It Happened to Us: An Anonymous First-Hand Account of a Ransomware Attack (Part 1)

What is it Like When your Business is ‘the One it Happens to’?

“It will never happen to our business.”

“What would they want with data like ours?”

“We’re a small business, there’d be no point.”

“We’re too secure. They’d never succeed.”

“We’d know straight away. Our IT team is prepared.”


Many businesses subscribe to at least one of these blasé statements. You may even have heard them casually uttered by the water cooler after news has broken of yet another attack on a large corporation. It is a seemingly mundane trap that businesses and employees unwittingly fall into: the ‘it’ll never happen to me’ mentality. And, don’t get us wrong, we’re not saying confidence in your resilience and security processes is a bad thing; it is first and foremost necessary. But too much of it and you risk being lulled into a false sense of guaranteed safety.

This blog is going to be different from what we usually write. In fact, it’s not really our story at all. We’ve been privileged enough to speak to somebody who witnessed the ins and outs of a ransomware attack on their business first-hand. When we first heard this account, we decided it was far too compelling and affecting not to publish. Far from being a head on a stick, this first-hand account is a very tangible and frightening picture of how a cyber-attack can affect an organisation. So, without further ado.


Alarm Bells

It’s no secret that many ransomware attacks announce themselves in a similar way: the first sign of trouble is a change in how employee devices behave, anything from slower-than-usual performance to being locked out completely.

‘We were first alerted to a problem when a small number of our clients, namely in the financial sector, alerted us to being locked out of their systems. We were providing the software, and in some cases a hosting environment, to these clients. So, we quickly established that there was a pattern to this problem even though it was a fairly contained number of clients.’


Data from the CrowdStrike intelligence team showed that during the COVID-19 pandemic in 2020, ransomware attacks in the financial sector rose by as much as 350%. Between March and May alone, the sector reported over 30 attacks.

‘The first thing we did was to look into what it was, and it didn’t take us long to realise that it was a cyber-attack. At first, our clients assumed that attackers were targeting their business specifically. But of course, we’d noticed this pattern and we established that the clients had been targeted through the hosted systems we were providing them.’

‘We did have some comfort in terms of thinking we could get the data back fairly quickly because we had mirrored the records, but there was still some disquiet. And of course, the major issue was that clients’ employees could not access their systems.’

When a ransomware attack happens, you typically have two major concerns.

  1. Data.
  2. Business function.

The two ultimately go hand in hand; a business without its data is a headless chicken, directionless and against the clock. But that’s not to say that some businesses can’t function, albeit with very limited purpose, without their data. So why do we list these two concerns separately? Because often the reason everything has to be put on hold during a ransomware attack is simply that systems aren’t accessible, or are locked, because of the nature of the attack. Some businesses get ‘lucky’, like this one, and only some systems are locked out. Others can’t access any of their systems, or any of the systems that are key to how they function. Take this case for example, where the cyber-criminal gang DarkSide encrypted critical data belonging to Colonial Pipeline.


The Right People, at the Right Time

‘After the messages came through from the ransomware attackers, we started to look at what we needed to do about it with our crisis team. This team involved various people from across the business, including our own security expert, finance people, legal people and judicial leaders. We then contacted some external security advisors in that space and an insurance company. And the insurance company, realising it was a proper cyber-attack, were helping us to look at reducing the amount of cost implication. So, we were lucky, we had a sophisticated team we could put together quickly. We already had things in place that an average company usually doesn’t have.’

Making Contact

‘The next thing we did was to contact the people that had blocked the systems. We wanted to try and validate from our side who they were, and whether it was a real threat to us, or just a hoax. But all in all, we were in the dark. We weren’t really sure what was coming, not until you’ve got experts involved.’

Luckily for companies that fall victim to ransomware, there is now no shortage of experts in this field: from specialists who deal with the aftermath of an attack, to negotiators who will be right there with you in the thick of it.

‘There were a number of deadlines presented to us by the attackers, saying that we had to get back to them within a certain time period. We kept holding them off, but never said no. That’s where we had an expert negotiator come in. Of course, we also contacted the authorities, but the experts we had told us that the authorities would be unlikely to do anything meaningful about the attack before it was too late. The consensus was that we needed to negotiate with the cyber attackers.’

You might be thinking at this stage ‘but that sounds pretty terrifying’. And you’d be right. At Predatar, we’re a team of experts too. We pride ourselves on our knowledge of things like this, but there is seldom anything that can prepare you for negotiating with criminals when, normally, you’re just doing your day-to-day job. On a slightly more comforting note, we later established with our source that their teams had felt more at ease for having brought in external experts, because it had created a buffer between themselves and the attackers. In short, always have a plan for who you’re gonna call when there’s something strange in your systems. But we’ll talk more about this later.

‘So these experts helped us communicate with the attackers in terms of checking whether they did actually have the data they said they had, and how they planned on releasing it back to us in terms of decrypting it. We wanted to be certain our clients’ data wasn’t going to be permanently compromised.’


Stay tuned for part 2, coming soon!