American Water Ransomware Attack: What Happened and How Critical Industries Can Respond
On October 3, 2024, the American Water company was targeted by a ransomware attack that disrupted billing systems for this critical services provider. Critical services companies are increasingly a target for attackers, because the impact and nature of the services they provide make them lucrative to extort. Let’s see what happened in the ransomware attack on American Water and what lessons can be learned.
What happened in the ransomware attack on American Water?
American Water is a large provider of water services across the United States. On October 3, 2024, it was the focus of a ransomware attack that shut down billing services for the entire company, largely affecting customers. The attack did not take down any of the critical functions of its water services. However, the billing disruption led to much frustration for customers, who could not pay their bills or access their account information.
American Water acted quickly after learning of the attack on their billing systems and shut down access to systems until the security event could be remediated. It is not entirely known what attack vector was used in the breach. However, in many ransomware attacks, phishing attacks often lead to compromised credentials that can be used to launch the attack. This may very well be the means attackers used in this case.
American Water assured customers they would not be responsible for late fees due to the billing disruptions and that critical water services would not be hindered as systems were recovered.
Who was affected by this attack?
Focusing a bit more on who was affected by the attack, the billing system for American Water Association was taken offline. Customers were not able to access accounts, pay their bills, or resolve any issues related to their account information, and faced the frustration of not being able to pay their bills on time.
American Water tried to offset some of this frustration and worry by assuring customers they would not incur late fees as a result of being unable to pay their bills on time during the disruption. The incident also heightened customers’ anxiety about the disruption a ransomware attack can cause, even to business systems, let alone the risk of disruption to critical services.
Impact of the Attacks
There were widespread impacts of the attack to note.
Potential Data Breach
A concern for customers and American Water is the possibility of a data breach. Any ransomware attack raises concerns that attackers were able to access and exfiltrate sensitive data. While American Water has not confirmed that sensitive data was breached or exfiltrated, the nature of ransomware attacks lends itself to this possibility. It leads to concerns over the safety of customer information and personal details. Details about American Water infrastructure and other operations could also have been exposed.
Billing Suspension
Immediately following the American Water attack, the company’s billing systems were taken down. Customers could not view their account information or pay their bills. This led to immediate frustration for customers trying to carry out their normal online activities with the company. During the disruption, American Water had to manually field customer inquiries and billing concerns.
Potential for lost customer trust
Even though American Water did not have a disruption in providing critical water services, the ransomware attack could certainly have impacted the trust and confidence in their customer base. Ransomware attacks can undermine a sense of trust when critical information or services are disrupted. Customers could question whether companies like American Water are prepared to prevent similar attacks in the future or protect their sensitive data.
Disrupted operations
Regardless of how well an organization reacts to a ransomware attack, inevitably, there is fallout from an attack in terms of disruption to normal business operations. The attack on American Water was no exception. They had a sudden disruption in billing services that caused uncertainty about payments, late fees, and other customer concerns.
Customers were also worried about the potential for disruption in the public utility services the company provided. Although this didn’t happen in the long run, the concern was real and the potential for disruption even outside of billing or other business systems is a real possibility.
The incident emphasizes the chaos that even minor disruptions can bring to public utilities and critical services companies.
Why Are Critical Service Industries Targeted?
Ransomware gangs are looking to cause the most damage with the least amount of effort, in the shortest amount of time. Critical services include the areas of water, power, fuel, and other utilities. These are quickly becoming a major target for hackers looking to cause disruption.
Here are a few reasons why:
- High profile and high stakes – When critical services are disrupted, it doesn’t take long for the news to travel quickly. These types of disruptions can have far reaching impacts and lead to customers in certain areas not having the necessities needed. Disrupting water, power, or healthcare services can pressure these critical services organizations into paying high ransoms to avoid risks to public safety or significant downtime.
- Legacy infrastructure – Many utility organizations operate using legacy infrastructure that is far less resilient to cyber threats. Old equipment and infrastructure may run vulnerable protocols, hardware, and software. The digital transformation utility companies are undergoing has brought many benefits, but it has also increased the risk of cyberattacks. Connecting old infrastructure to the Internet and public networks without security upgrades can be a recipe for disaster.
- Limited cybersecurity budgets – Many organizations that operate in the critical services sector often have limited budget outlay for cybersecurity upgrades. Other initiatives and priorities often win out when it comes to fiscal investments. In fact, many public service providers don’t have dedicated cybersecurity teams or funding for needs like threat monitoring and advanced cybersecurity defenses.
- Sensitive data – Due to the nature of their business, utility companies also house sensitive data about their customers, including demographics, payment details, banking information, and many others. These types of data are extremely valuable to attackers who can easily sell the information on the dark web.
By understanding these key motivations, organizations can work on developing a proactive approach to their cybersecurity initiatives.
Lessons learned
There are key takeaways for organizations looking to learn from the American Water and other attacks. Note the following lessons learned and strategies businesses can use to bolster their defenses.
1. Network segmentation and perimeter defenses – While these are not enough in themselves, they are still valuable and critical first layers of defense from attack. Protecting sensitive data needs strong perimeter protections, like firewalls, Intrusion Detection Systems (IDS), Web Application Firewalls (WAFs), and others. Network segmentation is a basic, but very important design to implement for proper network security. Segmenting your network helps to contain a breach to that segment of the network instead of all areas of network communications, systems, and applications.
2. Multi-Factor Authentication (MFA) is required – MFA is a simple way to substantially increase security. For businesses that handle critical infrastructure, MFA can help prevent attackers from accessing sensitive systems or data, even if they have obtained a user account and password through phishing.
3. Organizations need regular risk assessments – Risk assessments allow an organization to find vulnerabilities and risks before attackers do. Doing this frequently helps to understand the risk profile and identify quick wins in remediating glaring vulnerabilities or other issues. Risk assessment automation can also be a major help in understanding both on-premises and cloud SaaS vulnerabilities.
4. Cybersecurity training – Phishing is still one of the main ways that hackers can compromise a network by getting possession of legitimate credentials. Employee education is a great way to help employees understand how to recognize legitimate email communications vs those that are phishing attempts. Organizations also benefit from simulated phishing exercises that help to reinforce employee awareness of risks.
5. Frequent patching – It is surprising how many cyberattacks result from unpatched vulnerabilities for which patches have been available for months or even years. Good patch monitoring and management helps businesses take control of their patching landscape and keep clients and servers up to date. If a server or app can’t be patched, it should be isolated as much as possible and protected with other security defenses.
6. Threat detection with the help of AI – One of the tremendous advantages of AI is the ability to understand anomalous patterns and activities. Using AI tools to detect threats and other cybersecurity events can drastically speed up narrowing in on an attack and remediating the attack as soon as possible.
7. Incident response – Have an incident response plan and automate as much of it as possible. Automation helps remediate cybersecurity events as quickly and efficiently as possible, and it removes the chance of a human operator inadvertently introducing errors or delays under pressure.
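Lessons 6 and 7 above, threat detection and automated incident response, are easier to reason about with a concrete detection rule. The following added example (not code from the original post or from any Spin.AI product) shows the simplest form of ransomware-like activity detection over a SaaS or file-server audit log: a sliding-window count, per account, of renames or overwrites that produce encryptor-style file extensions. The log format (`timestamp,user,action,path`), the suspicious suffix list, the 60-second window and the threshold of 10 events are all assumptions made for the example; in a real deployment they would be tuned against the organization’s own baseline, and the alert would feed the automated response step (suspend the account, snapshot the affected data, open an incident).

```python
"""Toy burst detector for ransomware-like activity in an audit log.

Constructed example: the line format, suffix list and thresholds are
assumptions for illustration, not any vendor's real schema or defaults.
Each log line is "ISO-timestamp,user,action,path".
"""
from collections import deque
from datetime import datetime, timedelta

# Sliding-window parameters (assumed; tune against your own baseline).
WINDOW = timedelta(seconds=60)
MAX_EVENTS_PER_WINDOW = 10
# Extensions illustrative of what an encryptor appends; not a real IoC list.
SUSPICIOUS_SUFFIXES = (".locked", ".enc", ".crypt")


def parse_line(line):
    """Split one constructed audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.strip().split(",", 3)
    return datetime.fromisoformat(ts), user, action, path


def is_ransomware_like(action, path):
    """A rename or overwrite whose resulting name carries a suspicious suffix."""
    if action not in ("rename", "modify"):
        return False
    return path.lower().endswith(SUSPICIOUS_SUFFIXES)


def detect_bursts(lines, window=WINDOW, threshold=MAX_EVENTS_PER_WINDOW):
    """Return one alert per account whose suspicious events reach `threshold`
    within any `window`-long sliding interval. Each alert is a tuple
    (user, timestamp of the oldest event in the window, event count)."""
    recent = {}        # user -> deque of timestamps of suspicious events
    alerted = set()    # users already reported, to avoid duplicate alerts
    alerts = []
    for line in lines:
        ts, user, action, path = parse_line(line)
        if not is_ransomware_like(action, path):
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        # Evict events that have fallen outside the window ending at `ts`.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, q[0], len(q)))
    return alerts


def sample_log():
    """Constructed audit lines: one benign user and one bursting account."""
    base = datetime(2024, 10, 3, 9, 0, 0)
    lines = []
    # Ordinary document saves over the morning: never suspicious.
    for i in range(5):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()},alice,modify,/finance/report{i}.docx")
    # Three scattered renames to .enc an hour apart: suspicious but far
    # below the burst threshold, so no alert (the window evicts them).
    for i in range(3):
        t = base + timedelta(hours=i)
        lines.append(f"{t.isoformat()},alice,rename,/archive/old{i}.zip.enc")
    # Burst: one service account renames 12 files to .locked in 12 seconds.
    start = base + timedelta(minutes=30)
    for i in range(12):
        t = start + timedelta(seconds=i)
        lines.append(f"{t.isoformat()},billing-svc,rename,/billing/invoice{i}.pdf.locked")
    # Audit logs arrive time-ordered; same-day ISO timestamps sort lexically.
    lines.sort()
    return lines


if __name__ == "__main__":
    for user, first_seen, count in detect_bursts(sample_log()):
        print(f"ALERT user={user} first_event={first_seen.isoformat()} count={count}")
```

Running the block reports a single alert for the `billing-svc` account at 09:30:00, while the benign user’s scattered renames never accumulate inside one window. The deque-per-user design keeps memory bounded by the window size rather than the log size, which is what makes a rule like this cheap enough to run in real time on streaming audit events.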
Spin.AI’s Ransomware Protection
Ransomware is arguably the greatest threat facing business continuity today with large-scale ransomware attacks demanding millions in ransom payments and taking critical data hostage or even leaking it onto the dark web. This threat not only affects on-premises environments but also cloud SaaS environments. Attackers understand that organizations are moving to the cloud in droves and they are following this trend with modern ransomware attacks that can even affect cloud environments.
To protect your cloud SaaS data, Spin.AI’s Ransomware Protection module (SpinRDR) provides an advanced layer of security for cloud environments. It monitors for suspicious activity across your cloud data while capturing critical data in automated backups.
If an attack happens, SpinRDR blocks the source of the attack and begins recovering any affected data. This provides a proactive approach that helps to minimize downtime. It also helps to keep critical services operational and protected.
Spin.AI’s Ransomware Protection Module provides the following:
- Real-Time threat detection: It continually monitors the SaaS environment for any signs of malicious activity, including ransomware.
- Automated backups: SpinRDR backs up your SaaS data with efficient incremental backups so you have a good copy of your data. If an attack happens, data can be quickly restored to a pre-attack state.
- Quick recovery: SpinRDR minimizes downtime by stopping an attack in the very early stages. It reduces downtime and uses effective automation to quickly restore any affected data.
Wrapping up
The American Water ransomware attack is a reminder that no organization, including critical services providers, is safe. These organizations must be vigilant to the threat of ransomware and other malicious attacks that can steal or leak data to the dark web and disrupt critical services. A strong focus on cybersecurity is needed as legacy critical services infrastructure is connected to the Internet or made accessible over private networks.
Spin.AI’s Ransomware Protection module complements organizations’ cybersecurity activities by providing a strong defensive layer for SaaS environments that are often connected with on-premises resources. With Spin Ransomware Protection you have ransomware protection 24x7x365 that helps to stop ransomware in its tracks.
Learn more and sign up for a demo here: Request a Demo of SpinOne SaaS Data Protection Platform.