The Captured Customer - Ransomware
Ransomware attacks happen to businesses of all sizes. Companies in the U.S. paid an estimated $350 million in ransomware in 2020, a 300% increase from 2019. Particularly alarming (even surprising to some) is that small and mid-sized companies make up 50 to 70% of the businesses affected by ransomware.
In fact, small businesses are bearing the brunt of these attacks. Senator Chuck Grassley told the Senate Judiciary's Committee," ransomware does not just affect the deeper pockets of large companies like Colonial Pipeline and JBS." He goes on to say, "small businesses already operate on thin margins, and many have been pushed to the brink by the pandemic."
Here are some notable ransomware attacks among small and mid-sized companies in the United States.
Wright Graphics hit by Ruyn
When Greg Wright, president and CEO of Wright Graphics, first got the news from the information technology department that the company networks were under attack with an active data breach in progress, it was time for action. That was November 2019, the Friday before Thanksgiving.
By the end of the day, managers sent workers home. The data breach, they discovered, was due to the Ruyk ransomware, which had managed to get into their network, encrypt files, and leave ransom notes throughout the system. The ransomware attack had essentially closed their digital connection to the world.
But the breach didn't happen that day in November. Instead, it was a concerted, prolonged, ongoing attack that began three months prior in August. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), like many other ransomware strains, Ryuk is spread through "phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware."
Essentially, cybercriminals deliver the Ryuk ransomware through phishing emails.
And so it went for Wright Global Graphics. They came under attack through a phishing email on an employee's workstation and for three months had cybercriminals acting within their network, gathering data the whole time.
Teamwork in action: Teamwork in every organization is critical, especially when under attack. The team at Wright Global Graphics settled on using face-to-face meetings, handwritten orders, and old-fashioned phone calls to keep the operations moving.
The Ryuk ransomware has netted millions in ransom payments for the attackers over the years. Some of the more prominent targets include:
- The Department of Social Services
- Los Angeles Times
- Chicago Tribune
- Wall Street Journal
- New York Times
But they've also targeted small operations like:
- Jackson County, GA (paid out a $400,000 in ransom)
- Riviera Beach, FL (paid out $594,000 in ransom)
- LaPorte County, IN (paid out $130,000 in ransom)
Offering ransom should be the last solution since the hackers went dark on Wright Global Graphics and the company never got a decryption code.
Data breaches and ransomware vary in terms of complexity and magnitude of infection. Ransomware evolves. In fact, according to HHS.gov, "previous versions of Ryuk could not automatically move laterally through a network," but now experts identified a new version with worm-like capabilities in January 2021 that can "spread copies of itself from device to device without human interaction."
Dive deeper: See what else HHS.gov says about Ruyn variants and why you should still be on guard.
Some IT security systems can give a sense of security since the perceptions that small business attacks don't occur as frequently as they do for large corporations. But this doesn't mean that the security system is without vulnerabilities.
Complex passwords changed regularly, regular backups, and virus protection are not enough to prevent data breaches. Instead, adopt two-factor authentication, a minimum of 12 character passwords, and an external hard drive to store sensitive data.
Spectra Logic hit by NetWalker
In May 2020, Spectra Logic started to get notifications that some of its systems were failing. It didn't take long for the senior IT director, Tony Mendoza, to realize they were under attack since their files were actively being encrypted without their knowledge or direction.
The IT team gathered in the server room to shut down the entire infrastructure by pulling plugs out. By that time, the ransomware attack compromised 75% of the organization. Most employees were working remotely due to COVID-19, making it challenging to communicate.
The hackers, called NetWalker, demanded a $3.6 million ransom paid in Bitcoin.
But they didn't pay up.
Unsurprisingly, the attack originated from a phishing email sent to an employee. Spectra Logic was prepared for such attacks with cyber insurance and offline backup to some of their files. The team also decided to work with the FBI instead of the insurance company.
The FBI assigned Spectra Logic a specialist to handle the case, and immediately, the efforts to recover the network started. Within the next five days, a team of three and two employees worked in shifts day and night in liaison with the cybersecurity specialists, and by the week, restored the network.
From the attack, Spectra Logic learned that:
- Backing up data offline continuously is essential since they could restore their network faster
- Reduce the radius of attack by backing up data in various mediums and locations
- Continuous monitoring of the IT infrastructure is vital to ensure there is no counterattack during the recovery process
- Train employees on phishing and improve on the cybersecurity culture in the organization
Heritage Company, Inc Shuts Down
In October 2019, Heritage Company, a telemarketing company, was hit by a ransomware attack. But unlike the previous two companies, The Heritage Company's CEO, Sandra Franecke, decided to pay the ransom. Heritage paid out hundreds of thousands of dollars and still did not get a decryption key from the hackers that would release their network.
In the end, Heritage shut down due to such heavy financial and data loss that they could never recover from. The closure caused more than 300 employees to lose their jobs.
The mistakes The Heritage Company made in responding to the attack include:
- The CEO and company leaders failed to communicate with their employees that the company was under attack as soon as it happened.
- Without consulting cybersecurity experts, the company paid the ransom and did not recover data even after paying the ransom.
Brookside ENT Forced Retirement
A two-doctor medical practice in Battle Creek, Michigan, suffered the same fate as The Heritage Company in 2019. When the computer virus first entered Brookside ENT's electronic medical record system, it deleted and overwrote medical records, appointments, backups, and bills. The virus created duplicate data to restore the network but required a password to unlock it, which would only be provided after paying a $6,500 ransom.
Dr. John Bizon, 66, and Dr. William Scalf, 64, the founders of Brookside ENT, opted to close the practice and retire one year early instead of paying the ransom.
The Bottom line
Many small and medium-sized businesses are un- or underprepared for a ransomware attack, creating vulnerabilities for hackers to exploit.
Whether it's lack of information or onsite cybersecurity skills, every business can take steps to ensure a basic level of cybersecurity hygiene for their organization. Invest in cybersecurity, ransomware, and phishing training for all your employees.
Best practices include:
- Ensuring operating systems, software, and applications are kept secure and up-to-date.
- Employ MFA
- Ensuring anti-virus and anti-malware solutions update automatically
- Performing regular updates to improve the defensive posture
- Getting a gap assessment
Everyone is at risk; Contact eTrepid to find ways to mitigate yours.