This is a true story of a small company that got ransomware. We'll tell you how it happened, and what choices the company ultimately made. Then, we'll explore the question, "was there a better way?"
"Hey, You're Under Attack."
At approximately 10:30 pm on a Saturday, a coworker received an email informing them that they were under attack. Their instinct told them something about the email didn't seem right, so they forwarded the message to their IT person.
A few minutes later they received a reply from IT that made their heart sink. The message and the threat were very real.
Check the Other PCs.
The coworker informed the company's CFO. It was late on a Saturday, but if the message was indeed real ransomware, there was no time to waste. They checked the other company computers.
All of the computers on the network were down, and a few displayed a new lock screen telling them not to try to activate the computers--they were now under the hacker's control. The screen also listed a number where the company could contact their attacker.
Getting Insurance Involved.
The company decided to contact their insurance provider to get some advice before contacting the hackers. They knew they would have only one chance to make this right, so they didn't want to make a mistake.
The insurance company agreed to help them get in touch with the hackers. After getting IT and insurance together, they reviewed what information might potentially be in the bad guys' hands. They were relieved to discover that no proprietary company information or customer personal information was accessible from the infected computers--a lucky break.
Though the exposed data could have been worse, business had completely stopped as a result of the devices being locked down. Everyone in the office was dependent on their computers in order to get any work done. Every hour that business was paralyzed, money was being lost.
The company decided to reach out to the hackers to make a deal before all the employees came back into the office on Monday.
24 Hours Later.
The company (via their insurance provider) went back and forth with the hackers all day Sunday in tense but productive negotiations. The company was startled to learn that the hackers were very open to negotiating terms and treated this like any other business deal.
After talking the hackers down from their original demand of $400,000, the company agreed to pay $150,000 in ransom to get their computers unlocked.
The agreement was finalized Monday morning.
No Satisfying Answers.
The hackers never told the company why they were targeted, or the details of how they got in. The only thing they offered was evidence that they had successfully unlocked other companies' devices once the ransom was paid (and could therefore be trusted).
IT had set the network up in fairly good shape, although a few software upgrades were still outstanding. The most likely cause of the ransomware spreading was that one of the employees had clicked a malicious link inside an email.
The hackers tried to make the company feel that they had been lucky that they were getting their information back--they reminded the company that other hackers either refuse or are unable to return data, even after receiving payment.
To prove that they were "good" criminals they even gave the company a 1-800 number to call in case they had any trouble accessing files after the lockout had been lifted! Imagine having a help desk to the hackers who are extorting money from you.
The hackers demanded to be paid in Bitcoin. No one inside the small business had experience with Bitcoin transactions of that size, so the company had no choice in this scenario but to contact a third-party Bitcoin broker who could assist with transferring the funds.
This was an additional fee to the already lost ransom money.
Eventually, the funds went through, the computers were unlocked, and the company had learned a very stressful and expensive lesson--being at the mercy of a business-like hacker group is only ever one click away!
To recap this true story, which was first reported by TechRepublic, let's review the details:
- The most likely cause of the ransomware being activated was an employee clicking a suspicious link.
- While the small business didn't have the most sophisticated cybersecurity, even the hackers admitted that their network was in pretty good shape. Human error was needed to gain access.
- Once the computers were locked, internal IT was very limited in what they could do to remedy the situation.
- The targeting of this small business appeared to be random. The hackers probably sent the same ransomware attempts to hundreds, perhaps thousands, of businesses. This small business was just one of the victims who clicked.
- There were costs beyond the ransom itself: third parties were needed to handle the negotiation and payment properly.
- The fallout from this would have been even worse had any customers' personal information been exposed. This type of attack is especially damaging to the healthcare and financial industries.
What Could Have Been Done Differently?
This small business probably never thought that their company could be the target of a ransomware attack. That's where they made their first mistake.
Had they taken the proactive approach to planning for an attack, they probably would have been running a more thorough cybersecurity solution with ransomware protection, like SentinelOne. Then, they would have even had a Ransomware warranty up to one million dollars.
This company's IT support was provided by the husband of one of the company's employees. They should have leveraged an experienced outsourced IT partner before becoming a victim.
They could have been provided with 24/7 risk monitoring and realistic phishing tests to keep employees educated on what incoming threats look like. Cybersecurity education has been shown to improve employee awareness and lower the risk of them clicking on links that can harm the company network. The cost of ongoing protection for a company of this size would have been much less than what they had to pay as a ransom in one large chunk.
This is another reminder that every business today, whatever its size, should have cloud backups. That way, there's a secure, usable copy of any data that falls into the wrong hands. They could have bought themselves more time, or even told the hackers to hit the road, if employees had been able to start working again from the backed-up cloud data.
This company did the best they could to unlock their computers and limit bad PR. However, if they had been more proactive before they were targeted, they probably could have avoided ever having to pay a ransom in the first place.
Hopefully, other small businesses will hear their story and take the right steps now to avoid being the next victim.
Does your small business use Microsoft software? If so, contact us to see how you can get best-in-class ransomware protection that doesn't break the bank.