When the message to upgrade Adobe Flash appeared on the computer screen of a veteran customer service representative, it was the start of a routine Monday in late August. There were all the regular e-mails to get to and drop-box payments from the weekend to process.
Then all heck broke loose.
“It was an innocent mistake of clicking on an upgrade that let it in behind the firewall,” says Chad Waldow, general manager at Stanton County Public Power District (PPD) in Nebraska.
That single, errant click opened the door to a type of malicious code called ransomware, which systematically traverses every accessible file on a network and locks each one down by encrypting it.
“It encrypted all those files [that the employee had access to],” Waldow says. “It also destroyed all our shadow copies kept on our server, so we were not able to retrieve the data that was encrypted.”
To decrypt the files, the cyber criminal offers to provide a key, but at a cost. Companies have spent tens of thousands of dollars regaining access to their files. Whole networks and servers can become encrypted, even files in the cloud.
The recent proliferation and diversification of these insidious network attacks led cybersecurity experts in multiple IT publications to proclaim 2016 “The Year of Ransomware.” FBI data shows a steady upward trend of attacks beginning in 2015 and continuing through 2016. Numbers are not yet available for the amount paid in cyber ransoms last year, but it’s sure to exceed the $24 million reported in 2015.
Waldow says what makes ransomware so diabolical is its ability to go undetected until the damage is done.
“Anti-virus alerted us with an on-screen notification of an infected file,” he recalls. “IT checked into it and could not find an infected file, so we didn’t believe there to be an issue. It’s very good at disguising itself.”
It was about an hour or so after the initial click that IT officials at the PPD learned something was wrong when another employee reported missing files.
“She clicked on a file, and it was like there was no file there at all,” Waldow recalls. “It took over very quickly and came to an end when it got to everything it could.”
Once the intrusion was discovered, an IT specialist removed the infected computer from the network and replaced all the network files from a backup drive, a task that consumed the full workday. The infected computer was then wiped, and Windows was reloaded before putting it back on the network.
“We were able to do a full recovery from tape backup drives from the night before,” he says. “We typically back up every night. We were up and running the next day.”
Waldow says Stanton County PPD was careful to ensure its billing system runs on an independent off-site server, so no billing or personal information was compromised in the attack.
Still, he says at the time, he was “surprised” that his 3,000-meter utility with 15 staff in quiet northeast Nebraska was targeted. He knows now that no business is immune, regardless of size.
“We kept hearing stories about ransomware, [but] we kept them in the back of our mind,” Waldow says. “We didn’t think it would ever happen to us.”
It’s a common misconception.
In mid-March, another Nebraska PPD saw one of its small commercial account members hit so hard by ransomware that the parties sifted through its ramifications for days.
The ransomware encrypted the business’s entire network.
“They believed by having some of their data on two different clouds that they were protected,” says Tim Lindahl, general manager of Wheat Belt PPD in Sidney, Neb., which serves another 661 commercial members. “However, the infection was able to lock their cloud data as well as their online backups.”
The ransom was set at a staggering $250,000, to be paid in the hard-to-trace internet currency bitcoin. The business owner wanted to pay, but the FBI advised against it, saying it was likely they wouldn’t get all their data back anyway, and that the hackers would continue to demand more money.
An ongoing FBI forensics investigation forced the business to cease operations indefinitely. Business documentation was lost, meaning the company will miss scheduled obligations.
“That could and probably will cause them to lose their customers temporarily, if not permanently,” Lindahl says. “One of the implications to us is a possible loss of a customer-member.”
The affected company does have an IT staff, Lindahl adds, “which is better than most small businesses and cooperatives. But as they found out, that was not enough to keep them protected.”
‘They’re Winning the Game’
Marc Child, an information security program manager at Great River Energy, the Maple Grove, Minn.-based G&T, says the sophistication of malicious code and the ease of starting a ransomware enterprise puts targeted businesses at a disadvantage.
“It’s incredibly easy to get into this business,” he says, noting that the upfront investment for buying “off-the-shelf” ransomware platforms can be as little as $400. “Ransomware authors are really, really good at what they do. They’re winning the game right now.”
Philip Huff, director of IT security and compliance for Arkansas Electric Cooperative Corp. (AECC), the G&T in Little Rock, says combatting ransomware is “part of doing business today.”
He likens the criminal enterprise to an internet start-up.
“Like a business, the cybercriminals invest research dollars and find better ways to extort people,” he says. “Whatever income they’re getting through ransomware is going into their research and development fund.”
