About an hour before dawn in April 2016, a Lansing utility worker opened an email and clicked on a link.
In an instant, that set loose a computer virus that locked out the Lansing Board of Water & Light accounting and e-mail networks and closed customer helpline phones for two weeks.
Officials later disclosed the cost of that click.
In November of that year, General Manager Dick Peffley said the utility had shelled out a $25,000 ransom to unlock its accounting and communication systems. That was on top of $2.4 million to hire a cyber-emergency response team, crisis management and stabilize and restore its systems. Insurance paid for $1.9 million of that – leaving the utility $500,000 poorer for the attack.
Peffley called the utility’s decision to pay the ransom “distasteful and disgusting, but sadly necessary."
“We paid the ransom demanded by the cyber criminals who attacked our system so that we could unlock our administrative systems," Peffley said.
The Lansing incident was a hint of what was to come, as so-called ransomware attacks have hit local governments and hospital systems in Michigan – and even forced a Battle Creek medical office to close earlier this year. Experts warn more are likely in store, as criminal hackers from around the globe probe for soft spots to exploit.
“It’s a very serious problem for Michigan municipalities,” said Dene Westbrook, internal operations director for the Michigan Municipal League. “They need to be prepared. It’s just going to get worse.”
It’s a very serious problem for Michigan municipalities. They need to be prepared. It’s just going to get worse.”
-- Dene Westbrook, internal operations director, Michigan Municipal League.
Westbrook said cities and other public bodies have become popular targets, because some may not have the budget or staff for robust cyber-security measures.
But she warned that no organization or business is immune.
“Spammers and hackers are sending out boatloads of emails trying to trip you up once. All it takes is once, and they are in.”
Indeed, national experts caution that, if anything, cities can expect more attacks as criminals test the cyberdefenses of towns and businesses. While it’s unknown precisely how many might be vulnerable, a 2019 global survey found that 83 percent of organizations had been hit by “phishing” attacks - phoney email messages that, like the Lansing attack, can penetrate, infect and freeze computer networks.
“The business model for the ransomware operators for the past several years has proved to be successful,” Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told the New York Times.
“Years of fine-tuning these attacks have emboldened the actors, and you have seen people pay out — and they are going to continue to pay out.”
And that’s despite FBI warnings that meeting ransom demands only encourages more attacks.
Meanwhile, officials at the Michigan Department of Technology, Management and Budget warned that the technology department’s operations budget would be reduced by 23 percent from Gov. Gretchen Whitmer’s recommendation under the GOP budget plan. That includes $2.4 million less for cybersecurity and $7 million less than Whitmer recommended for a public safety communications system, which is used by first responders.
In March, Michigan Attorney General Dana Nessel warned that personal and medical information for more than 600,000 Michigan residents may have been breached in a 2018 ransomware attack on Detroit-based Wolverine Solutions Group. Among those hit by the breach were Blue Cross Blue Shield of Michigan, health insurer Health Alliance Plan, McLaren Health Care, Three Rivers Health in southwestern Michigan and North Ottawa Community Health System in Grand Haven.
Wolverine Solutions Group President Darryl English said the company did not find evidence that vital records were taken. While a web security site said in a report that the firm paid a ransom, no sum was disclosed.
In the murky world of criminal cyber code, the infecting agent in this case appears to be a malware program called Emotet that first surfaced in Europe in 2014 and soon spread to the United States.
As with much ransomware, its attacks often begin with an innocent-looking phishing email – and an invitation to click on an attachment or link. If the recipient takes the bait, that single click launches malware that can worm its way into devices and lock out files with encrypted code throughout the network. Perpetrators typically ask for a ransom to unlock the code.
And cyber experts warn that malware code continues to evolve, posing new threats that could pop up anywhere in the nation. While no one’s sure who’s behind every attack, some have been linked to cyber criminals in Eastern Europe, Russia and China, and state-backed initiatives in North Korea.
Ransomware – what to do
FBI recommendations to guard against cyber attacks
- Make sure employees are aware of ransomware and their critical roles in protecting data
- Back up data regularly and verify the integrity of those backups.
- Secure your backups. Make sure they are not connected to the computers and networks they are backing up.
- Patch operating system, software and firmware on digital devices
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions appropriately. If users only need read-specific information, they don’t need write-access to those files or directories.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations
In Texas, 22 cities were held hostage this summer by a ransomware attack that infiltrated their computer systems and crippled city services including policing. Experts pointed to a new malware strain that was first seen in April named Sodinokibi, which is hard to detect and can elude anti-virus programs.
One analysis called it “The Crown Prince of Ransomware.”
