
