Ransomware disrupts utilities, infrastructure in January

Ransomware attacks last month caused outages and disruptions at public sector and critical infrastructure organizations as well as a major financial services firm.

Ransomware disrupted important U.S.-based utilities and services organizations in January, including a municipal water treatment organization in a sector that has become a growing target for attackers.

The persistent ransomware threat continued last month following what many cybersecurity vendors and threat reports called a record year for ransomware in 2023. New victims emerged last month, but many of the targeted sectors and industries remained consistent from last year.

Throughout January, ransomware impeded operations for victims in the government and critical infrastructure sectors, including water and wastewater treatment services. Last month, CISA published an incident response guide for water utilities warning that attacks "could cause cascading impacts across critical infrastructure." The guide also confirmed that the sector has already been hit by ransomware in recent years.

On Jan. 19, Boston-based Veolia North America disclosed that ransomware had hit its municipal water division the previous week, affecting "some software applications and systems." In response to the attack, Veolia took its internal back-end systems offline, which disrupted customer access to the billing system. The water utilities company operates in 550 communities across North America.

As of Jan. 19, Veolia said there was "no evidence" that the attack affected its water or wastewater treatment operations. However, the company said the personal information of a "limited number of individuals" was stolen. An investigation into the attack remains ongoing, and the incident forced Veolia to reexamine its cybersecurity posture.

"We are partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures we can take to help prevent incidents of this kind in the future. We are putting our full resources behind these efforts," Veolia wrote in a statement.

More public sector utilities and services were disrupted last month. A ransomware attack on Jan. 21 against Bucks County in Pennsylvania temporarily disrupted the county's emergency communications database. The Akira ransomware group claimed responsibility for the attack, which rendered Bucks County's computer-aided dispatch (CAD) system inoperable for nine days. Law enforcement agencies, the fire department and ambulance services use the tool to record incident data, but the attack forced them to revert to pen and paper. Bucks County's roughly 650,000 residents were still able to make 911 calls during the outage, but the fallout was substantial nonetheless.

On Feb. 7, the Bucks County Board of Commissioners approved contracts with cybersecurity forensic and legal firms and issued a Declaration of Disaster Emergency to help with restoration efforts. While CAD is now functional, the Board of Commissioners said the system requires additional rebuilding.

"The County did not engage in negotiations with those claiming responsibility for the attack, nor did it pay any ransom to restore functionality to its systems. Rather, the County's IT and Emergency Communications departments' meticulous cyber maintenance and backup practices were key to the system's quick restoration," Bucks County wrote in a statement.

The Medusa ransomware group, which was highly active throughout 2023, claimed responsibility for an attack against the Kansas City Area Transportation Authority (KCATA) that occurred on Jan. 23. KCATA disclosed the attack on Jan. 24 and confirmed that it disrupted the regional RideKC call centers and landline service. However, transportation services remained operational. Customers looking to schedule a trip were redirected to new phone numbers while KCATA worked "around the clock" to restore systems. KCATA engaged the FBI and security professionals following the ransomware attack.

Medusa's public data leak site also listed Denver-based nonprofit Water for People, which provides drinking water and sanitation services to communities in nine countries around the world. A Water for People spokesperson told cybersecurity news outlet The Record that the affected data predated 2021, and more importantly, the attack did not disrupt business operations.

U.S. government agencies have issued multiple advisories about increasing threats against critical infrastructure organizations. Earlier this month, CISA, the National Security Agency and the FBI warned that a Chinese nation-state threat actor known as Volt Typhoon had compromised organizations in the communications, energy, transportation systems, and water and wastewater sectors. U.S. agencies also confirmed that the threat actor has been hiding in some victims' IT environments for at least five years to maintain access in preparation for any major conflict that could arise with the U.S.

Education, financial services also hit

Ransomware did not spare the education sector last month. One particularly damaging attack occurred against Clackamas Community College in Oregon, which has an enrollment of more than 18,000 students. The Clackamas Print reported that authorities traced the attack to a Russian IP address.

In a Facebook post on Jan. 21, Clackamas revealed that the incident began on Jan. 19 and shuttered online services, including its website, internal systems and its ability to disburse financial aid. Because online services were affected, Clackamas canceled two days of classes, and teachers were instructed to push back assignment due dates by at least five days. The attack also coincided with the last day to drop winter classes, so that deadline was extended.

As of Feb. 12, some websites were restored. In response to the attack, students were asked to reset their passwords. The infamous LockBit ransomware group claimed responsibility for the attack on its public data leak site.

One of the biggest attacks in January hit an enterprise in the financial sector. California-based mortgage lender LoanDepot disclosed an attack on Jan. 8 in a Securities and Exchange Commission filing, in which the company said the attack "included access to certain Company systems and the encryption of data."

In a press release on Jan. 22, LoanDepot said it forced systems offline to contain the incident, but doing so disrupted and delayed many customer portals used for services and payments. LoanDepot also said it was still working to restore all services and that the attack affected a significant number of customers.

"Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems," LoanDepot wrote.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