AECC had a ransomware incident about three years ago when an employee clicked on a malicious e-mail link that appeared to be from UPS regarding a delivery update. After the click, a message appeared on the screen informing the user that their files were encrypted and offering to unlock them for a $700 ransom, Huff recalls.
The employee called IT staff, which disconnected the infected computer from the network and identified which files were encrypted and which of these had not been backed up. AECC recovered the bulk of the files and did not pay the ransom.
“Most of the co-ops I’ve talked to have not paid ransom,” Huff says. “There is a risk to paying. You might not get what you want back. But there’s also a risk to not paying. Companies have to make the best decision for the business.”
What’s a Co-op to Do?
In southern Mississippi, Coast Electric Power Association has been building cyber defenses for nearly a decade, and they have so far avoided a ransomware incident.
“I always tell my people, when it comes to cybersecurity, there’s no guarantee that you’re safe,” says Scott Verdegan, information systems director for the Kiln-based co-op. “Anybody can get around cybersecurity. You want to make yourself less of a target.”
An informal poll of the electric co-op IT community last June showed that co-ops were experiencing ransomware incidents at about the same rate as the small-business community in general. Nearly all of those surveyed said their co-op has taken action to defend against malware.
Verdegan knocks on wood and credits his co-op’s security success to a robust, multi-layered program that includes an array of industry best practices.
GRE’s Child suggests co-ops ensure their backup technology is isolated from their main network. “If your backup files are reachable from one site to another, then the bad guys can reach them too,” he says.
Huff at AECC stressed good content management so that critical files can be protected immediately in the event of an attack.
Verdegan and other co-op IT leaders also agree that cybersecurity deserves a full-time staffer.
“In the co-op world, we all wear multiple hats,” he says. “But cybersecurity has gotten so complicated and ever-changing that you need someone to be on top of it all the time.”
When things go wrong and a successful attack occurs, the next best thing is good insurance coverage. The ransomware trend has led to a dramatic increase in cybersecurity policies taken out by co-ops big and small, says Bill West, vice president of underwriting at Federated Rural Electric Insurance Exchange (Federated). To date, about 75 percent of all electric co-ops have purchased some amount of cyber insurance.
He says that number reflects well on how seriously co-ops are taking the threat, noting that only about 40 to 45 percent of other businesses have taken cyber insurance.
“Ransomware is the most proliferative cyber incident we’re seeing right now,” he says. “The co-ops are being pretty diligent about protecting themselves and educating themselves. We have not seen any big losses as a result.”
West says the average cost of a ransomware event is about $7,500, which can include hiring IT specialists to restore files, beefing up security, having experts conduct penetration tests, and putting together an incident-response plan. Federated’s policy covers cyber extortion, including the cost of the ransom and the cost of restoring encrypted data.
Still, he says, there is work to do to make sure rural co-ops know they are indeed in the crosshairs of cyber extorters.
“The average co-op doesn’t feel they’re vulnerable at all,” he says. “They really think they’re too small, too isolated for anyone to pay attention to.”
But today’s hacker, West notes, “is not a 14-year-old in someone’s basement. It’s an automated bot network. They don’t discriminate; they pick on everyone.”
Secret Weapon: Collaboration
Jacek Szamrej devoted 13 years to building cyber defenses at Vermont Electric Cooperative before joining SEDC (NRECA Service Member) in Atlanta as its cybersecurity vice president in 2016. From his vantage point, the cooperative spirit is a key defense.
“Working together—electric utilities, NRECA, and vendors—we can improve cybersecurity defense,” he says. “The bad guys are collaborating; we need to collaborate too.”
To that end, cybersecurity is a frequent topic at NRECA meetings, conferences, and training programs; several statewides hold regular cybersecurity briefings to discuss the latest threats and defenses; and some distribution co-ops are even organizing state and regional IT security events.
NRECA’s Business and Technology Strategies unit, in partnership with the U.S. Department of Energy, is developing a cutting-edge network security tool for commercial distribution. (See ‘A Bigger Net’ sidebar.) And NRECA, associate members, and some statewide associations and G&Ts are providing volume licensing and discounts on software tools and firewall management services to reduce cybersecurity costs for co-ops.
“There’s strength in numbers,” says AECC’s Huff, emphasizing the financial impact of working together on trainings and software. “We are able to pool numbers together to get better discounts on products and services. Also, monthly web conferences keep us engaged and provide opportunities to learn from each other.”
For Waldow at Stanton County PPD, keeping dialogue flowing will help co-ops stay on top of threats.
“I think others can learn from what we had happen to us, and hopefully, together, we can defend ourselves,” he says. “But it’s an ongoing battle. I don’t think we’ll ever win. You’re just constantly going to be addressing it and defending yourself.”