It Happened to Us: An Anonymous First-Hand Account of a Ransomware Attack (Part 2)

It’s time. Here’s the second, and final, installment of the exclusive interview Predatar conducted with a victim of a business-targeted ransomware attack.

Investigating the Breach

‘We had very understanding clients. It was established at a very early stage that there was no desire to publicise any of this information. But generally, we had to be careful about what we were saying. We couldn’t say anything that wasn’t definitely true, or anything that needed to be kept confidential.’

‘In our investigations, we realised that the cyber-attackers had been in our systems for several weeks, via a password breach. By tracing their actions, we were luckily able to identify that it was, very fortunately, a very small portion of data that they had been able to access.’


This is something we talk about a lot at Predatar HQ when it comes to cyber-resilient backups. Sure, you think you’ve got immutable backups. You might even have gold-standard encryption. But how can you be sure that your backups aren’t brimming with dormant ransomware that you just haven’t noticed yet? Dormant ransomware is a threat to any business. It can sit in your systems indefinitely, gathering information until the cyber-criminals are ready to act, and an immutable backup taken during that period faithfully preserves the infection along with everything else.

Negotiating

‘It was a really challenging period of time. We were having crisis calls twice a day, and sometimes it would be every hour or two. We established that the cyber attackers were also overseas, meaning it made quite a difference to the timescales. We actually had to contact them through an address on the dark web, which our business knew very little about, so the experts told us how to operate in that space.’

‘After negotiating, we eventually agreed with them to pay a very small fraction of what they had asked for in Bitcoin, which the experts told us is completely untraceable. We tested them by staging four different payments over a week or so to ensure that each time, they gave us a specific bit of data back. Our negotiator pushed the cyber-criminals to the edge of what was acceptable to them. There were a few times where they said they were going to release the data.’

The Aftermath

‘You could say we were lucky. We did get proof of all of our data back, and we already had a backup copy of the data anyway. A few months prior to the event, we’d actually made some changes to tighten up the security of our backup and recovery procedures, and that helped a great deal. I’m glad we did that. However, not all of the data was completely up to date, so that still did pose an issue. It wasn’t perfect. But the main issue was a lack of accessibility for our clients; they couldn’t work in a normal way.’

Nowadays, even if a company has a seemingly usable backup in the event of a ransomware attack, there’s no guarantee that the backup will actually restore. And even if it does restore, there’s no certainty that it, too, isn’t carrying dormant ransomware. That’s where companies like Predatar come in.

‘The whole experience was deeply unpleasant. Nobody wants to pay an attacker anything, but the advice from all of those experts was that it’s typically better to pay something until you’re forced to pay a higher amount.’

It’s almost impossible to estimate the true cost of a ransomware attack to a business. The total is far more than the ransom paid. A business starts haemorrhaging money in various ways during a cyber-attack: time lost on major projects, the inability to generate a healthy profit without full functionality and access to its data, and so on. There can also be a huge knock-on effect on future ventures, including damage to partnerships and client relationships.

So…what now?

After hearing this story, the first thing that crossed our minds, and that has probably crossed your own mind as you’ve been reading this article, is “how can we be prepared for disasters like this?” So we asked some questions and got some answers for you. Here are the top five tips we picked up from this case:

  1. Have a plan for who you can go to as an advisor in this scenario. You will need a set of experts who can offer you insurance. They will also know the lingo, and they’ll be able to understand the personalities, behaviours, and personas of certain cyber-attack gangs.
  2. Understand the process of reporting the incident to the authorities, and how that process can help or even hinder your response to a time-sensitive cyber-attack.
  3. Hire a negotiator. If this is an option available to your business, don’t skip it. The experience with a negotiator can be, as our source described, deeply uncomfortable. Without that buffer between your business and the cyber-attackers, you’re essentially dealing directly with intelligent criminals, with no experience of doing so.
  4. Look after your employees. It’s a very disturbing experience, and the well-being of your employees is extremely important throughout. Some employees will be on a need-to-know basis, whereas others will need more of an understanding.
  5. Test your backups, then test them again. And then test them again after that.

We hope that this has been an eye-opening read for you, and that, like us, you have gained some useful insight into the importance of having cyber-resilient processes in place.