The CFO of a small company that was the victim of a ransomware attack and reveals why they paid the ransom (in Bitcoin) to gain back control of their systems.
TechRepublic’s Karen Roby talked with the CFO of a small company in Kentucky that fell victim to a ransomware attack. The following is an edited transcript of their conversation.
Karen Roby: Ransomware attacks are on the rise, and more companies are opting to pay the criminals. We interviewed the CFO of a small company that was the victim of a ransomware attack, and we’ll be referring to him only by his first name. His company chose not to get authorities involved given the value that was at stake, and the company’s immediate need to gain back control of its network. We’re hoping his first-hand account will help you better understand what these types of ransomware attacks look like and give you an idea of how to better protect your own organization.
Jason: It’s definitely been a new experience for a small company like ours. We’re just eight PCs in a building that never thought something like this would even be possible but we found out late on a Saturday night, my coworker got an email saying that, “Hey, you’re under attack,” and she didn’t think it smelled right. Her husband’s in IT as well so we sent that to our contact in IT, a company that we use, and he said, “Yes, this is very real.” And immediately your heart sinks because it’s 10:30 on a Saturday night and you’re like, “Excuse me, what? We’re under attack, what are you talking about?”
Just unthinkable. But we would manage our channels with our insurance company and immediately took a look and sure enough, all the PCs were locked down with a ransom note on some of them.
Karen Roby: So what did the note say, specifically, or what were the demands?
Jason: All it really said on the initial lockdown screen is basically do not try to activate your computer, we have it under control. Please contact us and there was a number, which was interesting. So, we knew something was very wrong at that point. Our IT contact said, “These guys are very real. We need to get your insurance company involved and get a strategy before we even think about trying to talk to these guys because we want to make sure we have all our ducks in a row because we got to do this right the first time.” A lot of times apparently, as we learned through this process, they don’t always give you a second bite at the apple, so you want to make sure you ask for everything at once.
Karen Roby: Talk a little bit about what happened once the insurance company got involved, and did you guys alert authorities?
Jason: Well, the first thing we thought about is at least we’re glad we’re not a proprietary type of situation, healthcare, things like that where people’s personal information, proprietary, designs, et cetera, things like that could get out and possibly damage people, which is the first thing they mentioned to us, as you said, the third party that we spoke to that were acting as our agent between us and the hackers. They said, “This is strange. You don’t really have anything they can hold over your head other than just stopping your business.” But we engaged them quickly. Ironically, they worked straight through on a Sunday to help us and by Monday morning we were in full agreement, and they began the conversation with the hacker group to see what we could get done.
And that’s the thing is for the first time, you look at yourself and go, “Wow, we are totally reliant on our systems.” Luckily our machinery in the plant isn’t connected to our network, but all the processes you use to tell that machine how to work are now a black screen and you can’t do anything, and you find out very quickly that 25 men and women out in the plant that are used to being very good at their jobs are held, with no ability to do their jobs because they don’t even remember how to do it without that computer. And yeah, at that point we just circled around and said, “This isn’t a matter of do we pay them? It’s a matter of how do we pay them?” Because if we don’t pay them, we don’t have a way out of this, and business just stops, so it’s quite a scary situation.
Karen Roby: When it came down to it Jason, how much did you all have to pay them to get back control of your systems?
Jason: Painfully, $150,000. Their initial demand was $400,000. And from what we were told, this group rarely attacks small companies because their initial demands are usually in the $1 million to $10 million range. So, coming after us or for a half of their normal amount that they typically request just adds to the fact of, why us?
Karen Roby: Did you learn any information about the criminals behind this?
Jason: They just said that they’re very familiar with them, as sad as that sounds, and the interesting thing they pointed out was you got lucky because this is a group that always does it. If you pay them, they give you your information back. So, if you’re going to get hacked, at least you got hacked by this group, which as sad as that sounds now we were somewhat bizarrely thankful for that. But just in their dealings with this group and I guess through the processes, they look at things like that, they believe Eastern European just the way they’re acting, as far as they can trace the money and then it disappears obviously, but they believe Eastern European.
Karen Roby: The ransom was paid through Bitcoin, correct?
Jason: Right. The third party we contracted to manage the ransom, because of the challenges of sometimes getting the Bitcoin in that kind of volume, they keep a substantial amount of that in their resources. They managed that whole process for us, obviously that could be a challenge if you’re not aware of how to do that and obviously, 32 people in Kentucky don’t typically know how to do that when we’re used to manufacturing, so we were very thankful that they were around.
Karen Roby: I think one of the really crazy things about this is that the criminals actually offered you a 1-800 number to call if you ran into any problems getting your files back once you paid the ransom!
Jason: Yeah. I mean, if anything has made me laugh about this whole situation is that it’s just the selective morality of, “Hey, we know we’ve robbed you of money and your files and held you at our whim, but by the way, we’re here to help 1-800 … .” It’s unbelievable.
Karen Roby: In most cases of ransomware, it seems an employee along the way clicked on a link that allowed the hackers in–was that the case here?
Jason: That’s what they’ve pinpointed in our case is they said, “Look, for a small business of your size, your systems were good and here’s a handful of upgrades you might want to consider but chances are someone in your office just clicked an email.” And, unfortunately, you can send it out weekly if you want to, to say, “Guys, remember don’t do it, but there’s always that one opportunity, and something just looks real, and one click and there you go.”