A Michigan-based utility company disclosed this week that it has become the first publicly reported victim of a ransomware attack against a public utility in the U.S. The attack highlights the importance of the ransomware threat for many industry sectors and the need for companies to put in place response plans and defensive measures.
On Monday, April 25, the Lansing Board of Water and Light (“BWL”) announced that its corporate networks had been infected with ransomware, a type of malware that encrypts data on the systems it targets and holds the data hostage until a ransom is paid.1 Upon detecting the intrusion, BWL reportedly initiated a self-imposed lockdown of all corporate networks, shutting down accounting, email, and telephone systems.2 The company reported that no utility functionality was lost as a result of the incident and no customer data was compromised.3
According to the company, the attackers were able to deliver the malware through a phishing email, a typical attack vector for ransomware incidents.4 Phishing, whereby an attacker transmits emails that appear to be from a trustworthy or innocuous sender, delivers malware or redirects a user to a website from which the malware is downloaded, often bypassing basic security measures such as antivirus or firewall software. In this case, reports indicate that a BWL employee unknowingly released the ransomware onto the company’s systems by opening an email with an infected attachment. Email systems at BWL remained offline for over a week.5
In response to the breach, BWL retained cyber-incident response experts to review and evaluate the company’s IT systems and support the return of BWL’s administrative services to full functionality.6 The company is also reportedly working with the Michigan State Police and the FBI to determine the source of the attack.
Although ransomware is only one of a number of cybersecurity threats that are rapidly evolving and proliferating, it has been a lucrative method of attack that, through the use of Bitcoin-based ransom payments, is difficult to investigate and prosecute. Companies should focus on reviewing their information security programs to ensure they are taking the ransomware threat into account. Key mitigation steps include reliable backups of critical data and systems (including, where appropriate, multiple copies of backups, to account for newer variants of ransomware that attempt to interfere with or destroy data backups themselves), blocking malicious attachments and websites, and an active training program for employees to sensitize them to the threat.
As with most internet-based attacks, a ransomware attack can move so quickly that a timely and rapid response is essential; such a response can best be managed through up-to-date incident response plans and pre-emptive work to limit the damage ransomware can cause if an infection occurs. A recommended best practice is for companies to work at the management or Board level with counsel to review their current cybersecurity preparedness and to prepare incident response plans for data and network breaches. Involvement of counsel in managing a post-breach scenario may also help protect legal privileges and company equities in subsequent litigation and can facilitate dialogue with law enforcement.