In the spring of 2018, a ransomware attack on Atlanta froze out thousands of city computers and forced police officers to write incident reports by hand. The perpetrators demanded approximately $50,000 in the cryptocurrency known as Bitcoin, a popular choice of cyber criminals because it is hard to trace. The city has repeatedly said it paid no ransom.
Two Iranians were subsequently charged in the attack, which cost the city more than $2.5 million in recovery efforts.
In May, hackers infiltrated Baltimore city computers and demanded about $75,000 in Bitcoin to release the city’s files. That city also refused. Baltimore has spent more than $5 million to bring systems back online, with one estimate of lost revenues and added cost pegged at $18 million.
The healthcare industry in particular can expect increasing assault, because it can ill afford to have its computer network and vital patient records shut down.
“Lives can be a stake,” Scott Shackelford, chair of the Cybersecurity Program at Indiana University, told Bridge Magazine.
“Unfortunately, hackers have figured that out. If you are looking for people to pay out, hospitals can be a pretty good place to start. It just means a target-rich environment for hackers.”
Indeed, beyond the Wolverine Solutions Group attack, health care has been targeted at two other times in Michigan.
In July 2017, a malware attack penetrated the computer system at Caro Community Hospital in the Thumb, freezing out access to desktop and laptop computers at the hospital, a clinic and urgent care center, closing out phones, email services and even patient records.
A ransom note specified a Bitcoin payment of $120,000.
Hospital officials said they declined to pay. Instead, they shut down computers throughout the system, as the hospital turned to paper records, a procedure that workers had practiced in case of an emergency. With its devices and systems backed up remotely, officials said they were able to restore normal functions in a couple weeks.
In this case, hospital CEO Marc Augsburger said, preparation paid off.
“We have a great staff that are very used to moving things over to paper for any kind of a disaster. There are times where we actually practiced that," Augsburger told a local news outlet.
This past April in Battle Creek, a pair of doctors came under ransomware attack, freezing out access to patient records that in many cases dated back years.
The attacker, believed to be from China, sent an email demanding $6,500 to unlock the files.
Dr. William Scalf consulted with his partner, Dr. John Bizon – a GOP state senator – about what to do. They contacted the FBI and were advised there was no assurance their files would be unlocked even if they paid the sum.
Since both were near retirement, they decided to shut down their practice rather than deal with the hacker.
“It was a nightmare,” Scalf said of the ransomware attack.
Local government should be wary as well.
In Genesee County, the county board in August agreed to spend $1.8 million to beef up its aging technology network after a ransomware attack in April compromised parts of the county’s computer network for over a week.
Commission Mark Young called the attack a “rude awakening” that exposed the reality that county computer operations “were behind the times.”
The funds were to be spent upgrading everything from its computer network, data center, information technology security, phone system, and audio and video equipment.
In a memo to the board chief Information Officer Carl Wilson told commissioners nearly all the county’s technology infrastructure “has reached the end of its useful life and is no longer supported by the manufacturers.”
West of Detroit, the City of Westland was more fortunate.
In February of 2018, a worker in this city of about 82,000 fell for a phishing email that set loose ransomware called Cryptolocker. The hackers demanded $25,000 per device to unlock the encryption code.
Craig Brown, who directs the city’s Department of Innovation and Technology, said officials were able to “stop it in its tracks” before the malware got beyond a second device and a connected server.
The city soon restored normal computer functions – and never paid a ransom.
But Brown told Bridge the incident led this city to ramp up both software and hardware security measures and boost computer training for some 300 city workers.
“We got super lucky. If it was a more virulent form of ransomware, it could have gone very, very badly,” Brown said.
In Lansing, city officials learned lessons as well.
In the wake of the 2016 Lansing utility attack, Heather Shawa, the utility’s chief financial officer, said the city added an additional employee to its IT department. She said the department is more vigilant about updating software security patches.
Shawa said its 700 employees now have an icon on the top of their computer screens they can click if they receive a suspect email.
“If they click on it, it removes it from their computer and quarantines it,” she said.
In addition, Shawa said workers now receive refreshment computer training about once a month. The utility also employs a program called knowbe4.com, which regularly sends out pseudo-phishing attacks to test employee vulnerability.
“I would say there is very high awareness of this now,” she said.
Shawa said the utility was fortunate to survive the attack with no interruption in the utility’s power grid. To this day, Shawa said, the utility is unsure who launched the attack.
Shackelford, the Indiana University cybersecurity expert, said there are basic measures any organization or business can undertake to guard against cyber attacks.
He said that includes robust and continually updated software protection, and frequent local and remote backup of all system files so they can be restored if locked out.
He called rigorous training of all employees with computer access “critical” to blocking ransomware attacks.
“Ideally, those emails don’t get through in the first place.”
But he added: “There is no panacea. You can do all that and still not be at 100 percent.”